Do I know you?

May 15, 2011 at 12:10 am | Posted in Human Factors in Security | 2 Comments
Tags: , , ,

“What the middle-aged Tory minister said to the young blonde Labour MP in a lift”

The Times 13 May 2011

It’s been a pretty hectic time for me work-wise recently – you may have noticed from the tumbleweed blowing through this blog in recent weeks!  But, after a concerted push to get some deliverables out, I finally found myself working from home today, with a little less pressure than normal.  So, I decided to set myself up for the day with an early morning trip to my favourite coffee shop, for a cappuccino (skinny, of course!) and a chance to read the newspaper in peace.

So it was that I found myself reading in the Times about a minor spat between two Members of Parliament.  In a nutshell, a senior (male) MP challenged a young woman he encountered in a restricted area, on the basis that “”Well, I thought you looked too young to be an MP”.  He challenged her to produce her pass, which she did.  Awkward.  Now, I don’t intend to defend the MP’s possibly boorish manner (after all, it seems he has form when it comes to acerbic remarks).  Equally, it seems at least possible that the younger (newly elected) MP might have been less than cooperative, when challenged.  So all in all, a storm in a tea-cup, but it reminded me of a serious point.

Must we wear photo passes?

Regular readers will know that I work for IBM where, in common with all technology based organisations and many large organisations of all types, it’s mandatory for all staff to have a pass to gain access to and move around the company sites.  These access passes form a key component of physical access control systems and even, in more advanced deployments, provide strong authentication for access to computer systems.  They also generally display a photo of the owner and their name.  The idea is that the most basic element of physical security is for those in a restricted area to be aware of who should be present and who shouldn’t.

In modern organisations, staff often visit their “home” office only infrequently.  Equally, the number of staff in any one location is often very large.  As I wrote in a previous post,  Dunbar’s Number suggests that we have difficulty keeping track of a circle of acquaintances numbering more than (say) 150.  This is, in large part, the reason behind photographic ID.  I’m sure IBM is not alone in insisting that these badges are worn in plain sight by all staff at all times.

They also help in avoiding embarrassing situations like the newspaper story, with which I opened.  “Tailgating” is frowned upon at card operated doors and clearly visible photo ID makes it easier for security staff to detect.  It’s everyone’s responsibility – and should be drummed into new staff through security awareness training –  to be aware of who is in the area and to confirm their right to be there.  We also have to be prepared to challenge anyone not displaying the correct pass, though hopefully showing a little more tact than the Tory MP.



RSS feed for comments on this post. TrackBack URI

  1. Badges are a good start but only as good as the verification process. Most times this is a cursory visual inspection, so a reasonably researched fake badge is often a good way in for a proper pen tester. Best option is normally to pick a service company too, as there’s less chance of getting caught out by chance.

    Of course in the black hat world dressing up as emergency responders and turning up in an ambulance is also an option. It takes very well trained gate staff to refuse entry to an unexpected ambulance with lights and sirens going…

  2. I absolutely agree about the quality of the verification. I don’t think access should ever be granted to a restricted area, purely based on photographic ID. I guess most security-conscious organisations use some form of mag stripe or proximity card in conjunction with their CAS system to get people through the doors/turnstiles. The attraction of photo ID is to make occupants of a restricted area aware of who is around them – and when (in the case of visitors, escorted or not) that means taking additional precautions.

    I love the notion of a fake ambulance – and I bet you know where to get your hands on one, right?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Blog at
Entries and comments feeds.

%d bloggers like this: