Collaborative Development of Comprehensive Cyber-Physical Penetration Testing Service by ALSOK and GMO Cybersecurity

Introduction

The ever-evolving nature of cyber threats necessitates comprehensive security measures. In response to this pressing need, ALSOK and GMO Cybersecurity by Ierae have collaborated to develop a state-of-the-art security diagnostic service known as the "ALSOK & GMO Cyber-Physical Penetration Test," aiming to visualize intrusion risks from physical spaces to cyberspace. This jointly created service is set to be proposed starting July 29, 2025.

Background

As the complexity of cyberattacks continues to escalate, it becomes crucial to determine whether existing security measures can withstand these threats. Threat-led penetration testing (TLPT) serves as a means to simulate real attack techniques on various systems. The Financial Services Agency of Japan urges regular TLPT implementation as a recommended practice in their guidelines. Furthermore, it has been highlighted in the safety standards by the Financial Information System Center (FISC) that physical security testing is becoming a significant focus, particularly among major financial institutions like banks and insurance companies.

This increasing need for robust security measures prompted ALSOK, renowned for its extensive security consulting experience, to partner with GMO Cybersecurity by Ierae, which holds a wealth of knowledge in cybersecurity penetration testing. Together, they have crafted the "ALSOK Cyber-Physical Penetration Test," a new service that not only assesses potential physical intrusions but also analyzes the risk of cyberattacks stemming from such breaches.

Service Overview

Features of the Service

- Practical Assessment of Physical Security

Leveraging ALSOK's decades of expertise in physical security, the service provides multifaceted evaluations and improvement recommendations tailored to clients’ specific needs.

- Realistic Attack Scenarios

The service employs attack scenarios modeled on actual cybercrimes that have occurred in Europe. One notable example is the "DarkVishnya" model, where criminals physically infiltrate an office to connect devices to the internal network, demonstrating the connection between physical security breaches and potential cyberattacks.

- Comprehensive Intrusion Risk Assessment

With the expertise of GMO Cybersecurity by Ierae, known for its top-tier white-hat hacking team, the service facilitates integrated diagnostics covering both physical and cyber dimensions, enhancing overall security.

- Tailored Scoping of Services

The tests target various vulnerabilities, ranging from physical access to internal network penetrations. Should there be limitations in the client's environment, assessments can be adjusted to focus solely on physical intrusions or network diagnostics. Additionally, the service includes a wide range of options based on client requests, such as exploring vulnerabilities identified within facilities.

- Visualization of Security Measures

Clients who utilize the "ALSOK & GMO Cyber-Physical Penetration Test" will receive a certification sticker as proof of their commitment to security. This symbolism showcases their investment in security measures, reinforcing their reputation as a trustworthy business.

Case Study

Prior to this announcement, ALSOK conducted a physical penetration test for Aozora Bank in Chiyoda, Tokyo. The management of Aozora Bank led this initiative, aiming to objectively assess the risks associated with sophisticated cyberattacks that involve physical approaches. The test, based on threat-led scenarios simulating real-world attack methods, effectively evaluated the bank's vulnerability to physical incursions and the corresponding access to their internal network.

The exercise was conducted without prior notification to the defensive team, thereby enabling a comprehensive assessment that included technical vulnerabilities as well as operational response capabilities. Following the test, leadership within Aozora Bank promptly initiated improvement activities to address the identified issues, resulting in enhanced measures for both cybersecurity and physical security.