Physical Security

1

• Physical Security
• Biometrics
• By Prashant Mali

2
Objectives

• To address the threats, vulnerabilities, and
  countermeasures which can be utilized to
  physically protect an enterprises resources and
  sensitive information to include people,
  facilities, data, equipment, support systems,
  media, and supplies.
• To discuss considerations for choosing a secure
  site, its design and configuration, and the
  methods for securing the facility against
  unauthorized access, theft of equipment and
  information, and the environmental and safety
  measures needed to protect people, the facility,
  and its resources.

3
Session Agenda

• 1. Physical Access Threats and Exposures
• 2. Site Location and Design
• 3. Physical Access Controls
• 4. Environmental Protection
• 5. Audit And Evaluation of Physical Access
  Controls

4
Threat Components

• Threat Components
• Agents
• Motives
• Results
• Human Threats
• Theft
• Vandalism
• Sabotage
• Espionage
• Errors
• Blackmail

5
Human Threats

• Exposures resulting by means of
• Unauthorized entry
• Damage, vandalism and theft of equipment or
  documents
• Copying, viewing, or alteration of sensitive
  information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement

6
Human Threats

• Possible perpetrators can be employees who are
• Disgruntled or on strike
• Experiencing financial or emotional problems
• Threatened with disciplinary action
• Addicted to a substance or gambling
• Notified of their termination
• Hired by a competing company

7
Personnel Access Controls

• Position Sensitivity Designation
• Management Review of Access Lists
• Background Screening/Re-Screening
• Termination/Transfer Controls
• Counseling for Disgruntled Employees

8
External / Internal Threats

• External Threats
• Wind/Tornado
• Flooding
• Lightning
• Earthquake
• Cold and Ice
• Fire
• Chemical
• Internal Physical Threats
• Fire
• Environmental Failure
• Electrical Interruption

9
External / Internal Threats

• Are hardware facilities controlled to reduce the
  risk of unauthorized access?
• Are hardware facilities reasonably protected
  against forced entry?
• Are smart terminals locked or otherwise secured
  to prevent removal of boards, chips, or the
  entire computer itself?
• Are authorized passes required before computer
  equipment can be removed from its normally secure
  environment?

10
External / Internal Threats

• Facilities to be protected
• Computer room, operator consoles, and terminals
• Programming area
• Tape library, disks, and all magnetic media
• Storage room and supplies
• Off-site backup file storage facility
• Input / Output control room
• Power sources
• Disposal sites

11
Site Location and Design

• Local Crime
• Visibility
• Emergency Access
• Natural Hazards
• Air and Surface Traffic
• Joint Tenants
• Stable Power Supply
• Existing Boundary Protection (Barriers/Fencing/Gat
  es)

12
Site Boundary Protection

• Area Designation Facilitates Enforcement
• Vehicular Access
• Personnel Access
• Occupants
• Visitors (Escort Logging)
• Fences
• Deter Casual Trespassing
• Compliments Other Access Controls
• Aesthetics
• Wont Stop Determined Intruder

13
Site Boundary Protection

• Lighting
• Entrances
• Parking Areas
• Critical Areas
• Perimeter Detection Systems
• Does Not Prevent Penetration
• Alerts Response Force
• Requires Response
• Nuisance Alarms
• Costly

14
Site Boundary Protection

• CCTV (Closed Circuit TV)
• Efficiency
• Requires Human Response
• Limitations
• Staffing
• Access Control Points
• Patrols
• Employees

15
Physical Access Controls

• Guards
• Fences
• Barriers
• Lighting
• Keys and Locks
• Badges
• Escorts
• Property Controls
• Monitoring/Detection Systems

16
Physical Access Controls

• Common Physical Access controls are
• Computer Terminal Locks
• Video Cameras
• Security Guards, Alarm System
• Controlled Visitor Access
• Bonded personnel
• Confidential Location of Sensitive Facilities
• Controlled Single point of Entry and Exit
• Motion Detection System

