.png)
Access control aims to achieve one goal – to ensure the protection and safety of the people, data, assets and operations located within a facility.
Access control is a vital element of security. It is a system or procedure that confirms an individual’s identity and determines who is allowed to access data, resources and property, and in what circumstances. Used properly, access control can minimize risk, prevent vandalism and protect people and assets.
TYPES OF ACCESS CONTROL
There are two main types of access control: physical and logical.
Physical access control monitors the entrance into, movement within, and departure from facilities to ensure that only authorized people, vehicles, and materials are allowed to enter, move about in, and leave protected areas. No two facilities are the same when it comes to physical access control. It is achieved using security guards, access control points, keycard or badge scanners, turnstiles and pedestrian gates, perimeter barriers and package monitoring.
Logical access control protects digital spaces to verify users’ identity and access. It relies heavily on techniques such as authentication and authorization, which allow organizations to verify that users are who they say they are (through a password, PIN, biometric, etc.) and that they are approved to access what they are trying to. Logical access control prevents malicious activities such as identity theft, financial fraud, theft of data and systems attacks.
IMPLEMENTING ACCESS CONTROL
Access control should be a top consideration when forming or modifying a security plan. The first step is to determine your goals. What issues have you experienced? What concerns need to be resolved? Access control systems are complex, require constant monitoring, and can be challenging to manage without support.
The presence of security guards and keycard access are the most effective forms of access control. Criminals naturally avoid areas where the chances of being caught are high. Well-defined and limited entry points can help as you track the flow of visitors and approved personnel. It also helps visitors easily navigate your property and makes it difficult for unwanted guests to remain unnoticed. If possible, install security cameras to maintain visibility at all times. Perimeter barriers, intrusion-detection devices, and protective lighting are supplemental means to deter unwanted visitors. These provide a great start but alone can leave vulnerabilities.
CENTROL TECHNOLOGY CENTER
At Walden Security, we combine technology and traditional offerings to ensure site coverage, boost cost savings, and ensure operational efficiency for our clients. Technology is not a single service—it’s woven into everything we do to support access control.
We offer 24/7 remote monitoring by trained security personnel in our Central Technology Center (CTC), located in Walden Security’s corporate headquarters in Chattanooga, TN. Our trained security personnel handle entry/exit points, respond to incident and intrusion alerts, patrol target areas with remote guard tours, monitor loading docks and deliveries, and dispatch emergency assistance when appropriate.
In one incident, a CTC operator noticed an individual entering the woods near a remote location. The operator notified the site immediately, who checked for the individual. At that time, the sheriff arrived and requested details about the individual, as the suspect had stolen and wrecked a vehicle. The sheriff proceeded to search for the suspect with their K9. A potentially harmful situation was avoided through the CTC’s monitoring of the remote area near the site.
Learn more about our CTC.
WAYS CRIMINALS BYPASS ACCESS CONTROL
As criminals become more adept and creative in how they bypass access control security, it’s important for companies and employees to stay vigilant and aware of common techniques used to bypass access control. One such technique is elicitation, where skilled elicitors engage in normal conversation to obtain valuable information needed to bypass access control security measures.
WHAT IS ELICITATION
Elicitation is a structured method of communication used to collect information discreetly without raising suspicion. A skilled collector conducts elicitation by engaging in normal professional or social conversation in such a way that the person may never realize they were a target.
At first glance, the conversation (which can be done in person, over the phone or in writing) will appear non-threatening and even simple. Elicitation attempts involve creative, extensive planning and can occur anywhere. They are effective because skilled elicitors use our natural tendencies and predispositions against us. This can include a desire to be polite and helpful, a desire to appear well-informed, a tendency to gossip and/or correct others, and a tendency to believe others are honest and answer truthfully.
ELICITATION EXAMPLES
The FBI outlines some common examples of elicitation attempts:
- Assumed Knowledge: An elicitor pretends to have knowledge or associations in common. “According to the computer guys I used to work with…”
- Oblique Reference or Analogies: An elicitor discusses one topic with hopes it may provide insight into a different topic. A question about the catering of a work party may be an attempt to understand the access outside vendors have to a facility.
