2.1 Summarize various security measures and their purposes

  • Physical Security
    • Access Control Vestibule
    • Badge Reader
    • Video Surveillance
    • Alarm Systems
    • Motion Sensors
    • Door Locks
    • Equipment Locks
    • Guards
    • Bollards
    • Fences
  • Physical Security for Staff
    • Key Fobs
    • Smart Cards
    • Keys
    • Biometrics
      • Retina Scanner
      • Fingerprint Scanner
      • Palmprint Scanner
    • Lighting
    • Magnetometers
  • Logical Security
    • Principle of Least Privilege
    • Access Control Lists (ACLs)
    • Multifactor Authentication (MFA)
    • Email
    • Hard Token
    • Soft Token
    • Short Message Service (SMS)
    • Voice Call
    • Authenticator Application
  • Mobile Device Management (MDM)
  • Active Directory
    • Login Script
    • Domain
    • Group Policy / Updates
    • Organizational Units
    • Home Folder
    • Folder Redirection
    • Security Groups

Physical Security

How do we protect our physical infrastructure?  Physical security is a layered approach.  It is designed to keep bad people out.  We need layers because no product or system is perfect.  An intruder who gets through one layer will be trapped by a second or third.

The type of physical security we choose to use depends on our budget, the size of our building, and the sensitivity of the assets that we are protecting.

Bollards/Barricades

A barricade or bollard is a physical device that keeps vehicles from crashing through a building. The barricade can be made of metal, concrete, or plastic (filled with sand or water).  A barricade can be designed as part of a landscape architecture so that it is aesthetically pleasing. 

The barricade is used to provide an additional layer of security next to a fence.  A fence can keep people from climbing over but won’t stop a vehicle, and a barricade can stop a vehicle but won’t stop a person.

Below is a retractable barricade.  We install this at a gate.  It can stop vehicles of most sizes.  When a vehicle is authorized to enter, we can lower the barricade.  The barricade might be operated manually or automatically.

These barricades are typically found at high-security facilities where the vehicle is first checked for explosives.

For many buildings, decorative bollards are more appropriate.  They can be disguised as part of the landscape or blend in with the architecture.  One concept uses concrete planters which can be filled with flowers or trees.

Below is a courthouse.  Instead of installing bollards, they raised the concrete around the building by approximately eight inches.  This is enough to stop any vehicle from driving over it, while still allowing people to walk on top of it.

Fencing/Gate/Cage

A Fence or Gate or Cage keeps people out or keeps people in.  For example, a tool storage area inside a building/warehouse might be fenced in so that only authorized people can take the tools.  Fences commonly work with bollards.

When designing a fence, consider

  • Who you are trying to stop.  A chain-link fence can be cut with wire cutters easily.  Even a barbed wire fence can be cut.  Fences are good for slowing down people who are trying to climb over but are not so good for vehicles or sneaky people.  A fence in combination with bollards may be a better approach.  You can also consider a concrete wall.

    • An electric fence is more effective at keep people out but may introduce unwanted legal liability.  An electric fence must have clear signage that identifies it as such.  It should also be separated from the public by a normal fence so that people cannot inadvertently contact it.  In some areas, an electric fence might be illegal.

  • Whether the fence is opaque or transparent (chain link).  The fence may need to be opaque so that people can’t see inside.

  • The height of the fence.  A tall fence may stop people from climbing or seeing over it, but it is irrelevant if people can cut through the fence or fly drones into the facility.

  • Fences can be used in combination with other security measures.  The fence provides a buffer zone.  It slows people down.  By the time a person has penetrated the fence, security will have been able to intercept them.  The fence can be monitored with cameras, security patrols, and sensors.

Some high security fence ideas include

  • Fences with razor wire in the chain link

  • Chain link fences that are nearly invisible.  They provide security but are also aesthetically pleasing.

  • Fences that can be rapidly deployed from the back of a truck

  • Fences that can be placed in the water to stop boats

  • Fences that contain fiber optic cable.  If the fence is touched or cut, the intrusion is automatically detected.

