
Lesson 7.2: Physical Penetration Testing (Red Teaming)

1. Learning Objectives

By the end of this lesson, you will be able to:

  • Define Red Teaming and distinguish it from a standard security audit.
  • Draft a Rules of Engagement (ROE) document to ensure safety and legality.
  • Explain the function of a “Get Out of Jail Free” letter.
  • Identify common tools used by attackers, such as the Proxmark3 (Badge Cloner) and Under-Door Tools.

2. Audit vs. Red Team

  • Security Audit (Checklist): An inspector walks around with a clipboard.
    • Question: “Do you have a policy against tailgating?”
    • Answer: “Yes.”
    • Result: Pass.
  • Red Team (Simulation): An adversary attacks the facility.
    • Action: The adversary tries to tailgate behind a smoker.
    • Result: If they get in, you Fail, regardless of what the policy paper says.

Goal: The Audit checks compliance. The Red Team checks effectiveness.

3. The Rules of Engagement (ROE)

Red Teaming is dangerous. If a Red Teamer jumps a fence at 2:00 AM, a guard might mistake them for a terrorist and use force. Strict rules are required.

Key Components of ROE:

  1. Scope: What is off-limits? (e.g., “Do not enter the CEO’s office,” “Do not cut any power cables”).
  2. No Destruction: “Pick the lock, don’t break the window.”
  3. The “Stop” Word: A safety code phrase. If a Red Teamer says “Exercise-Exercise-Exercise” or “White Flag,” the guards must stop immediately.
  4. The “Get Out of Jail Free” Letter:
    • A document signed by the CEO or CSO.
    • It states: “The bearer of this letter is a consultant authorized to test security. If found, please call [Phone Number] to verify.”
    • The Red Teamer keeps this hidden and only reveals it if they are handcuffed or about to be arrested.

4. Common Tactics & Tools

Red Teamers use a mix of social engineering and high-tech gadgetry.

A. Badge Cloning

  • The Tool: Proxmark3 or Flipper Zero.
  • The Attack: The attacker stands next to an employee in a coffee shop or elevator. The device reads the card in the employee’s pocket (from ~30 cm away) and copies it.
  • The Result: The attacker writes that data to a blank card and walks into the data center as a “valid” user.
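A defender-side complement to the badge-cloning scenario above, added here as an illustrative example (this is Python written for this lesson, not the lesson's own material or any access-control vendor's tooling): two checks over an access-control log that surface a copied card already in use. The log format, site names, badge IDs and minimum travel times are all constructed for the example.

```python
"""Cloned-badge and tailgating indicators in an access-control log.

Added example for this lesson; not part of the original material and not
modelled on any particular vendor's export format. Log layout, site names,
badge IDs and travel times are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export: <timestamp> <badge> <site> <door> <IN|OUT>
# B1042 is read at the data-center site under two minutes after a door at HQ,
# the pattern a copied card produces while the real holder is still at HQ.
# B2210 badges into the lobby twice with no badge-out in between.
SAMPLE_LOG = """\
2024-05-06T08:58:10 B1042 HQ-NORTH lobby IN
2024-05-06T09:01:44 B1042 HQ-NORTH floor3 IN
2024-05-06T09:03:02 B1042 DC-WEST datacenter IN
2024-05-06T09:15:30 B2210 HQ-NORTH lobby IN
2024-05-06T09:16:05 B2210 HQ-NORTH lobby IN
2024-05-06T12:30:00 B1042 HQ-NORTH lobby OUT
"""

# Assumed minimum travel time in minutes between each pair of sites.
TRAVEL_MINUTES = {frozenset({"HQ-NORTH", "DC-WEST"}): 40}


@dataclass
class Event:
    ts: datetime
    badge: str
    site: str
    door: str
    direction: str


def parse_log(text):
    """Parse the whitespace-separated export into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, site, door, direction = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, site, door, direction))
    return sorted(events, key=lambda e: e.ts)


def find_impossible_travel(events):
    """One badge ID read at two sites closer together in time than anyone
    could travel between them. Returns (badge, from_site, to_site, when)."""
    findings = []
    last_seen = {}  # badge -> most recent event for that badge
    for e in events:
        prev = last_seen.get(e.badge)
        if prev is not None and prev.site != e.site:
            needed = TRAVEL_MINUTES.get(frozenset({prev.site, e.site}))
            if needed is not None and e.ts - prev.ts < timedelta(minutes=needed):
                findings.append((e.badge, prev.site, e.site, e.ts))
        last_seen[e.badge] = e
    return findings


def find_passback_violations(events):
    """Anti-passback: a badge that enters the same door again without ever
    badging out. Either the holder left without badging (for example by
    following someone else out) or a second copy of the card is in use.
    Returns (badge, door, when)."""
    findings = []
    inside = set()  # (badge, door) pairs currently recorded as inside
    for e in events:
        key = (e.badge, e.door)
        if e.direction == "IN":
            if key in inside:
                findings.append((e.badge, e.door, e.ts))
            inside.add(key)
        elif e.direction == "OUT":
            inside.discard(key)
    return findings


def run_checks(text):
    """Run both checks over a log export and return the findings by check name."""
    events = parse_log(text)
    return {
        "impossible_travel": find_impossible_travel(events),
        "passback": find_passback_violations(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_LOG).items():
        for hit in hits:
            print(name, hit)
```

The impossible-travel check only fires while the legitimate holder is still generating events at another site, and the anti-passback check only works on doors that require a badge in both directions; neither stops a card from being copied. Switching to credentials that cannot be read and replayed (the report's fix) removes the copy; these checks are the logging layer that catches a copy already in circulation.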

B. Physical Bypasses

  • Under-Door Tool: A stiff wire used to grab the handle on the inside of a door and pull it down. (Works if there is a gap under the door).
  • Canned Air: Spraying inverted canned air through a gap in a “Request to Exit” (REX) sensor. The cold fog tricks the thermal sensor into thinking a person is there, and the door unlocks.

C. Social Engineering

  • The “Box” Trick: Carrying a heavy box with both hands and visibly struggling with it. People naturally hold the door open for you.
  • The “Smoker” Trick: Standing in the smoking area, chatting with staff, and walking back in with the group.

5. The Deliverable: The Report

The value of a Red Team is not “We got in.” It is “Here is how we got in, and here is how to stop it.”

Sample Findings:

  • “We breached the perimeter by tailgating a delivery truck.” -> Fix: Install a vehicle airlock.
  • “We bypassed the Server Room door using a jagged piece of plastic (Shimming).” -> Fix: Install latch guards (astragals) on all doors.
  • “We cloned a receptionist’s badge.” -> Fix: Switch from 125 kHz Prox cards to encrypted iCLASS SE cards.