Physical Security

Many cyberattacks happen remotely, but sometimes, it's what's on the inside that counts.

A Physical Security Implementation, Testing, and Assessments is designed to physically penetrate your environment. Expected results may include: 

  • A "trophy" item taken from one of the locations tested 

  • Results of attempts to access the network inside the target location 

  • Descriptions of flawed physical security processes that led to a compromise 

  • Photographic or other evidence that unauthorized access to sensitive areas took place

An image of an outdoor security camera pointing down to the right.

Methods that DJPaA may use to attempt to penetrate your environment include: 

  • Identifying personnel within your organization who may have sensitive information 

  • Examining public information found on the Internet, including that of employees, vendors, business partners, or other trusted individuals or companies 

  • Impersonate trusted individuals from your organization or other companies 

  • Phone, email, text message, message board, or other communications with your employees 

  • Reconnaissance of information about the company that may lead to an attack escalation 

  • Asking an employee to perform tasks that are intended to provide proof-of-concept for a compromise of your environment 

  • Physically entering a sensitive area inside your environment, DJPaA will make multiple attempts, using different methods, to compromise your environment. The results of these attempts will display the general security posture of your organization.

A Physical Security Assessment is generally performed in a non-putative manner, to identify the flaws in your process rather than call attention to the actions of individuals. However, in some cases, it may be appropriate to formally discipline individuals who performed significantly worse than the overall security posture would indicate. An initial step in security system analysis is to characterize the facility operating states and conditions. This step requires developing a thorough description of the facility itself (the location of the site boundary, building locations, floor plans, and access points). A description of the processes within the facility is also required, as well as identification of any existing physical protection features. This information can be obtained from several sources, including facility design blueprints, process descriptions, safety analysis reports, environmental impact statements, and site surveys

Victim and Threat Identification

  • Determine Consequences of Access and Compromise of Personnel, Devices, and Infrastructure

  • Facility, Victim, and Location Characterization, and the Risks, Safety, and Security of Personnel, Devices, and Infrastructure

  • Severity and Estimation of Threats, Risks, Access, and Damage to Personnel, Devices, and Infrastructure

  • Threat Hunting of Apparent and Hidden Information, Threats, and Risks

  • Analyze Protection System Effectiveness to prevent Digital and/or Physical Access to Personnel, Devices, and Infrastructure compromise.

  • "His record of corporate successes in a highly competitive cybersecurity environment speaks for itself."

    -Timothy M. Opsitnick

  • " In particular, he provided the core capability we needed to execute a recent cybersecurity assessment for the U.S. Department of Energy (DOE)."

    -Ranson J. Ricks

  • "David has impressed me with his ability to maintain a high degree of security knowledge in a field that is constantly changing."

    -Timothy M. Opsitnick