Inside a building, chain link fencing can be used to set up cages for controlled physical access. It is cheaper to build a cage than a physical room.

Signs

Signs work well with fences.  We put signs up for two reasons

  • Give people directions.  Signs are especially useful when we have multiple entrances (employee entrance, visitor entrance, security, shipping/receiving, etc.)

  • Tell unwanted people to stay out.  Depending on where we are, the content of the sign may need to be in multiple languages.  When you put up a sign telling people not to trespass, they will not be able to claim ignorance later.

Mantrap or Access Control Vestibule

A man trap is a door that only allows a single human to enter or exit at a time.  The man trap door is typically used in combination with a card access/biometric authentication.

The user presents his credentials to a card reader and/or security guard.  The first door opens, and the user enters a small hallway or room.  The first door closes, and when the first door is locked, the second door opens.  The man trap may be outfitted with a camera that detects if multiple individuals are present.

These are common in data centers and airports.

Badges

Anybody who is in our facility should wear a badge.  A badge should have the following information

  • Whether the person is an employee, contractor, or guest

  • The name of the person

  • The job title of the person

  • The security level of the person, if applicable

  • A clear photograph of the person

  • The expiry date of the badge

Badges may be color coded to indicate security levels.  People should wear their badges close to their faces and not on their hips.  This makes it easier to read the badge and compare the photograph to the person’s face.

When an employee or contractor is terminated, security should take their badge away.

A guest should be given a badge when they enter the facility, and they should return the badge when they leave.

Alarms

An alarm is necessary to protect critical assets.  The two main types of alarms

  • Intruder alarm – detects intrusions

  • Environmental alarm – detects a fire, flood, high temperatures, etc.

The alarm will have multiple components

  • Sensor.  The sensor detects an event.  Some types of sensors

    • Motion Sensor detects motion, which could indicate the presence of an unauthorized person.  Newer motion sensors have dual technology – a passive infrared signal and a microwave radar

    • Glass Break Sensor detects if glass has been broken based on the specific sound frequency that glass breaking makes

    • Door/Window Contact detects whether a door is open or closed.  The sensor consists of a magnet that sits on the door/window and a contact that sits on the door/window frame.  This creates a closed circuit.  When opened, the door/window breaks the circuit, and a signal activates

    • Heat Detector checks for the presence of heat or a rapid change in the temperature.  Heat detectors come in different temperature ranges.  A heat detector is usually connected to a fire alarm.

    • Smoke Detector checks for the presence of smoke.  A false alarm can occur if there are dusty conditions.  A smoke detector is used in high heat areas where a heat detector would be inappropriate.  A smoke detector is usually connected to a fire alarm.

    • Flood Detector checks for moisture content.  This may be installed in a server room, or in another area that is prone to flooding.

    • Thermostat measures the temperature in the room.  The thermostat can trigger a heater or air conditioner as required.  High temperatures can lead to equipment damage.  Cold temperatures can cause water pipes to burst.

  • Controls.  The control panel is the brains behind the operation.  The controls collect data from the sensors and decide if an abnormal event has occurred, in which case the alarm is triggered.  We must program the control panel to do what we want.  The controls send an alert to another device.

  • Alerts.  The alarm must make an alert when there is an abnormal condition, or else it will have no purpose.  It must notify somebody that an abnormal condition is present.  Some forms of alerts

    • Siren/Flashing Lights can scare intruders but are by themselves just a nuisance.  Some intruders will ignore the alarms, especially when there are many false alarms.  A police department will probably not respond to an audible alarm unless they are specifically notified that a crime is in progress.

    • Alert on a control panel.  The alarm can notify a monitoring station so that the responsible people can verify that the alarm is real and take additional action such as calling the police, calling for emergency services, or dispatching a security guard to investigate.

    • Automated phone call/email/SMS alert to the responsible people or to a monitoring station.

When an alarm is triggered, a security guard might first review the surveillance cameras in the relevant areas to determine if there is a problem.  The security guard would then physically investigate the areas and act as appropriate.  If nothing out of the ordinary is present, the security guard may turn off the alarm and record his findings.

An alarm system can be divided into multiple zones.  Each zone is subject to its own rules.  For example, a zone can be always armed, or it can be armed at night.  A server room might always be armed unless somebody needs to access it.  An office might only be armed at night when nobody is present.

When an alarm is in an armed state, any sensor activity will trigger an alarm.

The control system for an alarm must be in a physically secure room.  The control system must itself be alarmed (connected to a tamper-detecting sensor), so that any attempt to disable it is detected.

When you design an alarm system, consider the following

  • It is likely that your building will require a fire alarm.  The fire alarm is separate from the intrusion alarm.  It consists of smoke and heat detectors, bells, and a fire control panel.  Fire alarms must be monitored, and their design, installation, and testing are subject to strict standards.

    The company that monitors your fire alarm might also monitor your intrusion alarm.

  • Identify the locations where you need to place sensors

    • Each exterior door requires a sensor to determine whether it is open or closed

    • Each window that opens requires a sensor to determine whether it is open or closed

    • A glass break sensor should be installed opposite each window or set of windows

    • A motion sensor should be installed opposite each door or window as a back up to the open/close sensor

    • Motion sensors should also be installed in large rooms

  • Decide on a secure location to place the control panel

  • Select one or more locations to install keypads.  A keypad is used to disarm the alarm.  A keypad should be installed next to any main entrance.

  • Decide whether the system should be wired or wireless. 

    If the system is wireless, then you will need to change batteries in the sensors often.  You will also need to install an adequate number of wireless repeaters if the building is large. 

    If the system is wired, then you will need to install alarm wire.  Wired devices can be daisy chained, but there is a limit to the number of devices that can be connected to a single wire, and there is a limit to the length of the wire.

  • Divide the building into zones.  We group the sensors into zones.  When a sensor is triggered, the alarm will tell us which zone is affected.

    • If the building has only a few sensors, we can assign each sensor to its own zone.  For example, “Front Glass Break Sensor” might be a zone.

    • If the building is large, then we can divide the building into something logical

    • We might put wireless devices on one zone

    • We might put each entrance on a separate zone

    • If a sensor triggers an alarm, how quickly can you figure out where the trouble is based on the zone information

  • Decide on the operating hours and program the system

    • When people are in the building, then the system is disarmed.  Motion and doors/windows opening do not trigger an alarm

    • When the last person leaves the building, he must arm the system.  Once the system is armed, any motion or door/window opening triggers the alarm

    • You might have sensitive areas that are always armed unless somebody requires access.  Examples could include a server room, a mechanical room, or a vault.  You should put each of these rooms on a separate zone and keep that zone armed.

  • You should purchase an alarm system with a control panel that supports the number of sensors that you require and the number of zones that you require

  • Decide on how the system will be monitored

    • If you have a continuous security presence, you might monitor the system in house.  It might be linked to displays at your security office. 

      Remember that you usually cannot monitor your own fire alarm unless your monitoring center meets very specific requirements.

    • If you outsource the monitoring, you will need to connect your control panel to a phone line, a cellular model, or the internet.

    • You might outsource the monitoring but still configure the system to send alerts to your phone or e-mail address.

Cameras

A surveillance camera is used to monitor a physical area.  At a minimum, cameras should be placed

  • At all entrances

  • Around the perimeter of your fence if you have one

  • At locations where money is counted or exchanged

  • At locations where valuables are stored

  • At all shipping and receiving areas

  • At areas where thefts or acts of violence can occur

  • At other areas where video monitoring is required

Ideally, you should have enough cameras to monitor every square inch of your facility.  If you have areas where workers are performing physical labor, using tools, or handling products, you should have cameras.  People often claim to get hurt at work and having adequate cameras will reduce some of those claims.

Cameras can be used with software that can

  • Perform facial recognition and automatically detect/identify individuals and known trespassers. 

    The more advanced software can detect objects.  For example, if a woman puts a purse down on a table, the software can recognize that object as a purse.  If a thief steals the purse and walks away with it, the camera software can follow the purse throughout the facility across multiple cameras.

    We can click on the purse and the software can show us where it went, regardless of which camera saw it.  Or we can click on a person’s face and follow them around.  The software automatically switches from camera to camera as they walk around the facility.

  • Provide data analytics to understand traffic patterns.  Many retailers use cameras that can understand how people travel throughout the store and what products they look at the most.

  • Detect motion.  When detecting motion, a camera can automatically trigger an alert through the alarm system just like a motion sensor

Cameras are available in a wide variety of models and features.

  • Analog or digital.  Digital cameras are better because they can connect to an NVR over a network, can be powered by PoE, and offer higher resolutions.  I do not recommend the use of an analog camera.

  • Resolution.  The resolution tells us how much detail we can see in the video feed and is measured in megapixels.  Security cameras are available in resolutions of up to 4K.  The resolution you require depends on the size of the area that you are watching – the higher the area, the greater the resolution. 

    You should choose a camera with a higher resolution than needed, and then reduce the video feed to a lower resolution.  If you find later that you require a higher resolution, you can always increase it without having to replace the camera.

  • Digital and analog zoom.  You should consider analog zoom when you are watching a large area but need to zoom in later to observe some details, such as a license plate.  You can’t zoom in to a video after it has been recorded, so take this into consideration when choosing a camera resolution.

  • PTZ.  Ability to Pan, Tilt, and Zoom.  PTZ is controlled by a motor inside the camera and allows you to move the camera around to observe other areas.  It is good when the camera’s field of view is not wide enough to see the entire area.  If you frequently need to move the camera, consider adding additional cameras, or replacing the cameras with wide-angle cameras.  There are 180-degree and 360-degree cameras on the market.

  • Optional heater for outdoor cameras.  Many cameras will not function in the cold.

  • Indoor and outdoor ratings (designed to withstand cold weather).  Choose a camera that can withstand the environment you are placing it in.

  • Water/dust ingression rating.  A camera will have a rating that is IPXX.

    • The first X is a number from 0 to 6 that tells us how resistant the camera is to dust

    • The second X is a number from 0 to 9 that tells us how resistant the camera is to water.


Most cameras are rated at least IP67 now, which means that they are completely dust proof and can be submerged in up to one meter of water.

  • Resistant to vandalism.  A camera will have a vandalism rating that is IKXX, where XX is a number from 01 to 10.  The higher the rating, the greater an impact the camera can take and keep functioning.

    Choose a camera with a rating of IK10.

    When you think about vandalism, consider that even though the camera might be solid, somebody could still spray paint it, cover it, cut the cable connecting it to the network,  point it in a different direction, unscrew it from the wall, or damage the mount.

  • Integrated speaker/microphone.  A speaker or microphone might be helpful.

  • Internal storage (some cameras contain flash memory and can directly record video, negating the use of an NVR). 

  • Night vision and low-light viewing.  Night vision is always necessary.

  • Shape.  Cameras generally come in two shapes: bullets and domes.  A dome camera conceals the lens so that intruders don’t know where it is pointed.  Dome cameras are more common in retail stores.

    Bullet cameras provide more of a visual deterrent, and larger bullet cameras usually can accommodate lenses that provide a large optical zoom.

The camera video feed is recorded onto a network video recorder (a dedicated device or a computer with video recording software).  The NVR can connect directly to (and power) each camera.  In a larger, distributed installation, the cameras and the NVR might connect to the corporate network and have an independent VLAN.  If we have a massive amount of video to store, we may create a shared directory on a storage appliance and connect it to the NVR.

The organization must decide how many days (weeks/months) worth of video they require.  This affects the amount of storage space required (and then also the size of the NVR required).  The amount of space required depends upon the

  • Quantity of cameras

  • Video resolution of each camera

  • Frame rate of each video feed

  • Whether the camera records 24/7 or only when the camera detects motion

Some cameras have built in storage capacity so that they can record more data even when the NVR is offline.  Some cameras can be cloud managed, where they upload their video to the internet.  This can consume substantial network resources.  A network may not be capable of uploading all the video generated by the cameras.

It is important to post signs stating that the facility is subject to video surveillance.  People who enter the facility should be required to sign a waiver indicating that they consent to the video surveillance and recording.

If you do not, you could be subject to a privacy lawsuit.  In addition, the video that you collect may be considered inadmissible in a legal proceeding.

If the facility is large, we might monitor it with a drone.  A drone can see people on the ground even if they can’t see it.  A drone is useful for monitoring things like a long fence or a forest.

Logs

Logs are used in conjunction with physical security controls.  The logs allow access/access attempts to be audited.

The logs should identify

  • The identity of the person who accessed the resource

  • The date and time that it was accessed

  • The resource that was accessed

  • How the identity of the person was verified and how the entitlement was verified

Each time a visitor enters or leaves a building, their entry/exit should be logged.  Each time a person enters a server room or other controlled space, their presence should be logged.  A log may be written or electronic.

Infrared Detection

Infrared detection identifies individuals and other objects through the heat patterns that their bodies generate.  IR can be integrated into a surveillance camera or can part of a standalone sensor.  IR detectors are more useful at night.

Industrial Camouflage

Industrial Camouflage is where we hide what is inside a facility so that we don’t attract attention.

Most data centers are unmarked.  You can drive by many data centers and not realize what is inside because there are no signs outside that say it is a data center.

Many phone companies house their switching equipment in buildings that look like office towers.

Security Guards

A security guard is a human who provides security.  The security guards may be stationed in key areas, may walk around, or may drive patrol vehicles.

Proper training is important.  A security guard who is not vigilant will not be effective.  Security guards who use excessive force, are disrespectful, or are perceived to be incompetent, will cost the company money, introduce legal liability, and damage its reputation.

Security guards may be outsourced from a company like G4S or Guarda.  There is no good reason to outsource, except for cost.  When renting security guards, it is important to ensure that the security company sends the same people each time, so that they become familiar with the premises.  Many companies outsource security so that they do not have to risk legal liability if (when) a security guard acts inappropriately.

A larger organization may be able to better train an internal security force, even with as few as 50 security guards.

The security guard’s most important tool is his brain.  Security guards also have other tools like guns, handcuffs, batons, and pepper spray, depending on the state/province that they are in.  The organization must decide if it should risk the liability and cost of training to supply security guards with weapons.

Artificial intelligence is no substitute for a human brain.  It is important to ensure that the security guard is aware of his surroundings.  A security guard who is complacent may be worse than no security guard at all.  Security guards are human and can be manipulated through social engineering techniques.

In general, a security guard is not a law enforcement officer.  A security guard is entitled to

  • Enforce the law when seeing an actual commission of a crime on the organization’s property

  • Use reasonable force to protect himself or another human being from physical harm or death

  • Use reasonable force to protect the physical property of his organization

  • Detain an individual who the security guard knows has committed a felony (an indictable offense in Canada), and promptly turn him to a law enforcement agent

  • Use reasonable force to prevent a trespasser from entering a secured facility

Security guards may also have dogs that can detect for food, drugs, or explosives.  Like a weapon, the use of a dog can also subject the organization to serious legal liability.

A security guard also keeps track of visitors

  • Signs visitors in and out

  • Verifies that the visitors are legitimate

  • Ensures that visitors have been briefed on the organization’s security and safety policies and that they are wearing appropriate personal protective equipment (PPE), if required

  • Escorts visitors to the appropriate locations

If the office is small, the role of the security guard may be given to the receptionist.  The receptionist can sign visitors in and out, but she probably won’t be able to tackle an intruder.  Since many people are working from home, the receptionist’s role can be outsourced to a robot.

When an area is critical, we might always have two people guarding the security desk.  This prevents a crooked security guard working alone from colluding with an intruder.