17
Physical Access Controls

• Common Physical Access controls are
• Bolting Door Locks
• Cipher or Keypad Locks
• Electronic Door Locks
• Biometric Access Controls
• Deadman Door Locks
• Manual Logging, Electronic Logging
• Identification Badges

18
Environmental Protection

• Computing Facility
• Electrical Power controls
• Air Conditioning
• Fire Prevention, Detection, and Suppression
• Media Storage Protection
• Other Considerations

19
Audit and Evaluation

• Check the location of
• All operator consoles
• Printer rooms
• Computer storage rooms
• UPS/Generator rooms
• Communications equipment
• Tape library
• Off-site storage facility

20
Audit and Evaluation

• Check the following paths of physical entry
• All entry doors
• Glass windows and walls
• Movable walls and modular furniture
• Above false ceilings and below raised floors
• Ventilation systems

21
Keypad Locks

• Electronic (Keypad Systems) Digital Keyboard
• Number of Combinations
• Number of Digits in Code
• Frequency of Code Change
• Error Lock-Out
• Error Alarms

22
Keypad Locks
23
Electronic Door Locks

• The system uses a magnetic or embedded
  chip-based plastic card to be used as a swipe
  card to gain access to a restricted area.
• Through a special internal code, cards can be
  assigned to an identifiable individual
• Individuals can be given selective access to
  areas based on needs, time of day restrictions,
  etc.
• The cards should be difficult to duplicate.
• Card entry can be easily deactivated for
  terminated employees or if a card is reported
  lost or stolen.

24
Access Controls - Dumb Cards

• Dumb Cards
• Photo Identification Badges
• Manual Visual Verification
• Can be Combined with Smart Technology

25
Access Controls - Smart Cards

• Digital Coded (Smart) Cards
• Often Require Use of PIN Number with Card
• Card Readers Card Insertion, Card Swipe
  Proximity

26
(No Transcript)
27
Types of Access Cards

• Photo ID Cards
• Optical Coded Cards (Magnetic Dot)
• Electric Circuit Cards (Embedded Wire)
• Magnetic Cards (Magnetic Particles)
• Metallic Stripe Card (Copper Strips)

28
Types of Access Cards

• GemClub Memo has been winning the confidence of
  application developers since 1998. GemClub Memo
  is the proven and the secure Memory technology in
  the smart card market, with several million of
  cards in the field and 100 live applications such
  as
• Public ( Transportation, driving license, health
  care, fleet cards),
• Reward (loyalty, Voucher, Pre paid...)
• Access control (logical or physical).
• Electronic purse (in closed payment schemes),

29
Biometrics - Access Controls

• Authenticating a user via human characteristics
• An individuals unique body features such as
  fingerprint, signature, voice, retina can be used
  to identify the individual.
• Complicated and expensive
• Used for extremely sensitive facilities, such as
  in the military

30
Biometrics - Access Controls

• Fingerprint/Thumbprint Scan
• Hand Geometry
• Voice Verification
• Retinal Scanning
• Iris Scanning
• Signature Verification
• Facial Recognition
• Keystroke Recorders
• Vein Biometric Systems

31
Fingerprint Verification

• Fingerprint scanning products are the most common
  type on the market today. Properly implemented,
  fingerprints offer potential for high accuracy.
• The readers tend to be small - easily
  incorporated into a keyboard for example
• Have a relatively low cost, and integration is
  usually easy.
• Cuts or dirt on the finger can cause some systems
  not to recognize a valid fingerprint.
• Some fingerprint scanners will scan for pulse as
  well as the fingerprint.

32

• The State of Connecticut began using fingerprint
  readers in 1996 to catch welfare cheats who came
  in to pickup cheques.
• The fingerprint scanners, which cost about 200
  from Identix Corp., use a digital camera to
  capture the fingerprints. Imaging software from
  National Registry Inc. is used to compare the
  scanned image with the one stored on a server.
• The 5.1 million project is said to have saved
  the state 9 million in welfare fraud.

