
Physical Risk Exposure Analysis (PREA)

What is PREA and why was it created?

Back in 2008 BII were approached by a US communications company who were interested in engaging services around data leakage, primarily at the physical/human level. In particular, our client required help answering questions about whether they had an internal personnel problem. The organisation had up-to-date security policies and tier one technology in place, but it was clear that data was being leaked. Our client stated they did not want the request confused with an IT pen test and that the emphasis had to be on human activity across a variety of data egress routes, both physical and electronic.

BII created a unique statement of work by planning an attack scenario using methods which would be most effective against the target organisation. The aim was to exploit all cyber electronic communications as well as physical site security and staff vulnerabilities.

The BII aggressors would seek to retain/report anything regarded as a valuable asset (information). The report could then be used to mitigate real life scenario threats and would include threat impact ratings based on factual recorded evidence.

How can your organisation use PREA?

This chapter of service from BII Compliance presents selected PREA methodologies for stress testing the threat posed by one or more aggressors. Because PREA is comprehensive, the methodologies are offered so that you can cherry-pick them. Your selected phases of testing will be conducted in the way that best assesses potential vulnerability against a broad range of potential threats to your organisation. Simply select the service codes you are interested in and contact BII today to arrange a date to discuss your PREA service.

Project delivery plan

Following your selection, BII will produce a statement of work document, or 'test plan', which clearly defines the areas of BII's engagement for the operation. BII will notify your organisation immediately if the test discovers any critical security flaws or any other event that would require emergency intervention for your organisation. BII experts will deliver a full report of findings directly to your appointed contact using military grade encrypted email. The report will illustrate the retrieval techniques, analysis methods, and results of the completed assessment.

PREA blade services

The PREA service includes many blades of delivery, which determine physical risk exposure through the following deception and data retrieval techniques. Many clients that have reviewed PREA regard it as too comprehensive for their current status and therefore wish to cherry-pick the services they package. BII have separated the services as below:

  1. Preliminary Intelligence Gathering
    1. Human Intelligence (HUMINT)
    2. Signals Intelligence (SIGINT)
    3. Open Source Intelligence (OSINT)
    4. Imagery Intelligence (IMINT)
    5. Social Media Intelligence (SMI)
  2. Cyber & Comms Social Engineering (CCSE)
    1. Spear Phishing Attack Scenario (SPAS)
    2. Trojan USB (TUSB)
    3. URL and Email Manipulation (URLEM)
  3. Cyber Penetration Test (CPT)
  4. Physical Penetration Test (PPT)
  5. Tech Surveillance Counter Measures (TSCM)
    1. Tamper evidence seals

Human Intelligence (HUMINT)

Intelligence gathered directly from human sources. In general, HUMINT refers to privileged, although not necessarily classified or formally confidential, information obtained from insiders under false pretences. The act of gathering such information is referred to as social engineering. The skilled use of human intelligence gathering will give the BII operating team a considerable edge when penetrating any organisation.

Signals Intelligence (SIGINT)

Intelligence gathered through the use of interception or listening technologies. Breaching site-wide wireless networks from outside the target core is a form of SIGINT.

Open Source Intelligence (OSINT)

Intelligence that draws on information from public sources, most likely to be found either on or via the internet. Employee information, for instance, is particularly useful when engaging in pretexting and other forms of social engineering.

(CCSE) - Trojan USB data stick security exercise

This exercise records incidents where users insert and execute enticing content on USB sticks scattered throughout a workplace or nearby. This could be an easy way for an attacker to gain access to the internal network and escalate his/her privileges.

USB sticks/CDs will be created with media incorporating a harmless test client, e.g. Excel worksheets titled 'Salaries' or 'Confidential'. The devices will be supplied to the client prior to distribution for testing.

When the USB content is executed/run, the program will report the active machine and user source information to a remote logging server controlled by BII.

Spear Phishing Attack Scenario (SPAS)

Due to the success of phishing attacks, malicious phishers have developed spear phishing. Instead of sending out thousands of e-mails at random in the hope that a few victims will bite, spear phishers target select groups of people who have something in common and usually a higher profile. The e-mails are usually sent from organisations or individuals the potential victims would normally get e-mails from, making them even more deceptive.

Imagery Intelligence (IMINT)

Intelligence gathered through recorded imagery, i.e. photography. If possible, photographs of the target site and possibly staff should be acquired in the preliminary phase, depending on the nature of the engagement. The value of good photographic intelligence cannot be overstated. IMINT also refers to satellite intelligence; however, satellite imagery is a crossover between IMINT and OSINT as far as it extends to Google Earth and its equivalents.