Security Tailgating (aka Piggybacking) Security, Resiliency & Technology (SRT) Integration Forum Editors: Cisco, Deon Chatterton Carnegie Mellon Silicon Valley, Jeannie Stamberger IntraPoint, Edward Erickson Northland Controls, Paul Thomas Northland Controls, Pierre Trapanese Tulane University, Eric Corzine Contributing Organizations and Individuals: AlliedBarton Security Services, Guy Hassfield American Red Cross, Barb Larkin American Red Cross, Joseph White BAE Systems, Jeffrey Dodson BAE Systems, Karen Duprey Carnegie Mellon Silicon Valley, Jeannie Stamberger Cisco, Deon Chatterton Genentech, Don Wilborn IntraPoint, Edward Erickson John Deere, Jeff Chisholm John Deere, Tim Nestor Johnson & Johnson, Brian DeFelice Northland Controls, Paul Thomas Northland Controls, Pierre Trapanese Tulane University, Ky Luu Tulane University, Charles McMahon UTC, Ewa Pigna About: This report is the first of the STRI forum generated from discussions at AlliedBarton headquarters in Pennsylvania. p. 1 Table of Contents Executive Summary…………………………………………………………………………………………………………………………….3 Introduction………………………………………………………………………………………………………………………………………..3 Problem Statement…………………………………………………………………………………………………………………………….4 Costs of Tailgating……………………………………………………………………………………………………………………………….4 Best Practices – Hardware Solutions…………………………………………………………………………………………………..5 Best Practices – Social Engineering…………………………………………………………………………………………………….7 Badging Compliance Social Engineering…………………………………………………………………………………7 Implementation Considerations……………………………………………………………………………………………10 Standards……………………………………………………………………………………………………………………………..10 Case Study: A solution to the hard problem……………………………………………………………………………………..11 How to sell reduction of tailgating to the executive suite?...................................................................15 Conclusions………………………………………………………………………………………………………………………………………15 p. 2 Executive Summary Common courtesy and the holy grail of corporate security “Access control, access control, access control” clash head-to-head in the common corporate security problem of tailgating. Tailgating occurs when an authorized individual permits others to follow behind without showing or registering proper authorization and gain access to a secure area. Tailgating is a function of both the attitude of the individual and the corporate culture towards adherence to security measures. The impacts and costs of tailgating affect both the business and personnel including; theft of equipment and intellectual property; workplace violence; loss of business because of perception of lax security; lax compliance with other security measures; safety; and, increased costs due to lack of knowledge of true real estate utilization This article will discuss issues and best practices in tailgating deterrence and prevention (hardware and social engineering) for a range of situations, and identify key issues that impact the efficacy of these prevention measures. Introduction Access control is the single most important component of the physical security and man guarding role in corporate security. Access control is the management of the flow of people to areas for which they are authorized. Access control measures must accommodate not only those familiar with the security culture, employees, but also others not familiar with the security culture; such as, contractors, visitors, the public, and occasionally the simply lost. Access control is a primary responsibility of company security and is illustrated by the comment of a senior director of global security which posited that if security knows with certainty that everyone present in the company’s facilities belongs there it has performed 99% of its job. The concept behind access control is that if we specifically determine in advance who is permitted access to certain areas and then control that access, we will have deterred improper activity from occurring, or in the case that improper activity does occur, we will be able to respond effectively. Good access control speeds resolution of an incident by allowing security personnel to rapidly focus on those who had access to the area, or anomalies in access to an area. Unfortunately, good access controls are very hard to achieve in an environment intended to be inviting to employees and customers, and also collaborative and productive. A corruption of access controls can take the form of tailgating, in which the second person takes advantage of the first person’s entry without necessarily the complicit involvement of the first person. Another form is piggybacking, in which the first person intentionally allows the second person to enter. This article treats them both as a corruption of access control and the term tailgating will encompass both definitions. This article will describe best practices in tailgating deterrents. The article will also describe tailgating as it relates to corporate security and real estate costs, discuss physical hardware and social engineering solutions (including best practices and failures around badging and non-badging compliance), and issues around implementing solutions. The article will finish up with a case study based on implementing physical solutions in a difficult scenario (a welcoming, aesthetically pleasing, high-throughput lobby), and lessons on how to make the ROI case for reducing tailgating to the executive suite. p. 3 Problem Statement Common courtesy