Red Team testing, also known as physical security penetration testing (pen test), occurs more often than is typically discussed amongst perhaps more sexy topics in the security industry, such as Executive Protection, Workplace Violence Prevention, or Event Security. However, the benefits of red team testing done well can help solidify the essential elements of a good security program.
Having administered 200+ red team tests over the course of the last half dozen years, I can say that no two exercises often happen to be the same. Varying days of the week and times of the day that tests are conducted will help ascertain the most robust, holistic information regarding a security program. And just because you might test one day at one time does not necessarily make the result of that particular test the definitive answer and solution; it could have been a case of the personnel working that specific day & time having a good or a bad day. You will want to test that day and/or time more than once to ensure the same pattern is in place before jumping to a conclusion…not too dissimilar to surveillance in workers comp cases to refute the “Good Day” defense by the injured party.
The personnel conducting/administering the red team test should also be generally creative people in their approach and mindset in undertaking the assignment. Given creative freedom (within reason) could yield surprising results from the red team test. For example, in one instance our agent was assigned a red team test in the San Francisco Bay Area for a client. Through his advance research on the location and company, we created a cover story where he was a journalist from the local newspaper who desired to print a story regarding the client company in which he would provide very positive press for their philanthropic endeavors. This client location had security officer personnel in place and restricted elevators to each floor.
The agent approached the security officer personnel at the lobby desk explaining his cover story and requested to meet with an individual (whom he had located in his advance open source research) who was a C-suite person for the company in that location. Within 10 minutes the agent was sitting across a conference room table from this C-suite executive. His credentials were not checked. No screening mechanism was enacted. All because the company strongly desired very positive press to be published on them and the opportunity was presented for just that. This is a very good learning experience for the company. No one has to lose their job nor should they be disciplined. It should be used as a learning experience to grow from for all parties involved. Having a creative agent in place who understands security programs while pushing boundaries in an authorized manner can achieve such objectives.
To summarize what steps were taken from the example above to get to the end result:
1. Agree upon a specific statement/scope of work (SOW) between the service provider and the client.
2. Resource/assign an agent that is creative in their approach.
3. SOW should have had an allowance for advance research time prior to the read team test to be conducted. I would generally recommend up to 5 hours of time for this in most circumstances but can change based on scope, square footage needing to be tested, and other factors.
4. Expect about the same amount of time on-site for conducting the red team test plus a couple of
additional hours for report writing time.
5. Expect to have near real-time communications between the agent/service provider and the client during the operation being conducted to ensure clarity of the exact timing of the red team test. Doing so will help avoid any potential “bad actor” confusion with the operation.
6. Depending on the company’s goals and objectives of the red team test operation, consider having a tracking tool in place that is shared between the service provider and the client representative that is available on a moment’s notice. It could be an Excel sheet or other software that details dates, times, locations as well as names and contact numbers for each respectively should a timely call or note have to be placed. An effective tool will allow for filtering and sorting the content uploaded to moderate varying forms of data for different parties who might desire to see it.
7. While testing people and their practices is the most common denominator in physical security red team tests, there is a component of testing the company’s security technology as well. How well the agent can be seen on camera while conducting the test, any bypassing of access control systems in place that might have been had, or any alarm systems that might have (or should have) been activated when accessing a more vulnerable area of the company’s space are all aspects of security technology that should be looked at while the red team test was conducted. This can be done after the fact, it doesn’t have to be real-time, but doing so ensures the company equipment is also functioning properly.
Trusted Global Private Security Services
Serving US: Seattle, Bellevue, San Francisco, San Jose, Sunnyvale, Cupertino, Fremont, Milpitas, San Mateo, Palo Alto, Sacramento, Los Angeles, Orange County, San Diego, Las Vegas, Reno, Portland, Vancouver WA, Honolulu, Denver, Salt Lake City, Dallas, Houston, San Antonio, Austin, Chicago, Columbus, Atlanta, Tampa, Orlando, Miami, Charlotte, Washington DC, New York City, Boston
Serving International: Vancouver Canada, Mexico, Guatemala, Panama, Brazil, Argentina, Chile, Peru, Ireland, United Kingdom, France, Spain, Italy, Switzerland, Germany, Czech Republic, Netherlands, Poland, Hungary, Turkey, Ukraine, Russia, Saudi Arabia, United Arab Emirates, South Africa, Kenya, Nigeria, Algeria, Egypt, India, Bangladesh, China, Thailand, Cambodia, Vietnam, Philippines, Indonesia, Japan, South Korea
