Once you’re inside of a building, the security posture of an organization is dramatically decreased. In this video, you’ll learn how the bad guys can get into your secure building without being noticed.
<< Previous Video: Dumpster DivingNext: Impersonation >>
If your organization requires people to walk into the building and be badged in as they’re walking through as a security concern then tailgating is something you need to be aware of. With tailgating, we’re using someone else to get access to a building.
Obviously, if I’m not part of your organization I don’t have a badge. It won’t allow me access in the door. So I need to find somebody to open that door for me and to allow me in.
And the guys who are coming in with this tailgating methodology aren’t doing it as an accident. They want to get into your building. And this is one of the easiest ways to get in and make sure that they can go undetected through your security.
In the book, No Tech Hacking, Johnny Long gave a very good explanation of how you can use tailgating to get into a building, and all you really have to do is plan just a little bit. What he did was get the same clothing that a third party telecommunications company would use to get into the building. He even created a special badge that looked just like a badge from a third party telecommunications company.
And then he came in and showed up and made sure he had a legitimate reason to be there. If you are a company that has telephones then obviously, a telecommunications company makes sense. You would be in the building checking the phones, checking the wiring, that type of thing. He also temporarily took up smoking. He’s not a smoker, but he realized that people are always coming in and out of the smoking area of a building. So if he can sit out there when nobody else was there and show up, he looks legitimate.
He looks like he should be there. It looks like he just walked out of the building to take a smoke. And all you have to do is now wait for somebody to let you back into the building as they are now returning from their smoke break.
I personally prefer bringing doughnuts. Instead of smoking cigarettes, I’ll show up with boxes of doughnuts.
My hands are full. Please let me in the door. I’ll try to catch people just as they’re coming in in the morning and who wouldn’t let a guy walk in with a box full of doughnuts. Maybe that’s just me.
Now what you’re inside, of course, very little people can do to stop you. There are no more badges internally. And if there are, there are very few badges on a floor or part of a floor of a building. Most of the security with this is going to stop right at the border.
You can’t badge people going from door to door inside of an organization or certainly, not from cube to cube inside of an organization. So at some point, you can have access to either a large or a certain size area of information. And that’s going to be very, very valuable. If you’re already dressed the part, you’ve already got access, now you can walk wherever you’d like.
To stop this type of tailgating activity, there needs to be some very specific security based around this. There needs to be very, very big penalties for somebody who’s going to let somebody in the building without a badge that hasn’t signed in or that is not escorted. You should be able to look at any one and see their badge and make sure they either have an internal badge for the company or they have a visitor badge for the company.
And if they don’t, you should ask them. You should be enabled to do this. This happened in an organization I was with.
I had a visitor badge. I put it on my jacket and I left by jacket at my desk to get a cup of coffee. While I was getting coffee somebody asks, I don’t see a badge. Who are you?
Now granted, I was in the security department. They were certainly keeping an eye out for that, but it should be the same no matter where you happen to be. In fact, it should also be that if you’re walking through the door it should be one scan and one person.
Sometimes this is one where people have to scan, walk through a door, and everybody else has to wait while that next person scans and the next person walks in the door. And if it’s a manual door this could take some time. That should be part of the security policy.
Sometimes you have these mantraps set up. These mantraps are designed so that you badge, then the door will swing and allow you into the building, and you must badge and everybody goes in one at a time or comes out one at a time to be able to get in and out of the building. And you don’t have a choice in that particular case.
Those types of mantraps or air locks are designed to make sure there is no tailgating. It’s very hard for two people to squeeze into that very narrow area. And if you did, it would be very, very obvious that two people were squeezed into that.
So you shouldn’t be afraid to ask. If you see somebody in your organization that doesn’t seem like they should be here or they don’t have your visitor badge or your company badge on them, it’s a great way to make sure that they didn’t tailgate to get inside of your building.
Category: CompTIA Security+ SY0-401