bypass). Most employees walk to the coffee/tea station more times a day than to a network
printer.
• It provides the ability to audit access to those devices.
• It provides the ability to control access to those devices.
• It provides a constant reminder to employees about document security.
• Most importantly, it solves the actual problem.
If you value your printed documents and there are unauthorized individuals who can easily access
your printers, consider treating your network printers/MFPs like you treat your internal web servers or
your LAN switches, not like you treat your coffee stations.
People and Technology: An Analysis for Part 2
Physical access security personnel have often been cut way back in the cost-cutting business climate
that we operate in. In particular, the individuals who monitor incoming traffic to a business, monitor
the doors through which entry can be obtained, and patrol the parking lots are seemingly on the decline.
With access controls being tied into employee identification badges, a new motto is being preached:
“Security is every employee’s responsibility.” These two things have combined to justify the reduction
in physical access security personnel. In our imaginary unethical hacker’s second confession, he uses
physical access to tremendous advantage and goes completely undetected by employees. If
everyone is responsible, how did our unethical hacker succeed?
• It is a common mistake to think that employees at a site of more than one building actually
  know everyone. Many employees only know their team members or former team members
  really well. Members of other teams on other floors of a building or on different floors of the
  same building don’t really know each other well. In other words, it is okay to be
  unrecognized.
• Halloween and Christmas tend to be times when businesses in the United States have a lot of
  festive things going on at work. During these times, employees tend to be more helpful and
  friendlier. Halloween even offers the opportunity to disguise your identity, and you are
  usually encouraged to do so.
• Many employees are not thinking about security when they are walking into work. Instead,
  they are talking with teammates, thinking about a problem they have to solve, or thinking about
  things they need to do. While they may think to check for a badge, they most certainly don’t
  examine it in any great detail.
• Usually, employee identification by other employees is primarily through visual recognition of
  their employee identification (e.g., badge). It is not via the following: “Let’s walk 100 yards
  so you may place your badge on this card access control panel so I may verify that you are
  an employee using the security technology in your badge.” Since employee-to-employee
  identification is primarily visual, many types of employee identification can be faked to
  appear genuine in most situations.
• At many sites, once an employee has crossed a badge control boundary that uses security
  technology (e.g., an employee-only entrance to a building), they no longer use their badge to
  access anything. In short, there is only one technology barrier to overcome.
The problem we are trying to stop is referred to as tailgating. A successful tailgating
operation by an unethical hacker can severely compromise your network and the resources on it.
What our imaginary unethical hacker did was very similar to what law enforcement officials do when
people are suspected of computer-related crimes: they get a warrant and install keystroke loggers.
Our imaginary unethical hacker had to do everything in one day. A helpful employee on a single
day in the year can fully compromise your network.
What we want to do is ask ourselves a question: “What can technology do to help people make
better decisions with regard to security, specifically around tailgating?” The fact of the matter is that