33
DigitalPersona U.are.U Personal DigitalPersona
has released a new version of its
consumer-friendly fingerprint reader, the
DigitalPersona U.are.U Personal. The software
replaces passwords for Microsoft Windows XP,
creating a more secure and more convenient
solution for homes and small businesses where one
PC serves many masters. Though not perfect, the
U.are.U is a trouble-free convenience that will
help protect your privacy.
34

• I/O Software, a California company, is marketing
  a fingerprint ID system to control access to a
  computer right after it is turned on, before
  booting.
• Their system uses Sonys Fingerprint
  Identification Unit, which plugs into the serial
  port. If the fingerprint does not match, the
  system stops the computers Basic Input Output
  System (BIOS) from starting up.

35
Sony FIU-710 PC Magazine - The Puppy was the
only model we evaluated that performed flawlessly
on all of our tests, enrolling and verifying 100
percent of our test subjects - though we could
enroll only 10 people on the Puppy, as opposed to
100 on the other devices. Plus we were able to
shuttle it easily among different PCs.
36
TimeCentre's BioMouseIt is the world's first
mouse to offer total PC and network security with
the touch of a finger! Bring fingerprint
recognition technology to a workstation!
Positively identify who is accessing the PC and
who is clocking in each day. The BioMouse can be
used in conjunction with TimeCentre's PC entry
and browser-based PC entry system on a
workstation or kiosk. In a PC kiosk environment,
the BioMouse can insure the identity of each
valid user.
37
(No Transcript)
38
Hand Geometry

• Hand Geometry measure the physical
  characteristics of the users hand and fingers.
• Hand geometry is one of the most established
  methods and typically offers a good balance of
  performance and ease of use.
• Hand geometry is most widely used in physical
  access control and time/attendance systems. It is
  not currently in wide deployment for computer
  security applications primarily because it
  requires a large scanner.

39

• Biometric Hand PunchTimeCentre's Hand Punch
  clocks positively identify each employee by the
  unique size and shape of his or her hand,
  increasing the security and accuracy of your
  company's time data. It is the perfect balance
  between security and convenience.
• Eliminates "buddy punching" and guarantees the
  accuracy of your punch data
• Eliminates early-in punches
• Eliminates unauthorized overtime punches
• No cards or badges are needed to utilize the
  TimeCentre Biometric Hand Punch. The employee's
  hand is their time card!

40

• Sensar is offering their iris recognition system
  to ATM manufacturers as an alternative to
  passwords and PINs. When a bank card is inserted
  into an ATM machine, a stereo camera locates the
  persons face, zooms in on the eye, and takes a
  digital photograph of the eye. The features in
  the eye are then compared with one provided to
  the bank when the customer signed up.
• All this can be done in less then two seconds at
  a distance of up to 3 feet. The system is
  expected to add 2,000 to 3,000 to the cost of
  an average ATM machine, which now can cost up to
  40,000.
• Several banks are testing Sensars system,
  including banks in the United States, United
  Kingdom, and Japan.

41
Voice Recognition

• Voice Recognition is perhaps the method most
  desirable to users since everyone seems to want
  to talk to computers.
• In practice, implementation is extremely
  difficult. While recent advances in voice
  recognition have greatly improved the technology,
  it is still subject to problems.
• Local acoustics, background noise, microphone
  quality, the common cold, anxiety, being in a
  hurry, and anger can all alter the human voice
  enough to make voice recognition difficult or
  impossible.
• Further, voice recognition systems tend to have
  the most difficult and time-consuming enrollment
  process and require the most space for template
  storage.

42

• In February 1998, Periphonics Corp., a maker of
  interactive voice response systems, announced
  they would integrate voice identification into
  their automated call processing applications. The
  system could be used by banks and credit card
  companies which rely heavily on interactive call
  systems.
• When a customer phones for service, the system
  asks for a password. The voice sample is then
  compared with one taken during initialization.
  Periphonics says the error rate is around 1 to
  2.
• The attraction of voice recognition is that it
  can be performed over the phone system without
  the need for special cameras or other equipment.

43
Retinal Scanning

• Retinal Scanning is well established and can
  provide high accuracy.
• User acceptance may be a problem however
  Youre not shooting a laser into my eye! In
  reality, retinal scanners do not employ a laser,
  but scan using low intensity light and are
  considered quite safe.
• One drawback is that the user must look directly
  into the retinal reader. This is inconvenient for
  eyeglass wearers.
• In public applications, there may also be
  concerns with the spread of germs because of the
  need for physical contact with the retinal
  scanner.
• Another problem is that the user must focus on a
  given point for the scan. Failure to focus
  correctly causes a significant impact on
  accuracy.

44
The EyeDentify Biometric Retina Reader provides
dual level access security. A keypad code
requires Retina pattern verification which takes
less than two seconds from up to 3 away. Retinal
vascular patterns are the most accurate biometric
recognition features which provides the highest
level of biometric security. Can be easily
interfaced with ECS Access Control systems or
used in stand alone applications.
45
Iris Scanning

• Iris Scanning overcomes most of the problems of
  retinal scanners.
• Because the iris (the colored part of the eye) is
  visible from a distance, direct contact with the
  scanner is not required nor is it necessary to
  remove eyeglasses.
• The technology works by scanning the unique
  random patterns of the iris.
• Interestingly, the method does not rely on the
  iris color (the camera used is black-and-white).
  This is important because of the popularity of
  colored contact lenses some vendors claim their
  systems will work with colored contacts and even
  through non-reflective sunglasses.

46
In 1994, Iridian's John Daugman introduced the
concept of iris recognition technologycapturing
the unique patterns in a human iris to
authenticate identity. Like fingerprints, no two
irises are alike. The Authenticam verifies a
user's identity by scanning the person's iris and
matching the pattern with the template stored at
enrollment. Unlike a retinal scanner, which
captures information necessary for authentication
by shooting a laser beam into the eye while the
user is in contact with the device, the iris
scanner allows the user to be about 20 inches
away from the camera.
Panasonic Authenticam Iris Recognition Camera
47
Signature Verification

• Signature Verification enjoys a synergy the other
  technologies do not since people are used to
  signing for things.
• There is a greater feeling of normalcy. While
  signature verification has proved to be
  relatively accurate, very few products available
  implement the technology.

48
Facial Recognition

• Facial recognition is one of the newest biometric
  methods. The technology has attracted a lot of
  attention.
• Unfortunately, extravagant claims that proved
  difficult to substantiate cooled much of the
  enthusiasm.
• It is not overly difficult to match two static
  images.
• Picking an individual out of a group as some
  systems claim to be able to do is another matter
  entirely.
• Progress continues to be made with this young
  technology, but to date facial recognition
  systems have had some success in practical
  applications.

49

• The FaceIT PC desktop software, which sells for
  150, is used on a PC with a video camera. The
  system automatically detects human presence,
  locates and tracks faces, and identifies people.
• The recognition process, which is based on 64
  features of the face, takes less than a second.
  When the user steps away from the computer,
  FaceIT becomes a screensaver and locks the
  computer. The machine is unlocked only when the
  computer detects and recognizes the user. Files
  are secured through encryption.
• The technology has been or will be used in other
  applications, including ATMs, airport passenger
  and baggage security, and border crossings.

50
Imagis' proprietary technology uses more than
692 facial desciptors to capture and identify a
face. This is ten times more than other
technologies. At the very heart of Imagis'
technology is a unique method of capturing facial
data that is intrinsically more accurate. Whereas
other solutions are limited through their
reliance on outmoded facial recognition methods,
Imagis uses a combination of spectral analysis
and 3-D modeling to locate and fit a face,
identifying over 692 facial descriptors in the
process.
51
Once a face has been identified, it is converted
into a deformable surface model. This surface
modeling allows the face detection to work
accurately with an infinite number of face
shapes. Unlike other solutions, ID-2000 works
equally well with all races and genders and is
not fooled by a change in hairstyles, or the
growth/ shaving of a beard. Once a face has been
captured and rendered, the software uses a
proprietary algorithm to produce a wavelet that
is unique to that image. It is this wavelet
(compressed and encoded) that is used to make
comparisons quickly in both one-to-one and
one-to-many searches.
52
Vein Biometric Systems

• Vein biometric systems record subcutaneous Infra
  Red absorption patterns to produce unique and
  private identification templates for users.
• Veins and other subcutaneous features present
  large, robust, stable and largely hidden
  patterns. Subcutaneous features can be
  conveniently imaged within the wrist, palm, and
  dorsal surfaces of the hand.
• The technology is a vascular barcode reader for
  people!
• The technology can be applied to small personal
  biometric systems, generic biometric applications
  including intelligent door handles, door locks
  etc.

53
Vein Biometric Systems

• Vein pattern IR. grey-scale images are binarized,
  compressed and stored within a relational
  database of 2D vein images. Subjects are verified
  against a reference template in under 200ms
  providing fast, robust biometric authentication.

54
Biometrics - Advantages

• Cant be lent like a physical key or token and
  cant be forgotten like a password
• Good compromise between ease of use, template
  size, cost and accuracy
• Biometrics contains enough inherent variability
  to enable unique identification even in very
  large (millions of records) databases
• Basically lasts forever - or at least until
  amputation or dismemberment
• Makes network login authentication effortless

55
Biometrics - Disadvantages

• Still relatively expensive per user
• Companies and products are often new and immature
• No common API (Application Protocol Interface) or
  other standard
• Some hesitancy for user acceptance

56
Biometrics - Practical Applications

• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Pension,
  welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM , credit or smart
  cards
• Controlling physical access to office buildings
  or homes
• Protecting personal property
• Voting/Passports/Visas Immigration

57
Biometrics - Privacy Issues

• Tracking and surveillance - Ultimately, the
  ability to track a person's movement from hour to
  hour
• Anonymity - Biometrics links to databases could
  dissolve much of our anonymity when we travel and
  access services
• Profiling - Compilation of transaction data about
  a particular person that creates a picture of
  that person's travels, preferences, affiliations
  or beliefs

58
Biometrics - Tenets

• The indiscriminate and inappropriate application
  of biometric technologies will enslave us all.
• Biometric technologies should be used to provide
  individuals with enhanced privacy, security,
  autonomy and convenience.
• Users must insist on the application of personal
  biometric systems, where they own and control
  their own biometric data.
• The implementation of biometric technologies must
  safeguard the rights and privileges of the
  individual whilst maintaining the security of the
  community.
• Biometric technologies should not be used as
  tools to manage, control, marginalize or
  segregate groups or minorities within the
  population.

59
Deadman Door Locks

• This system uses a pair of doors, between which
  is a holding area.
• For the inside door to operate, the outside door
  must lock and close, with only the authorized
  person within the holding area.
• This can reduce the risk of piggybacking, where
  an unauthorized person follows a authorized
  person into a restricted area.
• Similar to the airlocks present in spacecraft.

60
Computing Facility

• Walls
• True Floor to Ceiling
• Fire Rating (at least 1 hour)
• Penetrations
• Adjacent Areas
• Doors
• Interior/Exterior
• Hinges
• Fire Rating
• Alarms
• Monitoring

61
Computing Facility

• Windows/Openings
• Interior/Exterior
• Fixed
• Shatterproof
• Computer and Equipment Room Lay Out
• Equipment Access
• Storage
• Occupied Areas
• Water Sources
• Cable Routing

62
Electrical Power

• Electrical Power Definitions
• Blackout - Loss of Power
• Brownout - Prolonged Period of Below Normal
  Voltage
• Noise - Random Disturbance that Interferes with a
  Device
• Sag - Short Period of Low Voltage
• Spike - Momentary High Voltage
• Surge - Prolonged High Voltage
• Transient - Line Noise/Disturbance at Normal
  Voltage

63
Electrical Power

• Electrical Power Controls
• Dedicated Circuits
• Controlled Access to
• Power Distribution Panels
• Master Circuit Breakers
• Transformers
• Feeder Cables
• Emergency Power Off Controls
• Voltage Monitoring/Recording
• Surge Protection

64
Electrical Power

• Backup Power
• Alternate Feeders
• Un-interruptible Power Supply
• Emergency Power Generator

