3.2. Conducting Site Exploration

No matter how you gain access to a target facility, be sure not to outstay your welcome. The risk of getting caught becomes exponentially higher the longer you stay on site. This is not to say that you should rush. Rushing is just as risky, but you should have a well-thought-out and flexible plan and know in advance what you're looking for. Sometimes this is not possible or the Rules of Engagement are deliberately vague and you have to do a little exploration. The following areas may be of interest to a penetration tester.

3.2.1. Reception (Is Not Security)

Sometimes it seems like it's all about reception. The purpose of reception is not security; that's very much a secondary function. Reception's main function is to welcome visitors and provide a face to the building. Who sees that face depends completely on the nature of the company, but it usually includes clients, salesmen, contractors and delivery men. It goes without saying that these groups are treated in very different ways.

In my experience there is nothing more dangerous for a company than to combine the function of meeting and greeting with security. They're completely different things and are not mutually compatible. For example, I've seen security protocols neglected on many occasions when reception was afraid of offending (what they believed to be) a VIP guest. This doesn't mean that reception shouldn't sign in guests or issue temporary badges, but all visitors to a company should ...