In this blog, the topic of Tailgating comes under our information security microscope. This method of social engineering is easily overlooked in the cyber security world, yet it carries the same potentially fatal consequences as other common attacks such as phishing, spear phishing, whaling, baiting and watering holes. All of them involve psychological manipulation to make victims take actions that criminals can then use against them.
1. What is Tailgating?
Continuing our theme of social engineering attacks, we come to the next mischievous member of the malicious criminal family: Tailgating, also known as piggybacking.
This widely used and popular method of social engineering is a physical rather than virtual attack: an unauthorised person gains access to the normally restricted areas of an organisation or a building with a view to committing a physical or cyber crime, causing a data breach and stealing confidential information, equipment and personal belongings. Tailgating is a typical security problem faced daily by organisations around the world.
2. Tailgating Techniques
Tailgating can begin with the kindest and most helpful of actions. An unwitting and helpful employee may open a door for someone carrying a large number of files, someone without a company badge, or a uniformed courier or supplier, without a second glance and without asking for their credentials, the reason for their visit or who they are there to see. This ‘someone’ who looks unthreatening and not out of place can in fact turn out to be someone who is not supposed to be there at all, and who is very threatening to the organisation: its security has now been breached and it is in serious danger of an attack, either physically through robbery or, in a cyber security scenario, by planting fraudulent USB drives in the hope that an innocent passer-by picks one up and plugs it into their computer. This is something we explored in greater detail in our recent blog about baiting. Tailgating can be accidental, for example by carelessly leaving a door open, or forceful, as the perpetrator may simply follow an authorised employee through security or pressure them into letting them through.
An example of this can be seen in the riveting Polish cyber thriller on Netflix, The Hater. In this gripping thriller with several social media and social engineering themes, the protagonist is able to gain access to a political organisation and install various data monitoring devices to steal sensitive information.
As with other methods of social engineering, criminals will wait patiently to target particular high-ranking individuals of an organisation and take their badges or lanyards to use in their intended tailgating attack. Take the scenario of top executives leaving their workplace to go out to lunch at their usual, most frequented restaurant or ‘watering hole’: the criminal will have planned in advance, picked up on certain behaviours and be lurking in the wings to steal the required badges and access cards. In another form of psychological manipulation, the criminal may seek to befriend employees during a coffee break and, over the course of a few weeks, gain their trust and confidence so that they can eventually gain access to the secured areas, betraying that very same trust and confidence.
Such a simple form of social engineering attack can make a mockery of an organisation’s expensive, high-end electronic and software-based entry systems and regulations, and it affects all enterprises whatever their size.
3. Tailgating Psychology
Tailgating is another form of psychological manipulation, as it is carried out with a view to making the victim take a specific action the criminal wants them to take in order to execute a fraudulent, malicious act that can lead to a data breach causing untold damage both financially and reputationally. Like a phishing attack, including spear phishing or whaling, it is an information security confidence trick designed to fool people with authorisation into allowing those who have no authorisation to gain access to restricted areas and information.
4. Tailgating: who is most at risk?
The types of organisation most at risk are those with large numbers of employees, high staff turnover and many subcontractors brought in for specific tasks, and those in education such as higher education colleges and universities. Campuses are very high-risk, as students rush from lecture to lecture without thinking twice about doors being left open or about anyone following them who may not be authorised to enter restricted areas. This type of scenario is repeated constantly in everyday working environments, where employees are always on the move going to meetings, running off to take that urgent call and rushing to meet pressing deadlines that have to be met without fail. This in turn leads to ripe pickings for the criminal, who is able to exploit these security failings easily, which can lead to data breaches and other types of phishing and ransomware attacks costing millions and causing damage to reputations that can take years to recover from, if at all.
5. Information Security Awareness Techniques to Prevent Tailgating
Many organisations today are more preoccupied with defending themselves against anticipated and advanced attacks. But at the same time, they are prone to the most basic lapses in security such as Tailgating. Of course, those responsible for company security such as the CISO are quite right to spend time dealing with the most pressing, immediate cyber security issues and vulnerabilities in the attack surface, but in doing so they can forget the elementary basics of information security, which include the physical as well as the virtual.
Techniques to mitigate social engineering attacks, including Tailgating, include some very basic measures that will help improve your cyber security awareness posture. These include:
- Log off your computer and any other devices whenever you are away for any period of time, whether going to get a coffee or going to a meeting or lunch break. USB sticks and SD memory cards are included in this information security tip: secure anything that you feel could be used against you, your colleagues and your company to access confidential information and data. For further protection, inform and consult your security administrator on best cyber security practice, check what you are using and follow company guidelines.
- Do not assume that someone who looks authorised is authorised. If anyone raises your suspicions, approach them and ask to see their credentials, who they are there to see and whether they have authorised access to be in that area. It is better to ask and take precautions than to presume they are who you think they are. If you are afraid to ask, inform your company’s security team immediately.
- Be aware of what is going on behind you when you are entering restricted areas, especially those holding highly confidential or classified information. Someone posing as a courier or IT contractor will try to sneak in behind you as you pass through an entry system and so bypass security measures. That friendly face with loads of files wanting to follow you may be carrying a different kind of file: malware ready to infect your company’s networks and systems and cause a potentially lethal data breach.
- Establish a comprehensive company security protocol that covers all aspects of security both physical and virtual. Then ensure that it is made a mandatory part of your organisation’s training for present employees and onboarding for future ones. This will ensure that company data will be more adequately safeguarded and protected against future cyber threats.
- Introduce and encourage cyber security awareness training for your colleagues, such as Keepnet’s Awareness Educator, which provides cutting-edge, tailored training for you and your colleagues. This can be used in conjunction with their anti-phishing training module, Phishing Simulator, which you can direct colleagues to so they can improve their cyber awareness with phishing simulations and so decrease the probability of phishing and ransomware attacks successfully breaching your defences. Take a look at the Email Threat Simulator, which allows you to proactively test your cyber security posture and take the necessary action before becoming the victim of an actual attack.