
Section 7.2 Physical Access

An organization’s building is a large ongoing investment and is often an unexpected security asset or weakness. Most technical security controls can be completely bypassed or disabled if physical security is not taken into account. As such, steps must be taken to assure that physical access is limited to protect not only the building and its contents but also the data that is created and stored there.
Figure 7.2.1. DeFacto (commons.wikimedia.org/wiki/File:Inveraray_Castle_-_south-west_facade.jpg), CC BY-SA 4.0 (creativecommons.org/licenses/by-sa/4.0), via Wikimedia Commons

Subsection 7.2.1 Gates

It is easier to manage the physical security of a location when the number of entry points is limited. Convenience and safety dictate that even with such considerations multiple points of ingress are still needed. A security gate is the most basic tool available to ensure that only authorized actors gain access.
Security gates can be manned or unmanned and designed to support vehicular or pedestrian traffic. In general an unmanned security gate is not going to be as effective as a manned security gate. Likewise, vehicular gates will be less effective against foot traffic (especially unmanned vehicular gates) than gates or checkpoints designed for individuals. A thorough risk assessment is often the first step in planning where to put gates and what types of gates to use.

Subsection 7.2.2 Biometrics

Figure 7.2.2. Biometrics Access Identification (pixabay.com/illustrations/biometrics-access-identification-4503107/) is used under Pixabay License (pixabay.com/service/license/)
Biometric security devices identify people based on one or more physical characteristics. This has the great advantage of convenience. A person may occasionally forget to bring their ID card in to work, but they will never forget to bring their fingertip or iris! Similarly, since the items being used for identification are attached to the people using them, biometric characteristics are difficult to steal or impersonate.
Biometric traits are often broken into two categories: physiological and behavioral. Physiological traits can be facial structure, fingerprints, palm prints, hand structure, iris patterns, or even the sequence of someone’s DNA. Behavioral traits include voice, signature, and even keystroke patterns.

Subsection 7.2.3 Key Cards

Many security measures employ key cards for access to rooms. A key card uses the same form factor as a credit card, making it easy for employees to carry in their wallets or ID holders. Key cards may utilize magnetic stripes or chips (in a similar fashion to credit cards), radio frequency identification (RFID), or near field communication (NFC).
Basic passive keycards are often subject to skimming and cloning attacks. Once an attacker can gain access to the unique number stored on the card, they can recreate the card. It is important to monitor areas where key cards are being used to make sure additional hardware is not installed by an attacker to read these numbers. It is also important to educate users of the system so they do not share their key cards with others and report them if they go missing.
Proximity Cards
Diagram illustrating the internal components of an RFID proximity card.
The diagram, titled "RFID Proximity Card," shows the internal structure of an RFID (Radio-Frequency Identification) proximity card. The outer boundary is indicated by a dashed rectangle labeled "Card Edge." Inside, a prominent feature is a large, spiraling coil of wire, explicitly labeled with an arrow as "Antenna"; this coil occupies most of the card’s internal area. Connected to the inner termination of this antenna coil is a smaller rectangular block labeled "Capacitor and IC" (Integrated Circuit). The diagram illustrates how the antenna is a key component for receiving power and transmitting the card’s ID when energized by a reader’s electromagnetic field.
Figure 7.2.3. RFID Proximity Card
The most ubiquitous RFID card, the proximity or prox card, is vulnerable to a very basic cloning attack. The keycard is a passive electronic device, meaning it utilizes a coil as both an antenna and a source of power for its circuit. This has the advantage of not requiring a battery, but the card only works when it is placed in an electromagnetic field, such as near an RFID reader on a door. The RFID reader will generate a 125 kHz radio frequency field. The prox card has a long antenna which spirals around the outside. This antenna is designed to be resonant at 125 kHz, and when powered by the field created by the reader it charges a capacitor and provides current to an IC. The IC then broadcasts the card’s ID.
Unfortunately, this passive configuration limits the circuitry to very simple operations due to the need for low power consumption. All a proximity card can do when activated is broadcast the card’s ID. An attacker can listen for that number by placing another reader next to the legitimate reader or even carrying a portable reader that will activate the card when close to the user. Once the attacker has the 26-bit unique number of the card, they can make their own card with that same number and gain access.
There have been proposals to strengthen RFID systems, including using AES (www.iacr.org/archive/ches2004/31560357/31560357.pdf). It is also possible to require another factor of identification in addition to the keycard. Fortunately, many systems seem to be moving to phone applications via NFC which have significantly more processing power to support trustless cryptographic identification.
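The following added example (not from the original text or the cited proposal) contrasts a static-ID card with a challenge-response card, showing why a recorded reply is accepted by the first kind of reader and rejected by the second. HMAC-SHA256 from the Python standard library stands in for the AES-based scheme mentioned above; the class names, function names, card ID and key are constructed for illustration.

```python
import hmac
import secrets

ID_LEN = 4  # bytes; enough for a 26-bit card number

class StaticCard:
    """Prox-style card: once energized it can only broadcast its fixed ID."""
    def __init__(self, card_id):
        self.card_id = card_id
    def respond(self, challenge):
        return self.card_id.to_bytes(ID_LEN, "big")  # identical every time

class KeyedCard(StaticCard):
    """Card that proves possession of a secret key which never leaves it."""
    def __init__(self, card_id, key):
        super().__init__(card_id)
        self._key = key
    def respond(self, challenge):
        tag = hmac.digest(self._key, challenge, "sha256")
        return super().respond(challenge) + tag

class Replay:
    """Plays back one recorded reply; models a card made from skimmed data."""
    def __init__(self, recorded):
        self.recorded = recorded
    def respond(self, challenge):
        return self.recorded

def static_reader_admits(card, allowed_ids):
    reply = card.respond(b"")
    return int.from_bytes(reply[:ID_LEN], "big") in allowed_ids

def keyed_reader_admits(card, keys_by_id):
    challenge = secrets.token_bytes(16)  # fresh nonce for every attempt
    reply = card.respond(challenge)
    key = keys_by_id.get(int.from_bytes(reply[:ID_LEN], "big"))
    if key is None:
        return False
    expected = hmac.digest(key, challenge, "sha256")
    return hmac.compare_digest(reply[ID_LEN:], expected)

def demo():
    cid, key = 0x2ABCDEF, secrets.token_bytes(32)  # constructed ID and key
    static, keyed = StaticCard(cid), KeyedCard(cid, key)
    skim_keyed = Replay(keyed.respond(secrets.token_bytes(16)))
    return {"static_genuine": static_reader_admits(static, {cid}),
            "static_replay": static_reader_admits(Replay(static.respond(b"")), {cid}),
            "keyed_genuine": keyed_reader_admits(keyed, {cid: key}),
            "keyed_replay": keyed_reader_admits(skim_keyed, {cid: key})}
```

The static reader cannot tell the genuine card from the replay because both send the same bytes, while the keyed reader rejects the replay because its tag was computed over an earlier nonce.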

Subsection 7.2.4 Security Guards

The most versatile assets in any organization are human assets and the same is true of security guards. Security guards can be used to verify IDs, enforce rules, stop forced entry, and take actions as necessary. Given the expensive nature of human resources, security guards should be employed in critical locations where risk is high. They may also benefit greatly from staff awareness training even if their job description may be different from the other employees you are training.

Subsection 7.2.5 Cameras

Figure 7.2.4. CCTV camera and iFacility IP Audio speaker on a pole (commons.wikimedia.org/wiki/File:CCTV_camera_and_iFacility_IP_Audio_speaker_on_a_pole.jpg) by RickySpanish used under CC-BY-SA 4.0 (creativecommons.org/licenses/by-sa/4.0/deed.en)
Cameras afford the operator an "always on" view of a location. Awareness that all activity is being recorded can persuade attackers to aim for an easier target or not continue with their nefarious actions. Even if an attacker persists, the camera footage can provide proof of the attack as well as evidence that can be used later to track the attacker or make better security decisions.
The "eye in the sky" seems to have the effect of keeping honest people honest, but is often just seen as an obstacle for those intent on breaking the rules. Despite this, cameras do have several technological advantages. They can work in no/low light conditions, can be remotely controlled and monitored, can store footage remotely, can track motion, and can activate/alert on motion events. Cameras are an integral part of most security plans.
CCTV in London
The largest deployment of CCTV cameras in the world is currently in London, England. There are over half a million cameras recording the average Londoner more than 300 times a day (www.caughtoncamera.net/news/how-many-cctv-cameras-in-london/). This makes London a very interesting case study in the effects of widespread camera use.
It appears that conspicuous cameras can prevent certain types of crime (theft and burglary) but have little effect on crimes of passion (spontaneous and unplanned crimes). In aggregate, cameras appear to not have an effect on the overall amount of crime. While decreases have occasionally been seen, causation cannot be established.
From a security perspective, we are not only concerned with preventing crimes, but also concerned with tightening our security after a breach has occurred. The cameras in London have been shown to aid in solving crimes after they have occurred. This bodes well in a security context where that is a major goal.

Subsection 7.2.6 Mantraps

Diagram or illustration of a mantrap physical access control system.
The image shows a mantrap, a physical security mechanism designed to control access by allowing only one person to pass through at a time. This is a small enclosed space or chamber with two doors. The system ensures that the first door must close and lock before the second door can be opened. The diagram shows a top-down view of this setup, with a figure indicating the passage of an individual, to demonstrate its function in preventing unauthorized piggybacking or tailgating.
Figure 7.2.5. Mantrap Physical Access Control System
A mantrap is a physical access control that requires people to enter through a door one at a time. Also known as air locks, sally ports, or access control vestibules, mantraps are used to prevent tailgating, or following another person through a secured door. These devices are often used with keycards to ensure that only people who are supposed to have access to a building can get in.
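The interlock rule described above can be written as a small controller. This is an added example, not taken from the original text or from any product: it models inbound passage only, and the class, method names, badge ID and the occupancy sensor feeding `occupants_now` are assumptions.

```python
class Mantrap:
    """Interlock controller for a two-door vestibule (hypothetical model)."""

    def __init__(self, authorized_badges):
        self.authorized = set(authorized_badges)
        self.unlocked = None   # None, "outer" or "inner": never both doors
        self.occupants = 0     # assumed to come from a floor or optical sensor
        self.events = []       # denied requests, kept for later review

    def badge(self, door, badge_id):
        """Decide whether to release `door` ("outer" or "inner")."""
        if badge_id not in self.authorized:
            return self._deny(door, "unknown badge")
        if self.unlocked is not None:
            return self._deny(door, "a door is still unlocked")
        if door == "outer" and self.occupants != 0:
            return self._deny(door, "vestibule occupied")
        if door == "inner" and self.occupants != 1:
            return self._deny(door, "occupancy is not exactly one")
        self.unlocked = door
        return True

    def door_closed(self, door, occupants_now):
        """Door sensor reports closed: relock and record sensed occupancy."""
        if self.unlocked == door:
            self.unlocked = None
        self.occupants = occupants_now

    def _deny(self, door, reason):
        self.events.append((door, reason))
        return False


def run_scenarios():
    results = {}
    trap = Mantrap({"badge-A"})                  # constructed badge ID
    results["outer_opens"] = trap.badge("outer", "badge-A")
    results["inner_while_outer_open"] = trap.badge("inner", "badge-A")
    trap.door_closed("outer", occupants_now=2)   # a second person followed
    results["inner_with_tailgater"] = trap.badge("inner", "badge-A")
    solo = Mantrap({"badge-A"})
    solo.badge("outer", "badge-A")
    solo.door_closed("outer", occupants_now=1)   # one person, door relocked
    results["inner_single_person"] = solo.badge("inner", "badge-A")
    return results, trap.events
```

A valid badge alone is not enough to release the inner door: the outer door must be closed and locked and the vestibule must hold exactly one person, which is what defeats tailgating.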