Scott Wright's Security Views

How ID badges can hurt security and what can be done about it

Wednesday, November 9th 2011 @ 6:00 AM

Most of us accept the need for ID badges in organizations that have more than a few people who recognize each other. It makes sense that we need a way to recognize those who are authorized to be there, even if we don't know them personally. ID badges help fulfill this need, for the most part. But they can also be a weak link in the organization's security.

Inside Versus Outside

I recently saw a poster at a facility I was visiting that raised awareness about the risks of leaving your badge visible when you go outside the office. I've long felt that people who wear their badges in public places are making it easy for attackers to recognize employees of the organization at nearby parking lots, coffee shops and even mass transit systems.

Many organizations put information on their badges that makes it easier for co-workers to know the privileges that have been granted to the employee. Sitting across from somebody on a bus, or nearby in a coffee shop, you can often see many of these details if their badge is exposed. This is information that could be used against the organization in a social engineering attack.

It's better to have minimal information on a badge, in case it is lost outside, or just to reduce the usefulness to attackers who might see it when people inadvertently wear them outside the office.

Social Engineering With Badges

I recently read Kevin Mitnick's book "Ghost in the Wires", which details his emergence as a hacker and social engineer. Kevin described how easy it was to make a badge that looked official enough to fool 90% of the insiders when passing by them in a hallway. Virtually nobody is going to stop somebody they don't recognize if that person has a badge with the basic graphic elements one would expect.

Adding a Layer of Security to ID Badges

So, you need a little more than just a visual badge to identify people properly. That's why many organizations with sensitive operations embed electronics in the badge that can be read at automated access points. This works pretty well, as long as people don't hold the door open for others to enter the facility - an extremely bad habit called "tailgating".

For organizations that do not add this enhancement to their ID badges, you should have receptionists at each entrance to monitor the flow of people, and to inspect badges for authenticity.

No matter which approach you use, it's very important to inform staff that "tailgating" is a serious security vulnerability that is easy to address.
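Electronic badges also leave a trail at each reader, and that trail can reveal tailgating after the fact. The following is an added example, not code from the original post: a small anti-passback check over constructed access-control log lines. The log format, reader names and badge ids are assumptions made for the example; a badge that reaches an inner door without ever badging through the perimeter, or badges in twice without badging out, is flagged as a sign that someone followed another person through a door.

```python
"""Anti-passback check over constructed access-control log lines.

Each line (an assumed format): timestamp, badge id, reader id, IN/OUT.
An inner-door entry with no prior perimeter entry, or two perimeter
entries with no exit in between, suggests tailgating or a shared badge.
"""
from collections import namedtuple

Event = namedtuple("Event", "ts badge reader direction")

# Constructed sample log; not from any real access-control system.
SAMPLE_LOG = """\
2011-11-09T08:01:10 B1001 LOBBY-DOOR IN
2011-11-09T08:03:44 B1001 LAB-DOOR IN
2011-11-09T08:05:02 B1002 LAB-DOOR IN
2011-11-09T12:00:15 B1001 LOBBY-DOOR OUT
2011-11-09T12:30:40 B1003 LOBBY-DOOR IN
2011-11-09T12:31:05 B1003 LOBBY-DOOR IN
"""

PERIMETER = "LOBBY-DOOR"  # assumed name of the outer (entrance) reader


def parse_log(text):
    """Turn the whitespace-separated log text into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, reader, direction = line.split()
        events.append(Event(ts, badge, reader, direction))
    return events


def find_anomalies(events):
    """Return (badge, ts, reason) for each event that breaks anti-passback."""
    inside = set()       # badges currently believed to be in the building
    anomalies = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.reader == PERIMETER:
            if ev.direction == "IN":
                if ev.badge in inside:
                    anomalies.append((ev.badge, ev.ts, "double entry without exit"))
                inside.add(ev.badge)
            else:
                if ev.badge not in inside:
                    anomalies.append((ev.badge, ev.ts, "exit without recorded entry"))
                inside.discard(ev.badge)
        elif ev.direction == "IN" and ev.badge not in inside:
            # Reached an inner door without badging in at the perimeter.
            anomalies.append((ev.badge, ev.ts, "inner door " + ev.reader + " without perimeter entry"))
    return anomalies
```

In the sample data, B1002 appears at the lab door without ever badging in at the lobby and B1003 badges in twice, so two events are flagged for a receptionist or security team to review.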

The Bottom Line

Employees must be educated to protect their badges with care, not to wear them outside, and not to allow anyone they don't recognize to follow them into a building.

Safeguards should also be put in place to ensure that entry points to facilities are well monitored. Badges should carry minimal information and should be made difficult to forge, which can be done with commonly used RFID technology. Just keep in mind that any safeguard can be foiled by attackers with enough resources and the right social engineering approach.

Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec
LinkedIn: http://www.linkedin.com/in/scottwright (please send a personal message first on LinkedIn if you'd like to connect, to ensure that you're not a spammer)


Copyright 2012. Security Perspectives Inc. All Rights Reserved.