dictates holding doors open for one another. In an access controlled environment, however, this behavior is called tailgating and allows entrants to circumvent ‘badging’ by not presenting authentication for entry. As soon as this occurs, access control measures such as badge systems have been circumvented. Tailgating is surprisingly common in cooperative workplaces and has been observed at rates of 40-60% of all entrants to a building. One might argue that many of those who “piggybacked in” (or “tailgated in”) have the appropriate credentials to allow them entry into the space. However, once badging systems have been circumvented, it is impossible to ascertain who is authorized and who is not. This is a very big problem for an organization and does not come without costs. Costs of Tailgating There are tangible and intangible costs to tailgating. There is value in knowing who is in sensitive areas at all times. The tangible costs of tailgating include: theft of equipment (e.g., laptops); theft of sensitive hardware (e.g., proprietary hardware, prototypes); loss of intellectual property (e.g., software code); workplace violence (e.g., entry of person committing violence at work); physical attacks to network equipment. While lack of access control is an obvious security problem with resulting tangible damages that are easily attributable, there are also intangible aspects of tailgating. The intangible aspect of such breaches can be described as “the canary in the coalmine”. Sites experiencing problems with non-compliance with basic security measures such as tailgating also tend to have other issues (e.g., management issues, bad behavior, harassment, and others). The presence of tailgating raises the question, “Are there any other undesirable behaviors that are occurring, is tailgating the only problem?” An environment can be created slowly over time in which there is a greater level of acceptance for poor management behavior, harassment, ethical short-cuts, etc. Tailgating may be a symptom of a larger problem that there is an attitude that security is not important and creates obstacles and slows employees in doing their jobs. If employees adopt this attitude and don’t comply with security measures, there is greater potential for a security breach. This tailgating behavior can even affect customer relations and the loss of business. Customers form opinions on observations and if a company is perceived as having weak security it may be judged to be deficient in other areas or not worth the risk. Another intangible cost is the loss of productivity due to an incident occurring. Loss of productivity in the event of a significant breach, such as workplace violence or sabotage, is obvious. However, small incidents such as a single laptop theft can result in significant privacy issues, proprietary information loss, and marketplace confidence issues. The resulting damage control diverts valuable resources to dealing with a problem that may have been avoided. Even smaller incidents such as the theft of a wallet or purse results in a feeling of personal insecurity and violation that becomes the subject of extensive discussion and mistrust p. 4 within a group or department, and the question of why the organization is not doing more to protect individuals. In addition to the direct costs of theft, loss of productivity and market credibility, there are opportunity costs to the organization with respect to real-estate space savings and optimization. In an environment of greater virtual operations and more fluid “globalized staff” using whatever space is available wherever they may happen to be, it is important to know who is where, when they are there, and for how long. The costs of tailgating definitely depend on the business model and product. For some organizations, the primary risk is entry of non-employees. For other organizations, there is also the potential loss of proprietary hardware, personal or intellectual property and/or risk to personal safety. While these risks are real, it is difficult to assess the potential costs of tailgating and the standard assessment tools either don’t exist or require such extensive customization that they are not useful. Best Practices - Hardware Solutions A range of solutions to tailgating are presented in Table 1, which focuses on hardware, and Table 2, which focuses on social engineering. Generally, hardware has a wide range of throughput, aesthetics, costs, and efficacy. Multiple hardware solutions can be used together to get a layered security effect. Considerations for selecting a hardware solution are discussed in greater detail in “Implementation Considerations” and the case study. Social engineering approaches in Table 2 are discussed further in the next section. p. 5 Table 1. Hardware Solutions Name Throughput Success Aesthetics Cost Aesthetically pleasing and commonly used in main lobbies and high-rise buildings. Medium to High Effective Good $15,000 per lane Very effective in combination with other measures. Compartmentalized entry door. The best only allows one person per compartment. Allows people to hold a door open for others, but requires them to swipe a badge. Low to Medium Very Effective Average High Very Effective Good $15,000 $45,000 $1,000 Essentially a revolving door with a cage with teethed bars. A badge is swiped over a card reader for entry. Low Very Effective Low $10,000 Medium Least Effective Average $3,500 $5,500 Very effective in public buildings. Very effective in combination with card reader, locks, video, and social engineering Generally used in industrial and outside locations. Can be effective in combination with other measures, such as social engineering. Uses video analytics to determine entry access by individuals. High Low 40-85%; 15% Failure Rate High $1,500 Retinal or Iris Scan Device that scans retina for entry. Low Very Effective High $5,000 Man Traps Allows only one person at a time into a vestibule. Half or full height doors (e.g., closures with 6’ high smoked doors) allows 1 person at a time, scissoring rapidly shut after a person enters. Low Very Effective Alarm Rate Average Low $15,000 $25,000 $15,000 per lane Electronic Turnstiles Revolving Doors Photo Beam Detection People Eater Card Reader with Electrified Hardware Intelligent Video Scissor Doors Description Medium Average Experiences When working very well still has 15% failure rate, and should be used in combination with other measures. Very effective in combination with other measures. Commonly used in high security areas. Used in high security areas and data centers Alarm is triggered if someone is dragging something (e.g., suitcase); the sensitivity is usually too high and requires tuning. p. 6 Best Practices - Social Engineering Tailgating is primarily a behavioral problem, and physical security hardware is not the only method to influence or stop the behavior. There are also ‘soft-power’ options such as social engineering, where non-physical security incentives can successfully alter behavior and increase compliance. Below follows a discussion over compliance with badge wearing at all times and social engineering options to increase badge usage. Badging Compliance Social Engineering In order to influence greater badge compliance it is necessary to understand the reasons that influence an individual’s reason not to wear a badge, such as the following: Cultural backlash to badging can occur; for example, the security measures may generate the perception that big brother is watching. The badge as fashion statement can also create a problem in getting people to wear badges above the waist. When badges are not worn at all times this can compromise security efforts. There are examples of individuals using their badge to get into a building, but then storing the badge in a desk, where it is subsequently stolen and used to steal equipment from secure areas. There can also be confusion created when employees with different levels of security clearances occupy the same geographic area in a building; without badges worn within the facility it is difficult to maintain security. A company must ensure compliance by clearly documenting its policies and procedures on badge wearing policy. Employees will then be aware of what is expected and management is supported when they are required to take action against non-compliance. A documented policy should include that all employees must wear badges at all times, report stolen badges, and have temporary badges issued in the event of missing or stolen badges. To influence badge wearing behavior, success has been had by requiring multiple uses of the badges; hourly workers need the badges to clock in and out, to attend a class, to obtain a meal or work gloves in a factory, and to gain printer access in a corporate setting. In some organizations the use of the badge may need to be negotiated with a union; due to union concerns about using badges to clock in on assembly lines because of concern the data will be used to monitor individual performance. Another important consideration in changing behavior is the physical placement of badge reading equipment. Many times the readers are placed on the wall on the hinge side of the door. While that works fine for the first person that reads their badge, while the door is open, it becomes very difficult for subsequent people to read their badge even if they don’t want to piggyback. Placing the reader in a location where it is easily accessible no matter the position of the door can make it easier to change social behavior. Another example of reader placement is one adopted by several Silicon Valley companies. The main entrance reader is placed on a pedestal a few feet in front of the door. Casual p. 7 observations indicated more individuals ensured their badges were read at the pedestal, even when arriving at the reader in groups. The following table (Table 2) lists some methods to promote the badge wearing behavior within an organization. p. 8 Table 2. Social Engineering Solutions Name Description Success Cost Require employees to show badges or take disciplinary action, including termination. This may also include upper management. Long Term High Awareness Campaigns Publicity campaigns to stress the importance of badging. Short Term Low Often have positive short term benefits but need to be repeated to maintain effectiveness. Ask for Badges Ask employees to see badge. Short Term Very Low When asked, responses ranged from polite to indignant. Many employees do not feel comfortable asking for badges. Positive Reinforcement/Recognition Employees are rewarded when they spot attempts to piggyback. Medium Term Low to Medium Active Technological Barrier/Alert (i.e. Audible Announcement) Employees are inconvenienced or embarrassed by the use of strobes or horns to deter tailgating. Long Term High Mandatory