6.3. Collecting Photographic Intelligence
Prior to commencing a physical penetration test it is desirable to build up photographic intelligence of the target building itself as well as staff, the general environment, and other points of interest. Usually, this is performed before the physical test itself with as much lead-time as necessary. The nature of photographic surveillance will vary between assignments but you should aim to build as comprehensive a dossier of information as possible. At a minimum you should come away with photographs of the following:
Target Buildings Take as many photographs as you can from as many angles as possible to build up a comprehensive image of the target location.
Points of Ingress/Egress Ensure you know where all the entrances and exits are and what means are in place to protect them. Think beyond the obvious, under certain circumstances a fire exit can also be an entrance.
Access Control Does the target use swipe cards, pin codes, proximity badges or bar codes to permit entry? Note that in some cases, permanent members of staff have proximity badges whereas visitors are issued temporary badges that have bar codes or which must be shown to security. Get photographs of the card readers themselves for technology analysis later. Believe it or not, sites that require visitors to be escorted are generally less secure, because in practice it is quite unworkable and staff soon tire of escorting their guests to the bathroom. Consequently, people are used ...
Get Unauthorised Access: Physical Penetration Testing For IT Security Teams now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
