
Page 153

Tailgating/Piggybacking

Tailgating (also known as piggybacking) occurs when an unauthorized person follows an authorized person into a building after the authorized person unlocks and opens the door. Policy should forbid employees from allowing tailgating, and security awareness efforts should describe this risk.

Attackers attempting to tailgate often combine the technique with social engineering, such as carrying large boxes, to increase the chances that an authorized user will “help out” by holding the door open.

Learn by Example

A Successful Tailgating Attack

Johnny Long describes a successful tailgating attack during a physical penetration test in his book No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (ISBN: 978-1-59749-215-7, Syngress) [49]. The target site had multiple defense-in-depth controls, including magnetic swipe cards, and armed guards posted internally as well as on roving patrols outside. His goal: gain access to a restricted internal area.

Johnny created a telephone company badge with an inkjet printer, carried a toolbox with telephone logos, and dressed the part in work boots, jeans, and a T-shirt. He saw an area where smokers congregated near a side entrance. Approaching them directly from the outside would have drawn unnecessary attention, so he waited for all of the smokers to leave and then quickly took up position outside the door, cigarette in hand. As other smokers came outside to smoke, he engaged in small talk and referenced his (fictional) job onsite.

As the smokers finished their break, one authenticated and opened the side door. Johnny held it open as the workers entered, and they thanked him for his politeness. Johnny followed them right in, no questions asked.

Mantraps and Turnstiles

A mantrap is a preventive physical control with two doors. The first door must close and lock before the second door may be opened. Each door typically requires a separate form of authentication to open; a common combination is PIN (Personal Identification Number) and biometrics. The intruder is trapped between the doors after entering the mantrap.

Turnstiles are designed to prevent tailgating by enforcing a “one person per authentication” rule, just as they do in subway systems. Secure data centers often use floor-to-ceiling turnstiles with interlocking blades to prevent an attacker from going over or under the turnstile. Secure revolving doors perform the same function.

Both mantraps and turnstiles must be designed to allow safe egress in case of emergency. No system should require authentication for egress during emergencies.
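The interlock and "one person per authentication" rules above, together with fail-safe emergency egress, can be expressed as a small controller state machine. The following is an added example written for this page, not code from the book or from any real access-control product; the door and sensor events, the `Mantrap` and `Turnstile` classes, and the two-factor combination (PIN at the outer door, biometric at the inner door) are all constructed to illustrate the text.

```python
"""Constructed model of mantrap and turnstile access-control logic.

Shows three properties described in the text: the inner door never releases
until the outer door has closed and locked, a failed second factor leaves the
occupant held between the doors, and a turnstile grants exactly one passage per
authentication. An emergency releases egress without any authentication.
"""
from enum import Enum, auto


class State(Enum):
    IDLE = auto()          # both doors closed and locked
    OUTER_OPEN = auto()    # outer door released after the first factor
    IN_VESTIBULE = auto()  # outer door closed and relocked; occupant waits
    INNER_OPEN = auto()    # inner door released after the second factor
    EMERGENCY = auto()     # life-safety release: egress needs no credential


class Mantrap:
    """Two-door interlock with a separate factor at each door (hypothetical)."""

    def __init__(self):
        self.state = State.IDLE
        self.outer_locked = True
        self.inner_locked = True

    def outer_auth(self, pin_ok: bool) -> bool:
        """First factor (PIN) at the outer door; only accepted when idle."""
        if self.state is not State.IDLE or not pin_ok:
            return False
        self.outer_locked = False
        self.state = State.OUTER_OPEN
        return True

    def outer_closed(self) -> None:
        """Door-position sensor reports the outer door shut: relock it."""
        if self.state is State.OUTER_OPEN:
            self.outer_locked = True
            self.state = State.IN_VESTIBULE

    def inner_auth(self, biometric_ok: bool) -> bool:
        """Second factor (biometric) at the inner door. Fails closed while the
        outer door is open, so two people cannot hold both doors at once, and
        fails closed on a bad factor, leaving the occupant trapped."""
        if self.state is not State.IN_VESTIBULE or not self.outer_locked:
            return False
        if not biometric_ok:
            return False                   # state stays IN_VESTIBULE
        self.inner_locked = False
        self.state = State.INNER_OPEN
        return True

    def inner_closed(self) -> None:
        """Inner door shut: relock and return to idle for the next person."""
        if self.state is State.INNER_OPEN:
            self.inner_locked = True
            self.state = State.IDLE

    def fire_alarm(self) -> None:
        """Fail-safe egress: release the locks without any authentication."""
        self.state = State.EMERGENCY
        self.outer_locked = False
        self.inner_locked = False


class Turnstile:
    """Grants one passage per credential; an extra body sets off an alarm."""

    def __init__(self):
        self.pending = 0   # authentications not yet consumed by a passage
        self.passages = 0
        self.alarms = 0

    def authenticate(self, badge_ok: bool) -> bool:
        if not badge_ok or self.pending:   # a second swipe never banks a passage
            return False
        self.pending = 1
        return True

    def passage_sensed(self) -> bool:
        """Blade or beam sensor fires once per body passing through."""
        if self.pending:
            self.pending = 0
            self.passages += 1
            return True
        self.alarms += 1                   # passage without credential: tailgate
        return False


def demo() -> dict:
    """Walk the controller through the scenarios in the text (constructed)."""
    results = {}
    m = Mantrap()
    m.outer_auth(pin_ok=True)
    results["inner_while_outer_open"] = m.inner_auth(biometric_ok=True)
    m.outer_closed()
    results["inner_after_outer_locked"] = m.inner_auth(biometric_ok=True)
    m.inner_closed()
    intruder = Mantrap()                   # valid PIN, fails the biometric
    intruder.outer_auth(pin_ok=True)
    intruder.outer_closed()
    intruder.inner_auth(biometric_ok=False)
    results["trapped_can_reopen_outer"] = intruder.outer_auth(pin_ok=True)
    intruder.fire_alarm()
    results["egress_locked_in_emergency"] = intruder.inner_locked
    t = Turnstile()
    t.authenticate(badge_ok=True)
    t.passage_sensed()                     # badge holder
    t.passage_sensed()                     # follower with no badge
    results["turnstile_alarms"] = t.alarms
    return results
```

The `demo()` walk-through returns a dictionary of decisions: the inner door is denied while the outer door is open and granted once it has relocked, an occupant who fails the second factor cannot reopen the outer door and so stays held in the vestibule, the fire alarm clears every lock, and the turnstile records one alarm for the follower.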