65
Electrical Power

• Backup Power Requirements
• Lighting
• Physical Access Control Systems
• Fire Protection Systems
• Computing Equipment - Mainframes, Servers, etc
• Communications Equipment
• Telephone Systems
• Air Conditioning

66
Air-conditioning

• Dedicated
• Controllable
• Independent Power
• Emergency Shut Off Controls
• Positive Pressure
• Protected Air Intakes
• Monitoring

67
Other Controls

• Humidity Controls
• Risk of Static Electricity
• Risk to Electric Connections
• Air Quality (Dust)
• Water Protection
• Falling Water
• Rising Water
• Drains
• Protective Coverings
• Moisture Detection Systems

68
Fire Prevention Protection

• Fire Elements
• Fuel
• Oxygen
• Temperature
• Causes Of Computer Center Fires
• 1 Electrical Distribution Systems
• 2 Equipment
• Fire Classes
• A Common Combustibles (use Water/Soda Acid)
• B Liquid (CO2/Soda Acid/Halon)
• C Electrical (CO2/Halon)

69
Fire Prevention Protection

• Temperatures When Damage Occurs
• Paper Products 350o
• Computer Equipment 175o
• Disks 150o
• Magnetic Media 100o

70
Fire Detection

• Manual
• Optical (Photoelectric-Smoke Blocking Light)
• Temperature
• Ionization (Reaction to Charged Particles in
  Smoke)

71
Fire Detectors

• On Ceilings
• Above Suspended Ceilings
• Beneath Raised Floors
• Return Air Ducts
• Cross-Zoning

72
Fire Alarms

• Manual Automated Activation
• Visual Audible Indication
• Local Remote Annunciation

73
Fire Suppression - Portable Ext.

• Portable Extinguishers
• At Exits
• Mark Locations and Type
• Types A, B C
• Need to Inspect

74
Fire Suppression - Water

• Dry Pipe Systems Less Risk of Leakage
• Employ in Throughout Building and in all Spaces
• Works to Lower Temperature
• Most Damaging to Equipment
• Conventional Systems

75
Fire Suppression - CO2

• Colorless/Odorless
• Potentially Lethal
• Removes Oxygen
• Best for Unattended Facilities
• Delayed-Activation in Manned Facilities

76
Fire Suppression - Halon

• Best Protection for Equipment
• Inside Equipment Cabinets/Vaults
• Special Areas
• Above Suspended Ceilings
• Under Raised Floors
• Concentrations lt10 are Safe
• Becomes Toxic at 900o
• Depletes Ozone (CFCs)
• Halon 1301 Requires Pressurization
• Halon 1211 Self-Pressurization (Portable
  Extinguishers)

77
Securing Storage Areas

• Forms Storage Rooms
• Increased Threat of Fire
• Combustibles
• Access Controls
• Media Storage Rooms
• Media Sensitivity
• Segregation
• Access Controls
• Environmental Controls

78
Media Protection

• Storage
• Media Libraries/Special Rooms
• Cabinets
• Vaults
• Location
• Operational
• Off-Site
• Transportation

79
Protecting Wiring

• Optical Fiber
• Copper Wire
• Certifying the Wiring and Cabling
• Controlling Access to Closets and Riser Rooms

80
Other Considerations

• Dealing with Existing Facilities
• Planning
• Upgrade/Renovation
• Incremental New Construction
• Protecting the Protection
• Implement Physical and Environmental Controls for
  Security Systems
• Protect against both Intentional and Inadvertent
  Threats

81
Other Terms Abbreviations

• Tailgate
• Piggy-Back
• Stay Behind
• Degauss
• Remanence
• Mantrap
• Pass-Back
• Dumpster Diving
• Montreal Protocol
• Duress Alarm
• Tamper Alarm

• Passive Ultrasonic
• Fail Safe/Fail Soft
• EPO
• IDS
• Shoulder Surfing
• Electronic Emanation
• Tsunami
• RFI
• Defense in Depth
• EMI
• Top Guard

82

• Thank You
• prashant.mali_at_cyberlawconsulting.com