When doing a PenTest we must take into account physical security. We want to make sure all the assets are secure and protected. 

Assets include data, facilities/physical area, employees/personal and hardware.

Keep in mind that an inside attack is more likely than an outside attack. This is often overlooked. 

While doing recon you should check out the buildings security. It might be easy to gain access to locations that you'd like to investigate in the future. If you do go on prem make sure you have a story. You don't want to get stopped and questioned and have your cover blown!   

The rings approach to physiucal security defines different levels of security zones within an organization. Each ring is a unique security zone where increase level of access is required. 

Perimeter Ring: Outter most ring. This focuses on securing the perimeter of the building/property. Think of gates, fences, cameras. 

Building Ring: This focuses on securing the building itself. Think of ID cards, alarms, biometrics, authentication, locks. 

Interior Ring: This focuses on securing specific areas of the building. The idea is to separate areas based on the required level of access. Think of ID Cards, access control systems, locks, security cages.

Data Center/Servers Ring: This focuses on securing the critical infrastructure. Think of ID Cards, access control systems, locks, security cages.

Secure Room Ring: The highest level of security is required. Access should be tightly control and limited to only those who are authorized. Think of armed guards, biometrics, two factor authentication.

We want to make sure we are securing our data as physical access makes the lives of an attacker easier.

Thing to think about to secure data:

• Password Policies

• Screensavers/locked screens

• Banners on devices display upon login detailing who can access it

• Computer Systems should be secured

• Do not allow unknown people in building

• Question people who are unidentified

• Harden the OS/disable USB