Onsite Personnel "Don't Need No Stinkin' Badges" for PCI

Monday, May 30, 2011

Joe Schorr


A recent physical pen/social engineering project caused me to examine some of the new (October, 2010) PCI language.  In particular, there was something about Requirement 9 that wasn’t sitting quite right.

On this particular engagement I was tasked with performing some legal trespassing – trying to talk/sneak/bully my way into a secure facility. The method I chose was to act as a 3rd party vendor, tailgate some employees and then see how much access to the interior I could attain.

As part of my cover, I wore a lanyard with a standard ID badge holder advertising me as an employee of a vendor that the client personnel should be familiar with.

After completing my stay in the facility, seeding some malware and compromising the data center and several computer systems, I simply walked out. During my time in the building I was never challenged.

Part of this was due to poor security awareness. Part was due to a poor badging policy: I went past the front desk without signing in or being given a visitor badge. This earned the company a 'non-compliance' mark (one of many).

PCI-DSS 2.0 addresses this scenario, to a degree, in Section 9.3:

9.3 Make sure all visitors are handled as follows:
  • 9.3.1 Authorized before entering areas where cardholder data is processed or maintained.
  • 9.3.2 Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as not onsite personnel.

The missing link is in the preceding section, 9.2. While Section 9.2 does refer to 'onsite personnel' and the proper assignment and distribution of badges, it does not mandate compulsory badging of employees. In other words, while the PCI standard makes it mandatory to assign badges to all visitors, it stipulates no similar rule for actual employees.

What does this mean? In a nutshell, it means that even in a company that assigns 'Visitor Badges' at a front desk, it is a simple matter for a hostile 'Visitor' to take off the badge and look exactly like every employee in the building.

And yes, there are many, many companies that do not require badges for employees but are under pressure to be PCI compliant.

One could even make the argument that by being compliant with the 'Letter of the Law' but not with the 'Spirit of the Law', one is actually creating a false sense of security.

Why? Because employees conditioned to recognize a visitor as someone who will surely be wearing a visitor badge may well ignore the determined attacker who says, "I don't need no stinking badge," and trashes it to blend into the crowd.

To truly improve their security posture, companies should create (and enforce) a mandatory ID badge policy for visitors and employees alike. An effective policy coupled with good security awareness training will go a long way toward closing this particular gap in PCI-DSS 2.0.

Cross-posted from CyberTage.org

Franc Schiphorst:

If the place is big enough even that won't work. With 500 or 1000+ people in a building and lots of visitors, people will not check, as the number of checks becomes tiresome when you meet a visitor every few minutes (one who is there for Mr. X, who works in a department you never heard of).

So in this case fix layer 1 = reception.
Add layer 2 = reception of the datacentre, and you only get in as an employee or on a registered appointment.

(And make sure/assume that equipment in layer one gets (maid)hacked, so do similar layering in your network ;)

Ray Bernard:

I don't read John's recommendation as a silver bullet fix, especially because he says "goes a long way". Physical security (like many things) is a combination of people, process and technology, as trite as that may sound.

To be effective the full set of measures must address security within the context of the facility and its culture. A facility with buildings and hallways, some of which are designated as critical areas, can have policies and procedures that work effectively for its people and spaces. An open area facility design with walkways, not hallways, and glass-walled conference rooms would be treated differently.

A point about the recommended ID card policy is that it makes it feasible to identify intruders, whereas in the example given, it would not be feasible.

Your recommendation for layered security is of course spot-on, as one has to allow for engineered bypass/defeat of one or more points of security.