Pentesters – do pentesting companies shy from physical pentesting? How do you, pentesters, perceive this part of the job? Do you consider it the integral part of your profession, just like you do with vulnerability scanning and managment? Or is it just “something different”?
hmm I think is all depends on the scope of the work. Like anything with Pen testing if you don’t have permission you just don’t do it as it could get you into trouble.
I personal think that all companies should take physical security and social engineer attack serious. I have read many books when all attacks on the network have failed however by walking in the company or ringing them 9 times out of 10 they have gained access this way.
Definitely agree Jamie.R, I just don’t want to be that guy. Let’s say i have permission and a signed authorization from the CEO but an overzealous security guard decides he needs to take me down. He may not wait for me to fish a piece of paper out of my pocket. No thanks.
There is risk involved of course.
However the realities are that not many companies are good at Physical Security.
If you have these concerns I would have some additional clauses in the engagement contract to cover the event of your own personal damage.
It doesnt stop it happening granted, but it gives you some insurance.