Compliance Experiences A highly valued employee was fired due to refusal to show badge. Upper management must set example. While it can have a positive effect on the company’s image, it doesn’t scale well. Costly, but effective for deterrence and behavioral change. Difficult for buildings with multiple entry points. p. 9 Implementation Considerations The common experience of SRT Forum members is that the most effective tailgating deterrent is singleperson revolving doors, which physically restrict access to a single user at a time upon presentation of a valid credential. However, the deployment of single-person revolving doors at all corporate access points is untenable; issues of culture, aesthetics, accountability, and climate affect the solution that can be implemented. Single-person revolving doors are highly restrictive in throughput and would not be appropriate in almost all main lobby environments. They are expensive to install and maintain at exterior peripheral doors. They are also not conducive to creating an inviting culture of a collaborative work environment, and certainly not an aesthetically pleasing one. The hardest and most difficult two problems to solve is a corporate environment that places high value on an aesthetic welcoming environment and has high throughput, and one in which the culture resists physical security measures. There are solutions available that are more open, have greater throughput, and are more aesthetically pleasing. Such solutions include several layers of access controls prior to reaching a restricted space (concentric circles approach), high-speed electronic turnstiles (with and without physical barriers), photo-beam detectors, intelligent video, biometrics, guard presence / identity validation during high traffic hours, or a combination of such measures. See Table 1 for a range of hardware solutions to tailgating rated for success, aesthetics, costs, throughput, and experiences with the equipment. See below for a discussion of factors influencing choice of physical security measures. Buildings and Building Function – Businesses with periods of high flow through, such as factories, require solutions that don’t delay traffic flow; like a mantrap would. The implementation of physical security measures are further complicated with the repurposing of real estate, and leased buildings; owner approval is required and changes will need to be negotiated. Many commercial buildings are like a sieve, and many thefts occur in commercial buildings. Many companies also have large campuses with many different buildings, some with better compliance than others. There are also campuses which house multiple companies that act independently but report to the same parent company. Laws - Privacy issues, and different data retention laws by country (e.g., Italian privacy law prohibits the use of cameras on warehouse doors). Many try to have a standard, but one which is open to country laws. Social political issues can be different depending on country of origin; the US thinks the Middle East is high risk, but locals use a different risk filter. This difference of perspective also applies to the regulatory environment (e.g., working with animals). Accountability - A general security plan is relatively easy to implement when there is a single site with a single site executive. Difficulties arise with a campus where there is no single site director responsible, or there is a campus housing different companies with boards of directors that all report to a single parent company. p. 10 Climate- It is also necessary to work within your climate. A very windy environment can require revolving doors to keep them shut because it is windy and others don’t stay closed. This allows them culturally to retrofit buildings with more secure revolving doors. Aesthetics – See the case study for a layered solution in an aesthetically pleasing lobby of a major firm using audible alarms with secondary full stop barriers. Emergency Evacuation - A well-executed access control system can provide useful information in accounting for employees in an emergency evacuation (muster situation). Standards All of the considerations described above lead us to the question of company security standards do they exist? How are they implemented? These standards may vary; standards may be lower than a landlord’s and higher than standards in other parts of the world. Generally global standards are sometimes too low. When acquiring companies around the world, often the biggest problem is not knowing what their security is. Many times sites need to be assessed on a case-by-case basis in a fairly informal manner coordinating with the site executive, if there is one. The local tenant has a high impact on adopted standards; some sites have higher security, simply because the site executive is risk adverse. A company working on classified information also has to comply with external security standards; however, sometimes these standards are inadequate. Another consideration is collaborative projects in which a customer may require different levels of security. Case Study: A solution to the hard problem A Silicon Valley company known for innovation, flexibility and creativity has a culture intended to foster openness and collaboration. The implementation of strict anti-tailgating measures is a concern. There is a fear such measures are not only physically ugly and restrictive, but also