A recent physical pen/social engineering project caused me to examine some of the new (October 2010) PCI language. In particular, there was something about Requirement 9 that wasn’t sitting quite right.
On this particular engagement I was tasked with performing some legal trespassing – trying to talk/sneak/bully my way into a secure facility. The method I chose was to act as a third-party vendor, tailgate some employees and then see how much access to the interior I could attain.
As part of my cover, I wore a lanyard with a standard ID badge holder advertising me as an employee of a vendor that the client personnel should be familiar with.
After completing my stay in the facility, seeding some malware and compromising the data center and several computer systems, I simply walked out. During my time in the building I was never challenged.
Part of this was due to poor security awareness. Part was due to a poor badging policy, since I went past the front desk without signing in or being given a visitor badge. This earned the company a 'non-compliance' mark (one of many).
PCI-DSS 2.0 addresses this scenario, to a degree, in Section 9.3:
9.3 Make sure all visitors are handled as follows:
- 9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
- 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as not onsite personnel.
The missing link is in the section immediately preceding this one, Section 9.2. While Section 9.2 does refer to ‘onsite personnel’ and the proper assignment/distribution of badges, it does not mandate compulsory badging of employees. In other words, while the PCI standard makes it mandatory to assign badges to all visitors, it stipulates no similar rule for actual employees.
What does this mean? Well, in a nutshell, it means even in a company that assigns ‘Visitor Badges’ at a front desk it is a simple matter for a hostile ‘Visitor’ to take off the badge and look exactly like every employee in the building.
And yes, there are many, many companies that do not require badges for employees but are under pressure to be PCI compliant.
One could even make the argument that by being compliant with the ‘Letter of the Law’ but not being compliant with the ‘Spirit of the Law’, one is actually creating a false sense of security.
Why? Because employees conditioned to recognize a visitor as someone who surely will have a visitor badge may well ignore the determined attacker who says, “I don’t need no stinking badge” and trashes it to blend into the crowd.
To truly improve their security posture, companies should create (and enforce) a mandatory ID Badge policy for visitors and employees. An effective policy coupled with good security awareness training will go a long way to closing up this particular gap in PCI-DSS 2.0.
Cross-posted from CyberTage.org