Vulnerability assessment

Vulnerability assessment in security audit

Vulnerability assessment is a term of English origin, commonly understood as penetration testing. While the phrase is mostly associated with the IT industry, it also encompasses the examination of vulnerability to physical infiltration, and it is this latter meaning that I will focus on in this article.

What is Vulnerability Assessment?

Vulnerability assessment is the result of examining an object’s susceptibility to an attack conducted according to established rules – constraints imposed by the contracting party commissioning the assessment. This examination, alongside IT penetration tests (in the form of a cyber-attack), should be a component of every information security audit. In Poland, although its popularity is growing, it has not yet acquired a separate name, and the term “pentests” is mainly associated with attempts to breach the security of networks, servers, and websites, or more broadly with attacks on the entire “cyber ecosystem.”

Vulnerability assessment as a test for susceptibility to direct infiltration

Testing vulnerability to direct infiltration is a specialized service, and few firms in Poland have the capabilities to carry it out reliably. Such an assessment involves activities in the realm of OSINT (Open-Source Intelligence), HUMINT (Human Intelligence), hostile reconnaissance conducted by an experienced team of testers (agents), and the attack itself. Vulnerability assessment requires the application of various techniques, most commonly social engineering and tailgating, but also other techniques tailored to the client’s needs and incorporated into the agents’ action scenarios. The result of vulnerability assessment is a report, providing a basis for assessing the vulnerability of an organization, sector, or facility, containing detailed information and serving as the foundation for drawing conclusions and planning corrective actions.

When is it worth considering vulnerability assessment for direct infiltration?

The circumstances that particularly warrant conducting a vulnerability assessment include all security incidents, modifications to existing procedures, verification of employee training implementation, expansion of access control systems, changes in location, introduction of new buildings, floors, parking lots, or areas, changes in providers of physical security services and monitoring, and ongoing construction or renovation work. Each of these events creates circumstances in which the integrity of procedures and technical solutions may be insufficient.

The human as a weak point in security

The most common cause of security incidents is the human factor. Even high-quality technical solutions and well-developed procedures do not guarantee a high level of security. It is enough for an employee to have a bad day, for deliveries and confusion at reception to coincide, for a security guard to temporarily have too many tasks on their plate, for too few security personnel to be available at a given moment, or for employees to show a lack of understanding of the importance and purpose of existing rules. Even a decrease in vigilance due to daily routine can give potential intruders an opportunity to infiltrate.

Vulnerability assessment – the entry of an agent is a success, and not entering is an even greater success

When an agent achieves the intended goal of the test and exits without detection, such a test, understandably, is perceived as a well-done job. However, how can one determine if vulnerability tests have been conducted reliably and credibly when the agent does not enter?

The answer to this problem lies in the final vulnerability assessment, namely the final report. As previously mentioned, this report includes a description of the test subject, the date of its execution, information about the supervision of its progress, reconnaissance details, the course of test scenarios, and recommendations for each of the tested areas. When agents discuss and plan action scenarios, the client has full knowledge of the tested element of the organization or its environment, and in the report, they receive the result of this test. Therefore, the agent’s failure to achieve the goal is valuable information and indicates good preparation for threats foreseen in the implemented scenario.

Author: Michał Nosowski