create an atmosphere of mistrust as “big brother” is brought in to control and monitor all of your actions. Unfortunately, the company is a target for retribution from disenfranchised users who have broken the rules. A small explosive was detonated at one of its campuses. In addition, high levels of electronic commercial activity create requirements around banking and privacy regulations. Greater security is required to provide compliance with banking and privacy regulations, safety for employees, security for customers and employees with regards to their transactions, identity and privacy, and to reassure market credibility in the continuity of services. The company has over 100 locations. However, a primary campus of 6 buildings housing over 1,000 employees was chosen to deploy strict anti-tailgating measures. The measures selected were to consider company culture, aesthetics, convenience, throughput, cost, and robustness. With as many as 6 p. 11 lobbies, and another 12 perimeter points of “convenience” access, such considerations necessitated a very mixed approach to the problem. There was not much of an appetite for a bunch of “ugly” security devices at the perimeter doors. And, as one can imagine, placing a bunch of ugly security devices in a showcase main lobby was certainly not an option. Thus, the problem was broken into two primary components, lobbies and perimeter access points; both of which required solutions appropriate to the physical space as well as to the corporate intentions. For the 3-story glass main lobby, sufficient measures were already in place. Nonetheless, a combination of existing measures was reinforced with a revolving door for after-hours use: I. Main Lobby - business hours: Two layers of physical security technology are reinforced with officer oversight and intervention. Free access to the main lobby area. Lobby desk staffed with security officers trained in greeting guests and checking them in with a visitor badge using an electronic visitor management system. All others with a valid badge would pass through electronic turnstiles (no physical barriers for high through-put rates). During “rush hours”, lobby staff would be reinforced with security officers monitoring the free flow of individuals through the turnstiles. o Officers are trained to politely challenge anyone setting off the turnstile alarm, and request individual to exit and re-enter. o “Social engineering” occurs after a number of people are asked to re-enter or witness someone being asked to do so. Thereafter, “alarms” become the exception easily handled by officers. After dispersing from lobby area, an additional layer of card access is required to enter specific employee work areas. Lobby desk and Security Operations Center (SOC) are provided with a button to disable card readers at doors leading to interior areas in case of an alarm or an event. II. Main Lobby - after hours: Third layer of physical security technology is activated, and reinforced with SOC oversight and roaming patrol intervention. Perimeter lobby doors are electronically locked. Aesthetically pleasing (and expensive) physical revolving glass doors are activated. Valid ID badge is required, and the turnstile permits only one person per authenticated badge through. It automatically reverses direction if it senses a second person in the “leaf”. Once through the revolving door, an individual must also pass through the turnstiles and the interior doors. Note the turnstiles provide no physical deterrent, but should a person pass through without a valid badge, an alarm is generated with automated video call up at the SOC. Note: for the Americans with Disabilities Act (ADA), one of the main entrance doors is equipped with automatic openers and a card reader. Only disabled persons’ badges have been provided with credentials to activate this door after hours. Whenever such a badge is presented after p. 12 hours, the SOC is automatically alerted so that officers may provide assistance if needed, and to ensure tailgating is not occurring. Perimeter doors – 24/7: Perimeter doors are much more difficult to manage and stop tailgating. Even in a corporate culture where all employees freely wear and display their ID Badges, common courtesy often dictates that one opens and holds the door open for their colleagues, and visitors. This courtesy is so in ingrained in us, that it is very difficult to overcome it in the moment, and to rudely close the door on someone. A description of an iterative process to address tailgating at perimeter doors is provided here, along with the solution selected in this case: The first consideration usually seems to be to use the perimeter doors for emergency exit only, and to not give the general population access to those doors; allowing only security personnel or emergency teams access to perimeter doors. This would force all staff to enter the building through the lobby entrances. o This was rejected as being inconvenient to the staff, creating a bottle neck at lobbies, and resulting in wasted time. Revolving doors were rejected as being too slow for the needed throughput, and expensive to install. Mantraps. Even if one were to overcome code issues, “Mantraps” were rejected as they would be operationally unworkable. Mantraps generally allow one person to be in the vestibule at a time, with one door locking behind prior to the door unlocking in front. This is further complicated