Physical Penetration Testing

The founders of Prometheus Global were pioneers in the field of Penetration Testing in the early 1990s. In turn, they have imparted their methodologies, techniques and knowledge to a new generation of operators who have embraced the latest in penetration techniques. The marriage of this knowledge with cutting-edge technology has resulted in an unparalleled depth of experience and expertise in Penetration Testing.

Prometheus Global understands that security is about more than just controls. This is why our Penetration Testers are also trained in Social Engineering and special attack and deception techniques. We will employ the same methods that malicious actors would use against your organization. For example, methods such as force on force, dumpster diving, lock picking, social engineering, physical access compromise and 'simulated sabotage' would be utilized. While these techniques may seem extreme, it is important to remember: "Bad guys don't follow rules, and they don't play nice."

Before we test your organization, we provide you with a fully documented test plan and work with you to find an acceptable level of exploitation, and define Rules of Engagement for the operation. We will notify you immediately if the test results include any critical security flaws or any other event that would require emergency intervention for your organization. After completion of the Penetration Test, Prometheus Global's security experts will report the findings to management and security personnel, illustrating the techniques, analysis, and results of the assessment. The report covers:

  • Executive summary
  • Technical vulnerability report
  • Design weaknesses
  • Process and Procedural weaknesses
  • Physical, Electronic and Cyber Weaknesses
  • Personnel and training weaknesses
  • Other security weaknesses
  • Recommended mitigation/remediation measures
  • Other recommended actions on maintaining a secure environment

The ever-increasing volume, complexity and sophistication of attacks on organizations require that you maintain constant vigilance in all aspects of threat protection. We work with you to determine the appropriate frequency for penetration testing to ensure that your organization and its personnel are protected from new sources and types of malicious attacks.

NOTE: The goal of a Penetration Test is to break into an organization and determine how to prevent future intrusions. To do so, Prometheus Global's security experts must necessarily pose temporarily as bad actors. Truly bad actors are not constrained by client requirements, operational issues or proper authorization. While Prometheus Global takes careful measures to avoid any negative impact while posing as bad actors, as the attack techniques necessarily become more direct, the risk of negative impact rises. Another way of viewing the process is thus:

Prometheus     Client         Risk
Cooperative    Cooperative    Low
Cooperative    Hostile
Hostile        Cooperative
Hostile        Hostile        High

The vast majority of Physical Security Posture Assessments fall into the top category, Cooperative-Cooperative, with some elements of Cooperative-Hostile. Penetration Testing normally falls into the bottom two categories, where Prometheus Global assumes a hostile posture and utilizes a larger and more ‘unfriendly’ set of methods. Some of the techniques utilized by Prometheus Global are Force on Force exercises, electronic systems manipulation, IED/VBED infiltration tests, social engineering and spear-phishing, infiltration and tailgating activities, identification forging, active eavesdropping, and other advanced adversary activities. These practices carry an element of risk which may not be suitable for certain organizations, in which case we recommend a Security Posture Assessment using industry-standard auditing and assessment methods as an alternative.