Physical Penetration Test Examples: Tailgating

The first, and by far the most common, way to break into a building is through tailgating. Tailgating can take many different forms, but in its most basic form it involves having an authorized user open the door for an unauthorized user to enter. You may be thinking, “My employees wouldn’t just blindly open a door for someone they don’t know.” Well, you would be surprised, because there are very few cases where tailgating has not worked, mostly because it is usually more sophisticated than just standing outside asking for someone to open the door. Here are a few physical penetration test examples involving tailgating that may give you some insight into how it is possible.

  1. After scouting for a while, the attack team will find out which door employees use most often, what their typical attire is, and whether they hold the door for other employees walking in. Then the attack team will make their move. Dressed up like an average employee, carrying a box in one hand and pretending to be on the phone in the other, the attack team will make their way to the target door at a high-traffic time, such as lunch. Then, when an employee is leaving, the attacker will either walk right in or ask them to hold the door, all while pretending to be on the phone. This tactic has been used on multiple engagements, and very rarely results in questions or suspicion.

  2. Another form of tailgating can be conducted without the employee ever knowing they opened the door for the attacker. As part of their recon, the attack team will time the doors in the building, measuring how long it takes them to swing closed. If that time is long enough, they can hide in a concealed location, listen for the door to open, and grab the door before it closes.

  3. The third way to tailgate is to focus on vendors. A common way in is to wait for the cleaning crew to come by in the evening. Do they prop the door open? Will they let someone in if asked? After-hours attempts are often overlooked by organizational security teams and can lead to full access to the facility unchallenged.

How to Protect Against Tailgating

The best way to protect against tailgating is to train your employees to prevent someone from tailgating them, including making sure the door closes behind them. Equally important is encouraging employees to challenge anyone who is not wearing a proper employee badge. Make sure your employee badges are easily recognizable and that all employees wear them visibly at all times. Another way for smaller corporations to prevent tailgating is to require all employees to use the main entrance and have a receptionist guard the workspace. Finally, use monitored video surveillance if you’ve got the resources as another line of defense.