Do I know you?
May 15, 2011 at 12:10 am | Posted in Human Factors in Security | 2 Comments
Tags: Dunbar's number, photo ID, physical security, tailgating
“What the middle-aged Tory minister said to the young blonde Labour MP in a lift”
The Times 13 May 2011
It’s been a pretty hectic time for me work-wise recently – you may have noticed from the tumbleweed blowing through this blog in recent weeks! But, after a concerted push to get some deliverables out, I finally found myself working from home today, with a little less pressure than normal. So, I decided to set myself up for the day with an early morning trip to my favourite coffee shop, for a cappuccino (skinny, of course!) and a chance to read the newspaper in peace.
So it was that I found myself reading in the Times about a minor spat between two Members of Parliament. In a nutshell, a senior (male) MP challenged a young woman he encountered in a restricted area, on the basis that “Well, I thought you looked too young to be an MP”. He challenged her to produce her pass, which she did. Awkward. Now, I don’t intend to defend the MP’s possibly boorish manner (after all, it seems he has form when it comes to acerbic remarks). Equally, it seems at least possible that the younger (newly elected) MP might have been less than cooperative when challenged. So all in all, a storm in a teacup, but it reminded me of a serious point.
Must we wear photo passes?
Regular readers will know that I work for IBM where, in common with all technology-based organisations and many large organisations of all types, it’s mandatory for all staff to have a pass to gain access to and move around the company sites. These access passes form a key component of physical access control systems and even, in more advanced deployments, provide strong authentication for access to computer systems. They also generally display a photo of the owner and their name. The idea is that the most basic element of physical security is for those in a restricted area to be aware of who should be present and who shouldn’t.
In modern organisations, staff often visit their “home” office only infrequently. Equally, the number of staff in any one location is often very large. As I wrote in a previous post, Dunbar’s Number suggests that we have difficulty keeping track of a circle of acquaintances numbering more than (say) 150. This is, in large part, the reason behind photographic ID. I’m sure IBM is not alone in insisting that these badges are worn in plain sight by all staff at all times.
They also help in avoiding embarrassing situations like the newspaper story with which I opened. “Tailgating” is frowned upon at card-operated doors, and clearly visible photo ID makes it easier for security staff to detect. It’s everyone’s responsibility – and should be drummed into new staff through security awareness training – to be aware of who is in the area and to confirm their right to be there. We also have to be prepared to challenge anyone not displaying the correct pass, though hopefully showing a little more tact than the Tory MP.
Badges are a good start but only as good as the verification process. Most times this is a cursory visual inspection, so a reasonably researched fake badge is often a good way in for a proper pen tester. Best option is normally to pick a service company too, as there’s less chance of getting caught out by chance.
Of course in the black hat world dressing up as emergency responders and turning up in an ambulance is also an option. It takes very well trained gate staff to refuse entry to an unexpected ambulance with lights and sirens going…
Comment by Nik — June 6, 2011
I absolutely agree about the quality of the verification. I don’t think access should ever be granted to a restricted area, purely based on photographic ID. I guess most security-conscious organisations use some form of mag stripe or proximity card in conjunction with their CAS system to get people through the doors/turnstiles. The attraction of photo ID is to make occupants of a restricted area aware of who is around them – and when (in the case of visitors, escorted or not) that means taking additional precautions.
I love the notion of a fake ambulance – and I bet you know where to get your hands on one, right?
Comment by Vintage1951 — June 7, 2011