Visitor management is the process of identifying and tracking all guests who enter your location. This can include employees from other locations, delivery personnel, contractors, family members, janitorial staff, etc.
Last month we sent out an Alert regarding a group of individuals on several college campuses claiming they were there to test campus dining equipment and point of sale systems. If this had happened at your office, would your staff have thought twice before allowing these individuals access to organizational systems? How many visitors are in your office right now? Do you remember how many came in yesterday? Do you know who was there on May 17th?
Social engineering attacks target unsuspecting staff and continue to be one of the most successful techniques for gaining access to sensitive systems and information. By claiming to be an employee or vendor with official-looking credentials, criminals can coax information from employees or gain physical access to systems. Criminals have been known to steal or purchase old vendor/contractor uniforms as a way to bypass security or avoid scrutiny. They may pose as janitorial staff, IT/networking employees there to “fix” something, or even auditors/consultants. Do you outsource your shredding to a service provider? When they arrive for their weekly pickup, are you verifying that they are from the shredding vendor, or are you basically handing a stranger loads of confidential details and allowing them to wheel it out the door?
Requirements for visitor management vary, but they are included within NIST SP 800-171 (Requirement 3.10.3, escort visitors and monitor visitor activity), the PCI DSS (Requirement 9.2, distinguishing visitors from onsite personnel, and Requirement 9.4, visitor authorization, badges, and logs), and ISO/IEC 27001 Annex A (controls A.11.1.1 through A.11.1.6, physical and environmental security). If sensitive information, like non-public information (NPI) or cardholder data (CHD), is present in the area, the following should be included in your visitor management procedures:
- All visitors must be properly screened and authorized before allowing them entry, and they should also be escorted at all times while onsite. Approved visitors should be given a badge or other method of identification that distinguishes them from regular staff. This will make it easy to quickly identify their role and ensure they are only able to access those areas for which they have been authorized. Limitations and expiration dates should be placed on visitor badges, and you should require that they are returned upon exit. Finally, be sure you have a process in place to immediately revoke ID badges from terminated onsite personnel.
- Be mindful of “tailgating”, or unauthorized individuals trying to follow an authorized individual through a secure door without providing their own access card or code. This also applies to other employees or contractors. Make sure employees don’t allow someone claiming they left their badge at their desk to follow them in – there may be a termination that they are not aware of, so it’s best to require everyone to follow the appropriate protocol. It is also important that employees safeguard their access cards and badges, and do not leave them unattended on their desks or in unlocked cars in the parking lot.
- A documented visitor log should be kept that details the visitor’s name, the organization they are representing, the onsite employee who granted them access, and the times they arrived and left. This log should be retained for at least 3 months (the PCI DSS minimum), so it can be reviewed if you were to discover a device had been tampered with or information had gone missing. If you are using a manual sign-in sheet, it is also important that the log is legible – can you actually read the names? Do visitors note the time they arrive? Are they required to sign out, or do you just assume they left? (Or are they actually hiding in the closet right now?)
- For highly sensitive areas, organizations will often install cameras that record all individuals entering/exiting the area. You may also take photographs of visitors, or scan ID cards and driver licenses.
- Review your visitor management procedures with staff as part of your ongoing security awareness training. You may also want to test employees to ensure they are following these processes. You can put on your trench coat and fake mustache, or you can enlist the help of third-party penetration testers to come onsite and see if they can successfully social engineer their way through the door.
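As an added example that is not part of the original page, here is a Python script that reviews a visitor log and answers the questions raised above: who was recorded as onsite at a given moment, which entries are unusable for an investigation because a field was left blank, and which entries have passed the minimum retention window. The CSV column layout, the sample entries, and the 90-day stand-in for "three months" are all assumptions made for the example; an entry with no sign-out time is deliberately treated as "still onsite" rather than "probably left".

```python
"""Review a visitor sign-in log (added example; not from the original page).

Assumed log layout (an assumption for this example): one CSV row per visit with
date, time_in, time_out, name, organization, host (the employee who granted
access) and badge.  A blank time_out means the visitor never signed out.
"""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample log; every entry below is made up for this example.
SAMPLE_LOG = """\
date,time_in,time_out,name,organization,host,badge
2019-05-17,08:55,11:30,A. Example,Acme Shredding,J. Host,V-101
2019-05-17,09:10,,B. Example,Vendor Co,K. Host,V-102
2019-05-17,13:05,13:40,C. Example,,L. Host,V-103
2019-05-20,10:00,10:45,D. Example,Contractor LLC,,V-104
2019-02-01,09:00,09:30,E. Example,Old Visit Inc,M. Host,V-105
"""

# Minimum retention window; 90 days stands in for "at least three months".
RETENTION = timedelta(days=90)

# Fields that must be filled in for an entry to be useful during a review.
REQUIRED = ("name", "organization", "host", "badge", "time_out")


def _stamp(day, hhmm):
    """Combine a YYYY-MM-DD date string and an HH:MM time string."""
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


def parse_log(text):
    """Parse CSV text into dicts, adding 'in' and 'out' datetime fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["in"] = _stamp(rec["date"], rec["time_in"])
        rec["out"] = _stamp(rec["date"], rec["time_out"]) if rec["time_out"] else None
        rows.append(rec)
    return rows


def onsite_at(rows, when):
    """Sorted names of visitors recorded as onsite at `when`.

    An entry with no sign-out is treated as still onsite: the log gives no
    evidence that the visitor ever left.
    """
    return sorted(
        r["name"]
        for r in rows
        if r["in"] <= when and (r["out"] is None or r["out"] >= when)
    )


def incomplete_entries(rows):
    """(badge, missing_field) pairs for entries with a blank required field."""
    problems = []
    for r in rows:
        for field in REQUIRED:
            if not r[field].strip():
                problems.append((r["badge"], field))
    return problems


def older_than_retention(rows, today):
    """Badges of entries whose visit date is past the minimum retention window.

    These entries have *met* the retention requirement; whether to keep them
    longer is a policy decision, not something this script decides.
    """
    cutoff = today - RETENTION
    return sorted(r["badge"] for r in rows if r["in"].date() < cutoff)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("Onsite at 2019-05-17 12:00:", onsite_at(log, datetime(2019, 5, 17, 12, 0)))
    print("Incomplete entries:", incomplete_entries(log))
    print("Past retention window as of 2019-05-21:",
          older_than_retention(log, date(2019, 5, 21)))
```

Run against the constructed log, the script reports B. Example as still onsite at noon on May 17th because that entry was never signed out, flags three entries that could not support a review (missing sign-out, organization, and host respectively), and lists the February entry as the only one past the retention window. The same structure applies to a badge-system export: the point is that the review questions become mechanical once arrival, departure, host, and organization are actually captured.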
For questions regarding visitor management procedures at your organization or to request sample visitor log files, please reach out to us.
Some additional guidance from the Security Advisor Team below:
[Burt]: So you hear about social engineering in theory all the time, but often don’t realize how possible an attack on visitor management is until you actually hear a real-life example. On a recent site visit, I ran across a school that experienced an incident first hand and shared the story with me (note: this was not an exceptionally large institution either, so it can happen ANYWHERE). In this particular case, the event involved one of the storage bins used for a destruction service (e.g., to destroy confidential data). An individual “not from the destruction service” showed up claiming the need to empty the bin. There was not a procedure in place that mandated confirming the person was from the legitimate service. As a result, the individual not only was able to take the bin, but someone from the department actually helped them wheel it out. The lesson was learned after the fact and now the institution is on track. But this gives you an idea of how individuals with malicious intent have plenty of time on their hands, and targets are not always places you may think of as prime candidates.