Even if you don’t have a key, it can be very easy to pass through a locked door. In this video, you’ll learn how the bad guys use tailgating and impersonation to gain access to buildings and information that normally wouldn’t be accessible.
<< Previous Video: Phishing Next: Dumpster Diving >>
Tailgating is a technique where somebody uses someone else to gain access to a locked area, restricted area, or perhaps a building. You see this often if somebody badges in that someone walks right behind them without badging in, that is a case of tailgating. A good example of how you could learn how to tailgate is in Johnny Long’s book, No-tech Hacking. He describes dressing very similar to what the local phone company dresses like since those people tend to go in and out of buildings every day. It’s a third party, there’s a legitimate reason for them to be there, and you blend in with everyone else.
Johnny also mentions that you might want to take up smoking. You can sit in the smoking section, wait for people to come out on break and as they’re going back in, you’ve already had a conversation with them. You simply follow them back into the building. Another technique that I like is to bring a large group of donuts. Have a couple of boxes, your arms are full, you can’t badge in, and you have someone hold the door as you’re rushing inside with those delicious donuts.
Once you get inside that first security door, you’ve got a lot of options. Most organizations don’t have a lot of other locks after that point. And once you get into the building, you can now get a lot of access to things that normally would not be available to you. The best way to stop tailgating is to train your users on what policies are acceptable when coming into the building.
There of course, needs to be a policy for visitors, so you should be able to identify anyone. Maybe visitors get a very particular colored badge, and they’re required to wear their badge everywhere they go. You also want to make sure that when someone is scanning in or badging into a door, that it’s one person at a time. Sometimes there is even a mechanical door that restricts access, so that only one person can get through at a time. These mantraps or airlocks are ways to prevent more than one person from coming in or out at a time.
These also remember whether you’re inside of the building or whether you’re outside of the building, so you can’t simply slip your card to someone once you’re inside and have them also come through because the system knows you’re already inside the building. It’s not going to allow you inside twice.
One of the best things you can do is train everybody in your organization to ask questions. I’ve been in organizations before with a visitor badge, I’ve taken my jacket off, left it in the conference room, went to the coffee machine, and I’ve had people stop me and ask me, where is my badge? That’s the best thing you can do to prevent somebody from wandering around inside who really shouldn’t be there.
Impersonation is another method of trying to get inside of an organization. It’s something where you’re pretending to be someone you aren’t. And this doesn’t have to be in person, it could simply be over the phone. People who are very good at impersonation will try to find out as much information as they can about your organization.
They’ll gather information from the dumpster. They’ll find out information on LinkedIn, whatever method they could use to become more familiar with your organization. And then they’ll call and say, hi, I’m Bob from the help desk in Dublin, Ohio. I’m just calling to find out about a ticket that you opened recently. They’re trying to use particular words and people’s names to be able to make you comfortable with communicating with them.
Another common impersonation technique is to call someone and say that you’re from a much higher level within the organization. You’re in the executive vice president’s office, and you’re looking for a very particular piece of information because the executive vice president is going into a meeting right now with the CEO, and I need that information right away. The impersonation techniques can take many different forms, and you have to be ready for anything.
Some people are very intimidated by things they don’t understand. And one of the things you can do is to throw a lot of technical details around, information that would be well above the head of who you’re calling in an attempt to try to get information out of them. And most of the time this technique is one where you want to put people at ease, you want to have a conversation. You want to be their buddy, and the more they like you and know you, the more apt they are to provide you with the information you need.
You want to be very diligent about looking for impersonators. Make sure you’re looking for them all the time. Never volunteer information, you should never be providing anyone with your password, with your credit card number, or with your social security number, and certainly not over the phone to someone you’ve never met before. Don’t disclose anything personal about yourself or the organization. Sometimes they’re using you to gather information that they can use to impersonate to someone else.
One technique that’s always useful is to tell them that you’ll call them back, and you can verify the number, verify who they are, and then try to connect from the other side to help validate who you might be talking to. Ultimately, you can always verify through other means. Whether an email, you can ask for a supervisor or find some other method to set up some level of trust, so that if you do need to provide some very important information, you know exactly who you’re providing it to.