
The Problem with Employee Badges As a Security Mechanism

Book Excerpt: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing

Page 3

I’m not pointing the finger at the Pentagon, but I need to illustrate an important point: Even the most die-hard government agencies hire sometimes-careless human beings. The policies in place at the Pentagon ensure that careless behavior does not negatively impact the security posture of the facility. Corporate security officers should take this lesson to heart. Visual identification of an employee badge is not a secure authentication mechanism. Do not allow any avenue for social engineers. Establish a secure access mechanism and back it up with sound, enforceable policy that employees understand and are bound to. Employees should understand that security is not someone else’s problem.

Electronic Badge Authentication

I think I have successfully established that visual badge identification is inherently insecure. Electronic verification is a much more secure method of authentication. Although electronic systems have security issues of their own, there are also some interesting no-tech attacks against them. It is not uncommon to see proximity-type cards in plain view, as shown below. Alert…

[Figure 7]

This pair had exercised good common sense and removed their site badges. However, their access cards were still in plain view. Although the possibility existed for cloning the cards, in the spirit of no-tech I suggest that an adversary can use visual inspection to learn quite a bit about the card’s owner. Consider the typical Datawatch card shown below.

[Figure 8]

The logo on the left-hand side of the photo reveals it was manufactured by HID Corporation (http://www.hidcorp.com). The physical characteristics and lack of additional logos on the card suggest it is proximity-based and is not an iCLASS card. This means the card may be prone to duplication. The toll-free number on the card belongs to Datawatch Systems. An adversary can call this number, speak to a representative, read off the top row of numbers (which we’ve partially obscured), and learn not only the address and building number the card will work on, but in some cases the suite or room number as well.

Most people would never consider wearing a Post-It note on their forehead revealing their work address, but it’s surprising how many people wear these electronic cards in plain sight which reveal essentially the same information. Access cards like these should be removed when leaving a work area.

Reprinted with permission from Syngress, which published No Tech Hacking (http://www.amazon.com/No-Tech-Hacking-Engineering-Dumpster/dp/1597492159/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1195481578&sr=8-1) in November 2007.

Read more in CSO’s interview with Johnny Long (LINK TK).

Johnny Long
