Itβs human nature to want to hold the door open for the person behind you.
Weβre taught that doing so is courteous and considerate. But what if those traits were being used against us by a malicious actor to gain access to an off-limits area?
Tailgating is a low-tech way to gain access to a restricted area. While it may appear easy to prevent in theory, actually doing so may prove more difficult than expected.
Letβs dive into this social engineering attack by learning about what it is, the psychology behind it that makes it so effective, and of course, how to prevent tailgating attacks.
By the end of this article, you may think twice the next time someone asks you to hold the door.
What Is Tailgating?
As cyber security professionals tasked with protecting digital information, itβs easy to think that our fight is exclusively taking place online.
Tailgaiting attacks are a very real reminder that the fight to protect digital information is a fight that takes place on various battlefields.
A tailgating attack is when someone physically enters an area they are not authorized to enter. The most common way we see this play out is when entering a building behind someone who is authorized to enter. In this way, the malicious actor piggybacks off the access the person in front of them has.
However, this isnβt the only way tailgating works. Attackers may also impersonate employees, pretend to have forgotten access, use social pressure, and other psychological tactics to gain entry to an area they arenβt authorized to access.
The motives for a tailgating attack may vary, but what is certain is that the attacker ultimately wants to gain access to a restricted area so they can cause harm. That may come in the form of accessing sensitive information, destroying machines, or causing general disruption.
Risks of Tailgating Attacks
In the same way you donβt want an attacker having gained unauthorized access to your network, you donβt want them gaining access to your physical building either.
If an attacker is willing to put their physical body at risk to achieve their goal you can assume they have the technical expertise to harm your company. Once inside your building they can steal crucial information, encrypt your systems, install malicious software on your computer, or redirect traffic with the use of a Wi-Fi Pineapple.
However, attackers donβt even need to have high-tech solutions to do damage. They can simply walk into a building, physically steal machines or valuable documents, and walk out - no technical skills required.
Tailgating attacks have a high potential for destruction. This is because most of the physical security of a building takes place at the perimeter. Once an attacker gets past the initial defense of cameras, security officers, or the key card turnstiles, there is little chance their identity will be compromised at a later time.
Why Tailgating Works
Tailgating works by preying on human psychology.
Attackers that use tailgating to gain access understand which psychological buttons to press to get what they want.
Letβs break down the most common social engineering techniques these smooth operators use when tailgating.
Impersonation
Itβs difficult to deny someone access to a building when theyβre impersonating someone who does or should have access.
If the EMT arrives saying they have an emergency and need access immediately to help a patient in need, who are you to ask questions? You feel obligated to let this person in as quickly as possible.
Or maybe itβs someone who is dressed like an employee. Maybe theyβre wearing company attire, have a badge, or simply look like they belong.
Or maybe itβs just someone with a ladder who claims to have been called to fix one issue or another.
Sympathy
Humans are brilliantly complex.
We can use critical thinking to solve intricate problems, use thousands of noise variations to communicate, and have an unparalleled ability to empathize and show compassion for others.
But what makes us unique can also be turned against us.
Attacks know that if you see a pregnant woman clearly struggling to walk, youβre going to do everything in your power to assist her. That means youβll open doors, expedite her trip by bypassing security, and make considerations that you wouldnβt for someone else.
Pregnant women arenβt the only ones that receive this treatment.
Weβre inclined to help anyone who is visibly struggling. That includes people who are:
- Carrying heavy objects
- Handicapped
- Using crutches
- Crying or emotional
Itβs difficult even for those trained in security to question someoneβs identity or motives when they are visibly struggling. From a young age we are taught to help others during their time of need. And even if weβre not willing to console a crying person, we figure that the least we can do is hold the door open for them.
Timing
Criminals donβt need to concoct some crazy scheme to piggyback off the personβs access in front of them.
Sometimes, itβs as easy as walking into a building during a security change or slipping past security when their head is turned.
