“Frank Abagnale”, does the name ring a bell? If you are a movie buff, you won’t have missed “Catch Me If You Can”. The story of this conman is one of the most popular and fascinating accounts of tailgating, among many other crimes.
Abagnale enters restricted areas where he has no authorization simply by walking in as if he belongs there.
Eventually, he was convicted of theft, auto larceny, forgery, and fraud. His shenanigans resulted in losses to many businesses and financial institutions.
In this article, we will discuss what tailgating is, how to prevent tailgating attacks, the different techniques used, and real-life examples.
Have you ever heard of the term “social engineering”? It is a popular technique used by cybercriminals to manipulate individuals into providing sensitive information or physical access.
The information is then used to gain access to a company’s portal or bank account. The intent is always malicious. Verizon’s 2021 Data Breach Investigations Report says that 85% of breaches involved the human element, and 35% of them were social engineering incidents.
If you’re wondering “tailgating is an example of what type of attack”, well, it’s one of the many social engineering techniques available.
Also called piggybacking, tailgating is when an attacker gains access to a restricted area without proper authorization. It is a case of a ‘physical’ attack. Tailgating is possible in many ways.
The cybercriminal can follow someone into the building after they have used their credentials to enter. Or they can pretend to be someone else and enter right after someone with access does.
One of the simplest ways to reduce instances of tailgating is to verify each individual before they are given access. Tailgating attacks are executed after a lot of planning, so organizations should be on their best game too.
Both terms denote following an authorized user into a restricted area. The only difference between these two terms is the authorized employee’s awareness of the attempt to intrude.
In a piggybacking attack, the attackers gain access by deceiving the authorized person and the victim is aware of being followed, whereas in a tailgating attempt, the authorized person may not be aware of someone tagging along behind them.
It is worth noting that these two terms are used interchangeably in multiple instances.
Businesses that have a large employee base, a high turnover rate, and those that rely on external vendors for a lot of tasks are at risk of tailgating phishing attacks. Even universities and campuses that don’t verify the identity of everyone who enters risk tailgating attacks.
Busy offices where employees keep hopping from one task to another are also a good place for cybercriminals to tailgate. Such places will suffer from data breaches, phishing, malware-enabled attacks, etc., that can easily result in millions of dollars of losses.
Direct tailgating attempts might not be successful in all environments. Many organizations will have biometrics-based systems, badge systems, and other types of security before entry is allowed.
The best way to prevent tailgating attacks is to stop them in their tracks by addressing the root cause itself. What’s that?
Lack of security awareness among employees and disdain for following protocols stringently.
Let us look at how organizations can prevent tailgating attacks.
Most employees are not aware of tailgating attacks because they don’t know what they look like. Define tailgate for them, tell them what it entails, and convince them that they have a huge responsibility to reduce the occurrences of such attacks.
Training programs and simulated attacks are excellent ways to create awareness about how social engineering attacks happen in the real world.
There are even dedicated platforms that send convincing phishing emails to employees to check their level of preparedness. It will keep employees aware of any suspicious activity in the workplace.
The same level of awareness should translate to physical attacks like tailgating.
When there are multiple ways to enter office buildings and different restricted areas, monitoring them can be difficult. This is where advanced video surveillance techniques use artificial intelligence and video analytics to increase the effectiveness of real-time security measures.
Such video surveillance systems assess who enters the building and compare the video footage with the facial scans of employees and contractors. Since video surveillance works in real-time, it can quickly send alerts about the presence of an intruder.
Even where smart cards are used to restrict entry, there are instances of tailgating attacks. It shows that physical security measures are not up to the mark.
Have a reception area that has dedicated security personnel whose job is to verify the identity of anyone who is trying to enter. This will act as an extra layer of physical access security.
Another technique is to allow entry to only one person at a time. Provide badges for all employees who have authorized access; it becomes easy to identify people visually.
While it is appreciated that many businesses focus on digital security practices, it would be unwise to neglect physical security. It can lead to tailgating attacks that can be disastrous for the organization.
Have a physical access security training program where you discuss physical security attacks and how to spot such instances. There are dedicated security awareness training programs that will help train employees.
Laser sensors are helpful in detecting more than one person walking through at a single time. If someone tries to tailgate, the security personnel will be alerted. For work environments where there is a huge influx of employees walking in and out, laser sensors are a boon.
Employing turnstiles is also an effective entrance control method, as it allows only one person through at a time, and only after visitors present their entrance credentials.
Employees should always be told to be vigilant. If there is any suspicious behavior exhibited by someone on the office premises, ensure that they are trained to report it to the security team. While they might find it intimidating to enquire about someone else’s credentials, they can always ask the security team to do so.
Employees should be given handouts that describe the physical access security protocols that must be followed.
The only way to reduce social engineering attacks is to make the employees aware of how common they are and to take note of such instances. And while you are at it, you should also look out for an insider threat.
In the case of a digital tailgating attack, check where the message was sent from. If you feel there is something off with an email, even though it looks as if it is from a credible source, you may be right. Look for SPF, DKIM, and DMARC records in the original source of the email.
Look for other clues to see if you are experiencing a social engineering attack.
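The header check described above can be scripted. The following is an added example, not code from the original article: it reads the Authentication-Results header from a message’s original source and reports the SPF, DKIM and DMARC results. The sample messages, the mx.example.net server name and the rule that any result other than "pass" marks the message as suspicious are assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Domains are reserved examples.
RAW_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=billing@example.org;
 dkim=none; dmarc=fail header.from=example.org
From: "IT Helpdesk" <helpdesk@example.org>
Subject: Password expiry

Please sign in to keep your account active.
"""
RAW_CLEAN = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: "IT Helpdesk" <helpdesk@example.org>
Subject: Maintenance window

Scheduled maintenance on Saturday.
"""
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.IGNORECASE)


def auth_results(raw, trusted_authserv):
    """Collect SPF/DKIM/DMARC results stamped by our own receiving server."""
    found = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    msg = message_from_string(raw)
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())       # unfold continuation lines
        server = value.split(";", 1)[0].split()     # authserv-id [version]
        if not server or server[0].lower() != trusted_authserv.lower():
            continue  # the sender can add this header too; ignore foreign ones
        for method, result in RESULT_RE.findall(value):
            if found[method.lower()] == "missing":  # keep first result per method
                found[method.lower()] = result.lower()
    return found


def verdict(raw, trusted_authserv):
    """Assumed strict rule: flag the message unless all three checks passed."""
    results = auth_results(raw, trusted_authserv)
    failed = sorted(m for m, r in results.items() if r != "pass")
    _, sender = parseaddr(message_from_string(raw).get("From", ""))
    return {"from": sender, "results": results, "failed": failed,
            "suspicious": bool(failed)}


if __name__ == "__main__":
    for raw in (RAW_SPOOFED, RAW_CLEAN):
        print(verdict(raw, "mx.example.net"))
```

Only results written by your own mail server are counted, because a sender can insert an Authentication-Results header of their own that claims everything passed.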
Just like email addresses, links are easy to hide too. If you are unsure where a URL is sending you, do not click on it. Also, do not download attachments sent by strangers.
You could very well be the victim of HTML smuggling. Email attachments that appear to be Word or Excel files are the last thing you should click on.
Ensure that only authorized personnel can enter your building or specific areas by installing a managed or hosted access control system. Such a managed system will set different security clearances for individuals to restrict entry and track access.
The visitors who will temporarily gain access to the building for a few hours should also receive badges, but they must look different from the ones that employees are given.
It is important to distinguish between employees and visitors so that they don’t have access to all areas.
Security is not a one-person job. It is a collective effort and requires everyone to contribute. One of the smartest ways to deal with the problem of tailgating is to build a culture of security in the organization.
There should be open discussions about the kind of risks that such attacks entail and how everyone doing their bit will eradicate most of the issues.
Colin Greenless, a Siemens Enterprise Communications security consultant, used tailgating tactics to access multiple floors, including the data room at an FTSE-listed financial institution.
He managed to set up an office in the third-floor meeting room and even worked there for many days. We are sure that this act by Greenless would have made a lot of organizations check and curb tailgating attacks.
Here’s another popular tailgating example that happened in 2019. Yujing Zhang, a Chinese woman, was found guilty of trespassing at the then US President Donald Trump’s Mar-a-Lago club in Florida.
She was arrested carrying two Chinese passports, a computer, and four mobile phones, among other devices. “She lied to everybody to get on that property”, said Assistant US Attorney Roland Garcia.
You can start a conversation with an employee and get into the building just by walking with them.
Let us look at some of the most common tailgating attack examples used by cybercriminals.
The attacker pretends to be a delivery agent to gain access. If the security personnel are not strict, they will gain entry to a restricted area and wreak havoc.
The attacker may pretend to be an employee who misplaced their access ID. It depends on how well the security agent is trained so that no one using that pretense gets access without further verification.
Shoulder surfing is a technique used by criminals to steal personal information, including PIN codes or access numbers.
Unauthorized people can listen in on important information being uttered or observe keystrokes being entered on a device.
This method does not require any technical expertise; all that is required is attentive monitoring of the victims’ surroundings and the typing pattern.
The cyber attacker could say that they have an appointment with Kylie from Operations regarding a job. If they say it quite convincingly, the security guard might allow them access, and that’s a tragedy.
By bringing multiple items with them, potential tailgaters ask for the help of the security personnel or an employee to allow them as their hands are too full. As a gesture of courtesy, most people automatically do it.
Asking for someone’s credentials in such a scenario might be construed as rude, but an organization that is wary of social engineering attacks shouldn’t bother about such niceties.
If the security isn’t stringent, one of the easiest ways to gain access to a building is to walk behind an employee.
Holding the door open for someone else is basic courtesy, and people’s personalities don’t change in the workplace, do they? If the employees are educated about the issues that tailgating attacks cause, then there may be a different reaction.
The cybercriminal might ask to borrow a laptop or mobile device on some pretext. They can install malicious software or copy the credentials to gain access to it later.
Tailgating attacks exploit the naivety of humans to trick employees into giving access to physical buildings or digital environments where they are not allowed.
People are usually trusting and willing to help others. Tailgating attacks can compromise the data security of organizations and result in losses.
It is in the organization’s best interests to invest in awareness programs and technologies that not only help stop tailgating attacks but also provide $100,000 in breach-related insurance claims. Sounds exciting? Learn more about it.