Is tailgating a cyber security concern for your organization? The social engineering attack requires a physical presence from the bad actor to gain access to your facilities. Cyber security isn’t solely relegated to the likes of intrusion prevention on your network. The whole methodology of cyber security works on the potential of an intrusion or attack being launched from every possible avenue.
Any security officer worth their salt is going to recommend different methods of remediating the risk an unwanted presence has in the workplace. There are also numerous methods of prevention, which will be covered over the course of this guide. Of all the cyber attacks, tailgating is one of the more effective ones, as you’ll discover.
What Is Tailgating?
The actual act of tailgating can occur in a few different ways. They almost all operate on a level of misplaced trust from your normal rank-and-file employees in a bad actor. Simply put, a hacker or attacker is using the trust and goodwill of an employee to gain access to a facility. This can be handled through something as mundane as claiming they misplaced their security badge or forgot the security code.
In almost all instances of tailgating, however, there is a social component. The offender has to make contact with someone, or they’re relying upon certain notions of a social contract. You’ll also see common tactics like posing as service personnel, such as someone dressed as a worker from the local electric, gas, or other utility company.
How Does It Work?
Tailgating works by allowing an offender to enter the facility with apparent permission, as it were. Your employee might be thinking they’re doing a good deed for the day, helping a fellow worker get inside to start their shift.
Really, what it comes down to is a failure of training. Now, that isn’t to say your employee is a risk, but this is a risk posed to any organization that lacks crucial training. Almost all tailgating attacks are the result of a flaw or hole in the overall security posture of an organization.
Once inside, the bad actor has free rein. They could realistically log into any computer, gain access to the server room, or reach any other potential resource.
Why Is It a Risk?
Imagine having an unauthorized person in your home, with free rein of everything. That’s the same sort of risk a tailgating attack poses. There are numerous methods for starting a full-blown attack that just require a physical presence to get things going.
One of the biggest risks associated with this sort of attack comes down to something referred to as the CIA triad in cyber security and data assurance. The triad is something you’ll see come up time and time again with cyber security methodologies.
To put it succinctly, the confidentiality, integrity, and accessibility of your resources can be compromised. This is an especially big risk if you work in certain industries where security compliance is required, as this can place you in violation of any regulations.
Further, compromised data integrity leads to many dire consequences. A client could download a file that compromises their own network or computer. Subsequently, a ransomware attack could be initiated against something like customer records, medical files, or any number of sensitive pieces of data.
An attack conducted by someone already inside the building doesn’t face the same sort of safeguards and methods of prevention you’ll see with external intrusions through a network.
Methods of Prevention
Thankfully, there are a few ways to mitigate tailgating attacks. Some of these should take more precedence than others, especially given how damaging a tailgating attack can be.
The first and most vital of any remediation steps taken towards this sort of attack is always going to be training. Understandably, you’ll often hear this brought up time and time again regarding any sort of intrusion or attack. This is for a very good reason.
You can put all the stop gaps and controls in place you want, but your organization is only as strong as the people working there. A workforce needs to be educated and capable of discerning when they should seek out assistance to avoid a potential hazard or attack.
Unfortunately, it is often within people’s good nature to let a fellow employee in, but you want to make sure the workforce understands that entry procedures are to be followed to the full letter of the policy.
An educated workforce should heavily cut down on potential attacks. While it does take time away from actual work, there is something to be said for a prepared workforce. However, don’t treat this as a one-off event; training needs to happen regularly.
Mantraps are a physical control and one of the few sure-fire ways to prevent tailgating. While you may be familiar with turnstiles, mantraps are a bit different in concept. A mantrap is a room with two doors and a method of authenticating the user.
The first door opens, the person enters, and then the first door has to close. After some form of authentication has been given, the second door may open. Otherwise, there is a very real chance a trespasser or attacker is going to be stuck waiting for release. In some instances, this gives security personnel enough time to alert law enforcement to an intruder.
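The interlock sequence just described can be modelled as a small state machine: the outer door must be confirmed closed before any authentication is accepted, a successful badge read unlocks only the inner door, and a failed read leaves both doors locked until security releases the room. The following Python is an added illustration written for this guide, not code from the article or from any access-control vendor; the badge table and the `Mantrap` class are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class State(Enum):
    IDLE = auto()        # both doors closed and locked, room empty
    ENTRY_OPEN = auto()  # outer door unlocked, one person entering
    HOLDING = auto()     # both doors locked, waiting for authentication
    EXIT_OPEN = auto()   # authenticated: inner door unlocked
    DETAINED = auto()    # authentication failed: locked in until security releases


# Constructed sample badge register (hypothetical ids, not real credentials)
AUTHORIZED_BADGES = {"B-1001": "alice", "B-1002": "bob"}


@dataclass
class Mantrap:
    state: State = State.IDLE
    alerts: list = field(default_factory=list)    # messages for the security desk
    admitted: list = field(default_factory=list)  # audit trail of who got through

    def request_entry(self) -> bool:
        # Only one person at a time: the room must be empty and both doors shut.
        if self.state != State.IDLE:
            return False
        self.state = State.ENTRY_OPEN
        return True

    def outer_door_closed(self) -> bool:
        # The door sensor reporting "closed" is what moves us to HOLDING.
        if self.state != State.ENTRY_OPEN:
            return False
        self.state = State.HOLDING
        return True

    def authenticate(self, badge_id: str) -> bool:
        # Badge reads are ignored while the outer door is still open, so a second
        # person cannot slip through on the first person's credentials.
        if self.state != State.HOLDING:
            return False
        user = AUTHORIZED_BADGES.get(badge_id)
        if user is None:
            self.state = State.DETAINED
            self.alerts.append(f"unknown badge {badge_id}: occupant held, notify security")
            return False
        self.state = State.EXIT_OPEN
        self.admitted.append(user)
        return True

    def inner_door_closed(self) -> bool:
        # Person has left the room into the secure area; reset for the next cycle.
        if self.state != State.EXIT_OPEN:
            return False
        self.state = State.IDLE
        return True

    def security_release(self) -> bool:
        # Only a guard action clears a DETAINED state (back out through the outer door).
        if self.state != State.DETAINED:
            return False
        self.state = State.IDLE
        return True


def run_scenarios() -> dict:
    """Walk one valid entry and one failed entry; returns the observable results."""
    ok = Mantrap()
    ok.request_entry()
    early_read = ok.authenticate("B-1001")   # rejected: outer door still open
    ok.outer_door_closed()
    admitted = ok.authenticate("B-1001")
    ok.inner_door_closed()

    bad = Mantrap()
    bad.request_entry()
    bad.outer_door_closed()
    bad.authenticate("B-9999")               # unknown badge -> DETAINED
    blocked_next = bad.request_entry()       # nobody else can enter meanwhile
    return {
        "early_read": early_read, "admitted": admitted, "ok_final": ok.state,
        "bad_state": bad.state, "blocked_next": blocked_next, "alerts": bad.alerts,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the `HOLDING` state is the one the text makes: the credential is only honoured after the first door is physically closed, which is what separates a mantrap from an ordinary badge reader on a single door.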
Mantraps are an effective means of control and one you see widely employed in tech-driven industries. If your company handles any sort of sensitive data, the larger players in your industry are likely employing mantraps and other similar controls to curtail potential intrusions.
Further Security Measures
It isn’t enough just to educate and install controls. You need to account for every single eventuality. While exercising the principle of least privilege is important, you have to keep in mind there are other networked devices present. VoIP phones and similar devices have no means of controlling access on their own.
As such, you’ll want to use things like whitelists for the MAC addresses of every device on a given floor. It isn’t enough to restrict access through just biometric or smart card authentication, you’ll have to make sure every piece of equipment is locked down.
Beyond that, apply the principle of least privilege to every account and workstation. It isn’t uncommon for janitorial staff to have their own computer stations to record work done; however, these can also act as a key point of entry.
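A per-floor MAC allowlist like the one suggested above is only useful if someone actually reconciles it against what the switches see. The following Python is an added example written for this guide, not code from the article: it parses a constructed switch MAC-address-table export, normalises the three common MAC notations, and reports two kinds of finding that matter for a walk-in intruder: a MAC nobody registered, and a registered device showing up on a different wall port than the one it was assigned. The allowlist, port names and table lines are all constructed samples.

```python
import re

# Constructed allowlist for one floor: normalised MAC -> (description, expected port)
FLOOR3_ALLOWLIST = {
    "00:11:22:33:44:55": ("VoIP phone, desk 3-12", "Gi1/0/5"),
    "00:11:22:33:44:56": ("printer, 3rd floor copy room", "Gi1/0/6"),
    "aa:bb:cc:dd:ee:01": ("workstation, desk 3-14", "Gi1/0/7"),
    "aa:bb:cc:dd:ee:02": ("janitorial log station", "Gi1/0/20"),
}

# Constructed sample export in the shape "VLAN  MAC  TYPE  PORT" (not real switch output)
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
30      0011.2233.4455    DYNAMIC     Gi1/0/5
30      0011.2233.4456    DYNAMIC     Gi1/0/6
30      aabb.ccdd.ee01    DYNAMIC     Gi1/0/7
30      aabb.ccdd.ee02    DYNAMIC     Gi1/0/9
30      de:ad:be:ef:00:01 DYNAMIC     Gi1/0/11
"""


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 00:11:22:33:44:55; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list:
    """Return (mac, port, vlan) tuples, skipping the header and any malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        vlan, mac, _kind, port = parts[:4]
        try:
            entries.append((normalize_mac(mac), port, vlan))
        except ValueError:
            continue  # header row or garbage: ignore rather than abort the sweep
    return entries


def audit_floor(entries: list, allowlist: dict) -> list:
    """Compare observed devices with the allowlist and return a list of findings."""
    findings = []
    for mac, port, vlan in entries:
        if mac not in allowlist:
            findings.append(("UNKNOWN_DEVICE", mac, port, vlan))
            continue
        desc, expected_port = allowlist[mac]
        if port != expected_port:
            # A registered device on the wrong jack: moved, or something posing as it.
            findings.append(("UNEXPECTED_PORT", mac, port, f"{desc} expected on {expected_port}"))
    return findings


def run_audit() -> list:
    return audit_floor(parse_mac_table(SAMPLE_MAC_TABLE), FLOOR3_ALLOWLIST)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding)
```

Treat this as a detective control that feeds a ticket to whoever owns the floor, not as a gate: a MAC allowlist on its own is a weak barrier, so pair it with switch port security or 802.1X and, for the "unexpected port" case, a physical check of the jack in question.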
Is Tailgating the Same as Piggybacking?
Piggybacking is a similar sort of attack to tailgating. However, there are some notable differences and distinctions to be made when looking at both attacks.
For starters, both piggybacking and tailgating are social engineering attacks. Piggybacking requires a physical presence at the intended point of attack, just as you’ll see with tailgating. It also relies on a degree of trust to be placed on the attacker.
Again, this is identical in concept to tailgating. There are certain social norms and expectations given regarding courtesy towards co-workers, contractors, and whoever else might be present. The aim for both attacks is identical in concept. Infrastructure is particularly vulnerable when considering on-site attacks, even when accounting for the principle of least privilege.
One of the biggest differences between these two attacks comes down to the point of contact. Piggybacking supposes that an attacker isn’t really making any sort of deliberate contact or conversation with anyone present. They might be disguised as a custodial worker or someone employed by any number of utilities.
Tailgating operates under similar ideas. However, the attacker might ask a worker at your facility if they can help them enter due to losing a key card. It can be something banal and relatively benign on the surface that opens the gates to further harm to your business’s network.
Is Tailgating a Concern in Modern Cyber Security?
Is tailgating a cyber security concern? Yes, very much so. Any attack on an organization poses a threat, but few are as invasive and potentially damaging as one started on-site. You’ll want to implement the right sort of controls and do your best to prevent damage.
The image featured at the top of this post is ©BeeBright/Shutterstock.com.