Standards & Case Studies
Physical findings land harder when they map to current standards and real failures. This chapter gives you a translation layer from offensive observations to governance language, plus a few case studies that show how access, process, and authorization failures become expensive quickly.
Standards Mapping
| Reference | Why It Matters | Use In Reporting |
|---|---|---|
| NIST CSF 2.0 | Lets you anchor physical findings in the CSF function language (Govern, Identify, Protect, Detect, Respond, Recover) | Useful for executive summaries and cross-program remediation |
| ISO 27001 / 27002 | Provides physical perimeter, physical security monitoring, and storage-media handling control references | Strong for audit-driven clients and policy alignment |
| UL 294 | Rates access control units by performance level for destructive attack, line security, endurance, and standby power, which frames expectations for reader and door hardware | Useful when badge readers and door hardware are part of the finding |
| OSDP Secure Channel | Provides an encrypted, authenticated reader-to-controller link (AES-128), replacing Wiegand, which carries credential bits in the clear with no authentication or tamper detection on the wire | Use when exposed reader wiring and credential cloning or replay risk appear together |
| ONVIF / CCTV guidance | Frames camera management and interoperability expectations | Use when surveillance coverage or camera network exposure is weak |
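To make the OSDP row concrete, the following is an added example (not code from the original page) that encodes and decodes the common 26-bit Wiegand frame: one even-parity bit, an 8-bit facility code, a 16-bit card number, and one odd-parity bit. An attacker with a logic analyzer on exposed reader wiring sees exactly these bits, and re-emitting a captured frame is indistinguishable from a legitimate badge read, which is the cloning and replay risk the table asks you to pair with the wiring finding. The sample capture, the `flip_bit` helper, and all function names are this example's own constructions.

```python
"""Wiegand 26-bit frame encode/decode (added example, not from the page).

Frame layout on the wire (bit 0 sent first):
  bit 0      even parity over data bits 1..12
  bits 1-8   facility code (8 bits)
  bits 9-24  card number (16 bits)
  bit 25     odd parity over data bits 13..24
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Wiegand26:
    facility_code: int  # 0..255
    card_number: int    # 0..65535


def encode_wiegand26(facility_code: int, card_number: int) -> str:
    """Return the 26-bit frame as a '0'/'1' string in wire order."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code must be 8 bits, card number 16 bits")
    payload = f"{facility_code:08b}{card_number:016b}"  # 24 data bits
    # Leading parity makes the first 13 bits (parity + 12 data bits) even.
    p_even = str(payload[:12].count("1") % 2)
    # Trailing parity makes the last 13 bits (12 data bits + parity) odd.
    p_odd = str((payload[12:].count("1") + 1) % 2)
    return p_even + payload + p_odd


def decode_wiegand26(bits: str) -> Wiegand26:
    """Parse a 26-bit frame and verify both parity bits; raise on a bad frame."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 26 bits of '0'/'1'")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("even parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("odd parity check failed")
    payload = bits[1:25]
    return Wiegand26(int(payload[:8], 2), int(payload[8:], 2))


def flip_bit(frame: str, index: int) -> str:
    """Invert one bit; models a capture glitch or line tampering (helper for the demo)."""
    return frame[:index] + ("1" if frame[index] == "0" else "0") + frame[index + 1:]


def recover_credentials(captured: list[str]) -> list[Wiegand26]:
    """Decode every well-formed frame in a capture, dropping ones that fail parity.

    No key is involved anywhere: the wire carries the credential in the clear.
    """
    creds: list[Wiegand26] = []
    for frame in captured:
        try:
            creds.append(decode_wiegand26(frame))
        except ValueError:
            continue
    return creds


def clone_frame(frame: str) -> str:
    """Re-encode a captured frame; the result is bit-identical to the original,
    so a replay device on the D0/D1 lines cannot be told apart from the reader."""
    cred = decode_wiegand26(frame)
    return encode_wiegand26(cred.facility_code, cred.card_number)


# Constructed sample capture (not real data): two good reads and one frame
# corrupted by a single flipped bit, which the parity check rejects.
SAMPLE_CAPTURE = [
    encode_wiegand26(123, 45678),
    encode_wiegand26(7, 1024),
    flip_bit(encode_wiegand26(123, 45678), 5),
]

if __name__ == "__main__":
    for cred in recover_credentials(SAMPLE_CAPTURE):
        print(f"facility={cred.facility_code} card={cred.card_number}")
    print("replay identical:", clone_frame(SAMPLE_CAPTURE[0]) == SAMPLE_CAPTURE[0])
```

The point for the report is the last line: because decode followed by encode reproduces the captured frame exactly, any tap on the reader cable yields a credential that can be replayed at will. The remediation that maps cleanly to a standard is OSDP with Secure Channel enabled on both reader and controller, not a stronger card technology alone, since the card format never reaches the wire under Wiegand protection.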
Make Physical Findings Easy To Fund
Case Study Patterns
Coalfire Iowa Courthouse
In 2019, two Coalfire testers performing an authorized after-hours assessment of the Dallas County Courthouse in Iowa were arrested on site. The engagement had been authorized by the state court administration, but county officials and the county sheriff were not party to that agreement and disputed its authority over the building; the charges were later dropped.
- Lesson: authorization must be socially and operationally distributed, not just signed
- Lesson: after-hours physical work needs explicit local coordination with the people who will actually respond
Target HVAC Vendor Path
In the 2013 Target breach, stolen credentials belonging to an HVAC contractor gave the attackers a foothold through a vendor-facing system, from which they reached the retail network and point-of-sale systems. A trusted third party became the route into a much larger environment, showing how contractor trust and operational access can bypass stronger central assumptions.
- Lesson: vendor workflows are part of physical and identity security
- Lesson: "authorized presence" should not imply broad network trust
MGM Help Desk Social Engineering
In the 2023 MGM Resorts incident, attackers impersonating an employee talked the IT help desk into resetting that identity's credentials. Not a classic physical breach, but an instructive reminder that identity confidence and human verification still fail when urgency and familiarity win.
- Lesson: challenge culture and trusted callback processes matter across channels
- Lesson: physical and digital identity workflows should not be separated in analysis
Failure Modes To Call Out Explicitly
- Authorization exists on paper but not in the awareness of local guards, reception, or law enforcement
- Badge systems are treated as strong despite insecure reader wiring, weak credential technology, or no anti-tailgating culture
- Cameras provide presence theater without usable identification or a meaningful response process
- Visitor and contractor processes create trusted humans who then move unchallenged into technical attack paths