Or maybe they simply wait until a large group of people are going to the same place at the same time, then integrate into this group.
Good timing might be the only key an attacker needs to penetrate physical security.
Distraction
Itβs difficult to challenge someone once they have built up a rapport.
Maybe youβre heading to work only to be befriended by someone who claims to be a new employee. They ask you questions about your work, the building layout, and share how excited they are to start.
When you two get to the front door you are required to use your keycard to access the building. Company policy states that you arenβt allowed to hold the door open for someone and that everyone entering the building must use their own unique keycard to gain access. But youβre too busy chatting up your new friend to adhere to the rules. That or, maybe you think it would be too awkward to damage this fledgling relationship by asking them to use their own keycard to access the building.
Or perhaps someone tailing you claims that theyβre late for a meeting and that they left their keycard at the restaurant they just ate at. You, being the good person you are, decides to let them in.
While you may congratulate yourself for your good deed, in reality, you have just been duped.
Tailgating is an extremely effective tactic because it turns our most compassionate tendencies against us. Attackers know humans want to be helpful under the right circumstances. They have studied their targets, crafted careful plans, and know how to execute them.
To defend against this social engineering attack, youβll have to equip yourself with the right controls and knowledge.
Tailgating Prevention
There is no perfect way to prevent tailgating.
When it comes to preventing intruders, itβs best to use a defense-in-depth strategy that denies access to undesirables without slowing down access for employees.
How to prevent tailgating attacks can best be done by employing a mix of security controls.
Physical Controls
Physical controls are the first line of defense against attackers.
Some common physical controls include:
But physical controls arenβt alone enough to stop attackers.
Technical Controls
Technical controls are when hardware and software are employed to shore up security.
Physical and technical controls can work in tandem to create a safer workplace.
Technical controls that can be used to prevent tailgating include:
- RFID badges
- Biometrics
- Security codes
Internal Security
Quite often, we will see companies with a robust physical perimeter. They will use a combination of physical and technical controls to prevent access to those without authorization.
This means once an attacker has cracked that first line of security they are free to move around the building as they please. The best way how to prevent tailgating attacks means implementing additional layers of security.
This can be done by:
- Requiring a keycard to access different floors
- Locking doors
- Creating a comprehensive monitoring system
Security Awareness Training
The first line of defense is you.
Even if you donβt work in cyber security or are a security guard, itβs often you who is making the mistake of letting an attacker into the building.
Attackers tailgate off of everyday employees.
Perhaps the best way to prevent such an attack is to teach everyday employees what they can do to prevent both physical and cyber-attacks. Even everyday employees know not to click on a suspicious email, but when it comes to letting an unauthorized person into the building, many are all too willing to let them in.
Security awareness training would address such an attack and provide all employees with tactics to prevent these. It would also clearly indicate security protocols to carry out.
One of these protocols might be that no employee is allowed to key someone else into the building. Refusing to do so could create a conflict, so a script may be provided to de-escalate the situation thus making it more likely that employees adhere to company policy.
Surveillance Monitoring
A robust cyber security posture requires organizations to implement log monitoring technology such as a SIEM. The desire to monitor what is happening within a company should extend to physical monitoring as well.
Information must be collected regarding who is currently in the building as well as creating a comprehensive surveillance network that is constantly being monitored.
CCTV cameras can be used to monitor the goings on within a building. Security guards must be trained to use the cameras and respond to suspicious events.
No single approach can put an end to tailgating. Even the best strategy will have vulnerabilities. Consolidate security by using a multi-step approach.
Conclusion
Tailgating is a social engineering attack where an attacker attempts to gain access to a physical location they arenβt authorized to access.
A successful attack may result in a companyβs sensitive information being compromised. Attackers may choose to steal, alter, or make information and machines inaccessible.
To prevent such an attack, companies can use a combination of physical, technical, and administrative controls. These controls can be paired with internal security as well as security awareness programs to harden a companyβs security posture.