The new year finds me refining methodologies and frameworks with a revived ambition to perform more physical security breach assessments. What is a breach assessment, and why would anyone want to exceed the regulatory requirements of a logical penetration test? Answer...because some organizations take security a bit more seriously than others. Specifically, certain organizations need the extra assurance that they are less susceptible to, and more adequately protected from, the prevalent ailments that plague unfortunate newsworthy groups.
A breach assessment can incorporate a multitude of test scenarios; however, the analysis is still fundamentally about identifying effective and defective physical security controls in order to assess the level of skill and effort necessary to breach security. For instance, a skilled lock-picker can bypass a relatively sophisticated physical access control much more easily than a less experienced individual. Alternatively, the less experienced person may not bother with locks when they could just card the door or remove it altogether. Both of these scenarios are permissible and should be evaluated as part of a comprehensive breach assessment.
A breach assessment can simply test the effectiveness of physical security, or it can incorporate logical penetration testing frameworks. The combined scenario often provides insight into the specific infosec resources an intruder can leverage during the breach/penetration study. These opportunities may present themselves within the reconnaissance or planning phase, for example as prepared email solicitations for a fabricated on-site visit. Alternatively, an opportunity to compromise a "not so" closed-circuit IP-based camera system may provide the leverage needed to circumvent physical detection during the testing phase.
Overall, and potentially the most important factor, is the ability to illustrate the requirement for more secure access controls through the use of impact. Upper "C-Level" management typically does not require, nor does it need, intricate details concerning the technical and/or procedural methods used during the engagement. However, if the facts are consolidated and presented in a manner that portrays the most critical breach scenarios, then the organization is more inclined to obtain support and funding for remediation efforts.
The statement, "The server is prone to SQL injection attacks which could lead to compromise of PCI data," is far less effective than "The test team was able to enter the processing center from the loading dock and grabbed all the credit card numbers from our database." The second statement should have grabbed the executives' attention.
In conclusion, a penetration test is a worthy effort to effectively assess an organization's logical security posture; however, a physical breach assessment can provide additional insight when performed in conjunction with it. The easiest choice is not always the most appropriate, so weigh the estimated value of a compromise to your organization and choose the most appropriate approach.