Project Idea

Overview

My project idea is a company that performs companywide penetration testing but specialises in physical/environmental and internal vulnerabilities.

What makes my idea different is not only that it is a combination of physical/environmental, internal, social engineering and internal network security testing; we also proceed under the guise of black box penetration testing.

Once a client has paid for our services, we use an “accomplice” who will aid our testing from the inside, just as if there were a real internal threat. Not only that: depending on the scope of our service (we recommend a 1-year service), we will plan with our contact, but no one else in the business will know a thing, to generate the most authentic response. Our focus is the physical/environmental and the internal threats, as these are often overlooked.

With a yearlong approach, all previous breach attempts and knowledge gained from them are combined into 1 final attack where we use all that we have learnt about the business to attempt a companywide breach.

Motivation

I am motivated to create this project as I am very interested in cyber security and penetration testing. Creating the documentation and processes will be interesting. If the project is successful, it may become my business or a business model I will adapt in a business I may create in the future. With the rise in cyber criminals using ransomware and phishing attacks during the pandemic, companies have improved network security and education to reduce the effectiveness of those types of attacks.

As physical/environmental, internal, and social engineering security are often overlooked, having a business focused on those weaker points will fill a gap in the market and overall strengthen the visibility of those exploits and vulnerabilities.

Cyber crime during the pandemic

Description

The project is a business model that performs companywide penetration testing but specialises in physical/environmental and internal threats, as physical and internal vulnerabilities often allow access to the internal network. The companies will have their physical/environmental and internal security scrutinised. The way we test internal threat protection is by using an “accomplice”. The “accomplice” is a current employee who receives an incentive to perform actions on our behalf.

We first start with a small task, such as finding a window that can open, and will increase the threat of the action (only using photo evidence when presenting findings). The accomplice may also aid us by leaving security doors open for our technicians to gain access; this is where the need for the combination of physical and internal security becomes apparent.

If our operation scope is as we recommend (1-year service, and all areas of penetration testing), we normally start off with a thorough reconnaissance of all outer layers of the company. This includes the company’s websites, physical and wireless network access points, and the physical security of the company’s building, looking for points of compromise. A point of compromise is the point where public meets private (e.g. door, window, or fence).

These vulnerabilities will be rated as protected (protected from a breach or weather), safe (unlikely a breach could occur), unsafe (security is in place, but is lacking and a breach could occur) or unprotected (no security, a breach could happen anytime).

Following the reconnaissance phase, we will plan at least 1 attack a month, where we attempt to gain access to any valuable resources, gain entry to restricted areas, gain access to the internal network, or use our accomplice to aid us in the breach, though most likely we will use a combination of them to have the most effect. After each attempt, we list areas that were vulnerable, areas we were able to breach, or areas where the accomplice had access. If these vulnerabilities are within the acceptable levels indicated in the scope, they will only be recorded and used later by our team. If the vulnerabilities are outside of acceptable levels, they will be immediately reported to the company and not used for further testing.

This all leads to the final attack, where we use all the information that we have gained from all the previous breaches to attempt a companywide breach. This companywide breach will affect all aspects of the company and involves all areas of penetration testing. We will attack every vulnerability we have found all at once. We will do this when the company will not suffer much from any downtime of websites or services. Once we have conducted our final breach attempt, we will document everything and prepare for our meeting with the company, where we will explain our findings, our accomplishments, and where security is strong or needs improving. We may also be used for educating employees around social engineering and what to look out for with phishing emails.

Tools and Technologies

Our company uses social engineering through social media and other publicly accessible websites. Depending on the complexity of the client company’s security, we may use the following to attempt a breach: public physical access, using stolen credentials at check points or to gain access to secure locations or resources, and using social engineering to try to pass as employees or third parties to gain access. We may also use RFID badge/ID card signal duplicators to trick sensors to gain access.

We will need to have our go bags ready with a laptop running Windows/Kali Linux tooled up to collect any unencrypted credentials or to access the network physically or via wireless; port sniffing; vulnerability scanning; website spidering etc.

Skills required

Business skills and knowledge, client management and communication skills, network knowledge and skills, strong social engineering skills. Our technicians will also need to have some physical capability as they may need to climb fences or squeeze into tight spaces.

Penetration testing skills (physical, environmental, web, network, internal, external, social engineering). Skills related to RFID card readers and duplicators, signal jammers, signal grabbers and replicators.

Skills in public speaking, for presenting findings to clients. Lecturing, coaching and teaching skills for educating client companies’ employees.

Outcome

The expected outcome from this project is to see if this business model would be viable, if it would be able to penetrate the market and be lucrative. If this project is a success, I may continue to develop it and create a business or a business model and adapt it to another business.

It will also be interesting to see how to develop a business such as this and to go through the process of how it is created. If this project is successful, the business created should fill a gap in the market and help businesses better protect their assets and reduce the effect of cyber attacks on the businesses that we service. A business such as this will also highlight the need for better physical/environmental, internal and social engineering security.