- Deliberate False Statements: An elicitor says something wrong in the hopes they will be corrected. “Everybody knows that process won’t work—it’s just a dream project…”
- Quid Pro Quo: An elicitor volunteers information in hopes that the person will reciprocate. “Our company’s sensors are only accurate 80% of the time. Are yours any better?”
DEFLECTING ELICITATION
The most effective way to deflect elicitation is to know what information should be shared and to always be suspicious of people who seek such information. Never reveal information that is personal about you, your family or your colleagues. You can politely discourage and lead the conversation yourself by employing the following tactics:
- Refer the elicitor to public sources.
- Deflect a question with one of your own (“Why do you ask that?”).
- Simply state that you do not know.
- Give a vague and general answer.
- Casually request to take a photo with them.
WHY ELICITATION MATTERS
Successful elicitation attempts require patience and persistence. You may think the information you provide is not valuable on its own, but you may not see the entire picture. The elicitor may be collecting small pieces of information over an extended period of time. The aggregate collection of the details collected can give the elicitor the information needed to bypass access control.
Because elicitation attempts are easy to overlook, it is recommended to report any suspicious conversations with relevant security personnel. Think of the saying, “Better Safe than Sorry.” The risk of not sharing a potential data breach can be devastating.
TAILGATING AND PIGGYBACKING
Elicitation is most commonly used to breach digital barriers via acquiring sensitive information. Physical breaches of access control can be just as detrimental, if not more detrimental. Two such methods of bypassing physical access control are tailgating and piggybacking attacks.
Tailgating and piggybacking attacks occur when an unauthorized individual gains access to a restricted area by sneaking in, requesting assistance or pretending they belong. They are very similar with one distinct difference – consent.
Tailgating is when an unauthorized individual gains access to a restricted area by sneaking in without the knowledge of an authorized individual. For example, if an employee swipes in with their badge at a security turnstile and an unauthorized individual sneaks in behind before the barrier closes. They enter without credentials and without being noticed. Similar to a car tailgating another vehicle on the road, the individual being tailgated has no control or active participation in the scenario.
Piggybacking is the same as tailgating, except that the authorized person is aware of the unauthorized individual gaining access and, therefore, providing consent. It’s important to note, though, that piggybacking does not imply the authorized person is complicit in the criminal intent of the unauthorized person. Many piggybacking attempts feed on our natural human tendencies to not appear rude and to believe others are honest. Such tendencies were exploited with elicitation attempts, as well.
For example, piggybacking can occur when someone, with their hands full and appearing to struggle, asks for help opening the door. Or when a door is opened for a delivery driver or courier who is seemingly only doing their job. A very simple and effective piggybacking attack occurs when someone claims they lost or left their ID card at home and are “late for a meeting.”
Piggybacking can also occur digitally. When a computer is not properly locked, an unauthorized individual can “piggyback” on an authorized user’s session.
WHO ARE MOST SUSCEPTIBLE?
Each company, building, and facility requires different access control security protocols to be successful in deterring breaches. In the same way, each will face tailgating and piggybacking attacks at different rates and in different ways.
Typically, tailgating and piggybacking attacks target mid-sized organizations. A large enough workforce is needed to help the unauthorized individuals blend in. Most employees know each other at smaller organizations, and larger organizations may have more resources to deter the attacks, such as smart badges, biometric scanners, fully staffed reception areas, and dedicated security personnel at each entrance.
STEPS TO PREVENT
One of the most effective ways to prevent tailgating and piggybacking is to train employees. Each employee should know the proper steps to take if they encounter someone attempting to gain access to a restricted area. Where should they take the individual? Does the individual need to sign in at reception or with security?
Contact us today to learn how we can work together to prevent access control bypasses.
Sources: Walden Security Training Academy, McAfee, Kelser, Smarter Security, Microfot, TechTarget, Fortinet, Federal Bureau of Investigation, Defense Counterintelligence and Security Agency