by two-way traffic in a high-volume environment. Prevent access on a detected exception, requires all entrants to a perimeter door to present their badge, but allows for the door to remain open during the reads. In other words, the “system” would not “reset” each time the door closed to authorize the next entrant, but it would need to “track” that only one person per valid read were permitted in regardless of whether the perimeter door closed fully or was even politely held open for the next authorized person. This would require, an interior perimeter, which is already present. o Everyone would need to present their badge. o All badge “reads” would be tracked. o Each person passing through the perimeter must have had a valid read. o If an invalid read is registered, or more than one person per valid read is detected, access through the interior perimeter door would be disabled for all users in the vestibule. o Social engineering would be employed to reinforce proper usage of the system. Devices employed: Inconvenience of having interior door disabled, and needing to exit perimeter door and start again. Strobe light indicating to all users someone has not entered properly. Audible alarm to mildly annoy users during the security breach. p. 13 o o Video image transmitted to manager upon multiple breaches by the same user. Option 1 Pilot Test using Video Analytics (“Intelligent Video”): As cameras are already viewing all entry points, a pilot test employing analytics is attempted. The concept would be to integrate valid badge reads with the video scene. If the system reads one badge, but the camera sees two people come through the door, the system would automatically disable the interior perimeter door. Such exceptions would include: More than one person per valid read. No badge read, but someone is detected entering when someone is exiting the door. Invalid Entry upon Exit. Camera / Video Issues to ensure high success rate. Needed to switch to a low resolution camera in order to process more information faster to perform the analytics in a timely manner. Imagine 10 people with valid badge reads walking quickly through the door. Need to switch flooring cover to create greater contrast for the camera to better distinguish between persons entering and exiting. Need to add glazing to window to prevent glare, to enable camera to perform better. The pilot is conducted with an officer present to explain / guide users. Analytics success rate after changing technical and environmental conditions (cameras, carpets, and glazing) went from 65% to 85%. Unfortunately, 85% success is a 15% failure rate. With a thousand people moving through the perimeters in an hour’s time in the morning, this translates to 150 people being “locked” up per day. Unacceptable. Option 2 Pilot Test using photo beam detectors. Photo beam detectors were suggested prior to analytics, however, a desire (by the integrator and not the client in this case…go figure) to test and prepare for the adoption of the latest technologies (analytics), argued for testing analytics first. Upon an insufficient success rate in analytics, photo beams were attempted. Older generation photo beam detectors were neither sufficiently sophisticated to accurately delineate between people entering nor able to easily integrate with the access control system. However, improvements in detection and programming of photo beam detectors enable the Option 1 scenario of one valid read, one person detected to work with close to 100% success rate. The system was tested and found highly successful in detecting tailgating as well as entry upon exit. Furthermore, with officers standing by at initial deployment combined with the nuisance of a disabled reader, local audible and strobe light, users adopted the p. 14 system quickly and “false alarms” as well as inconvenience to users dropped to negligible amounts. An online training video was later added for new hire orientation. How to sell reduction of tailgating to the executive suite? Best practices for selling the reduction of tailgating to the executive suite should include an explanation of the diverse set of savings to be gained. In particular, when selling tailgating reduction to a CFO, explain that eliminating tailgating presents a number of opportunities to reduce otherwise inflexible facility costs. In particular, the ability to identify peak facilities by monitoring building occupancy density over time may lead to reduced facilities or real estate costs (e.g., lower air conditioning costs, reduce office space leased when lower density is documented). Reducing tailgating also is a form of risk mitigation and lowers overall company exposure. Conclusions Tailgating is a common corporate security problem with high potential tangible and intangible costs. Solutions for deterring/eliminating tailgating include hardware and social engineering approaches, which differ in cost, throughput, aesthetics, and other factors. Badge-wearing compliance is a particularly challenging issue, and many lessons are provided for increasing compliance. Implementation of solutions must be tailored to the aesthetic and cultural needs of a given scenario; the most challenging being providing access control in a welcoming, high-throughput, aesthetically pleasing lobby. The case study illustrates a real-world solution to this challenging scenario, which ultimately uses a combination of solutions. p. 15