The other day, WIRED posted an article titled "How a Hacker's Mom Broke Into a Prison—and the Warden's Computer." John Strand of Black Hills Information Security sent his non-hacker mother into a prison posing as a health inspector. Not only did she gain access to computer systems on several of the prison's networks, she even got the warden to compromise his own computer by opening a malicious document. It reads like the screenplay for an Ocean's Eleven reboot.
If physical access makes it that easy to get into all of a prison's critical systems and the data they hold, it raises the question: what does the Payment Card Industry Data Security Standard (PCI DSS) say about physical access to cardholder data? Enter PCI DSS Requirements 9 and 10:
Requirement 9: Restrict physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secure to prevent the unauthorized access or removal of data.
Requirement 10: Track and monitor all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities that are critical to prevent, detect or minimize impact of data compromises.
Clearly, PCI DSS addresses physical access: every physical access point to cardholder data must be restricted and monitored. The same holds in a prison, where physical access to the prisoners (the cardholder data) and to the systems controlling them is restricted and monitored, because an escape could wreak havoc on society (or on people's bank accounts).
But wait, you say, the analogy breaks down here: according to the article, a hacker's mom was all over the prison's computer network precisely because she had access to the physical environment, so clearly there were no effective controls in place to prevent it. Here is the rub: the company was hired by the prison to test its physical security, to point out which controls were outdated and how they could be improved. The prison asked to be broken into.
Surely the PCI DSS has something comparable? Perhaps you have heard of Requirement 11?
Requirement 11: Regularly test security systems and processes. New vulnerabilities are continuously discovered. Systems, processes and software need to be tested frequently to uncover vulnerabilities that could be used by malicious individuals.
But does anybody apply the principles of Requirement 11 to Requirements 9 and 10? We think they should. How can you certify that physical access to your cardholder data has been properly secured if you have not tested it the same way you test the network? In this day and age, why would an attacker bother exploiting a system remotely to get at cardholder data when their mother can simply walk in and steal it? We know adversaries, whether it's your worst enemy or their mother, and whether they come in over the network or through your front door. Reach out and ask us now!