Locks

There are many types of locks.  Locks can be three things

  • Mechanical Key lock.  The mechanical key lock is used when there are only a limited number of keys required (such as a person’s office) and where it is not practical (or too expensive) to install electrical/network cabling and components for an electronic lock.  The mechanical lock is excellent for this. 

    The disadvantage is that the mechanical lock requires physically creating keys for each user.  If an individual loses a key or it is stolen, then the lock must be physically rekeyed.  All users must then receive new keys corresponding to the lock.

    A set of locks can be keyed with individual user keys and with a master key that opens all the locks.  If the master key is lost, then all the locks must be rekeyed.
     
  • Combination lock.  The combination lock is for low security but where there are multiple users.  The combination can be changed in the lock.  A combination lock may be electronic or mechanical.  Combination locks are frequently installed in lunchrooms and staffrooms.

  • Electronic lock.  The electronic lock is most important because it allows multiple people to access the system, and has the following features

    • Restrict access based on time of day

    • Restrict access based on location

    • Allow a user to access multiple doors and locations with a single key card

    • Use the key card in combination with multi-factor authentication

    • If the key card is lost or stolen it can be disabled without having to rekey the locks

In a mechanical key lock, there are two ways in

  • It can be broken.  The thief who is willing to break the lock is one who does not care if the entry is later detected (somebody who is stealing something like money).  The thief will break whatever is weakest – a nearby window, the door, or the lock.  Therefore, it is important to make sure that the building is physically secure, not just the lock.  The lock must be physically secure in that it cannot be broken or drilled.

    Many mechanical locks exist for bicycles and laptops.  These locks can be easily cut or broken.  They prevent only the most casual of thefts, and it is better to ensure that these items are never left unattended.

  • It can be picked.  The thief who wants to pick the lock is more sophisticated and does not want to be detected (somebody who is stealing data or planting a listening device/spyware).  Some locks can be bypassed due to poor design.  Otherwise, they can be broken or picked depending on how they are designed.

    What I learned from the Lock Picking Lawyer (on YouTube) is that every lock can be picked.  The question is, how long will it take?  The longer it takes to pick a lock, the more time there is to catch the intruder.  If we combine a lock with a motion sensor or security camera that is being actively monitored, then it is less likely that an intruder will gain access.  This is what we mean when we say that security comes in layers.

An electronic lock cannot be picked, but some can be bypassed

  • Hacking into the electronic system that manages the lock, and commanding it to open the door

  • Creating a replica of a valid key card and using it to gain access

  • Using a magnet to unlatch the door (some electronic door locks contain magnets that are easily bypassed)

Cable Locks

A cable lock is a lock that secures a computer or other hardware to a desk or other physical furniture.  Most computers, monitors, and docking stations have ports that accommodate a cable lock.  The cable lock is inserted into the port, wrapped around a physical piece of furniture (such as table leg), and then locked. 

A cable lock can be easily cut with a bolt cutter, and only provides protection against casual theft.  Some cable locks are alarmed and will trigger an alert when cut.

There are also locks that can alarm when the computer is moved.  An example is a mount for an iPad, which has sensors that alert when the mount is lifted.

Safe

A safe protects valuables against fire and intruders.  The safe can be opened with

  • A numeric combination

  • A key

  • A key and a numeric combination

Safes come in many sizes.  The larger safes are called vaults.  The safe can also be connected to an alarm, which can be triggered if the safe is opened.  Many jewelry stores have two separate alarm sensors connected to their safes (and possibly two separate alarm systems provided by different vendors).  This eliminates a single point of failure in the alarm system.

The safe is subject to

  • Fire.  It is important to choose a safe that is rated to withstand at least one hour of fire. 

  • Physical removal.  Thieves will first attempt to steal the entire safe and crack it later.  It is important to bolt the safe down to the ground so that it cannot be stolen.

  • Damage.  Thieves will try to break through the safe.  On many safes, it is difficult to pry open the door with a crowbar, but it is easy to cut through the side walls.  Many safe manufacturers put a lot of effort into reinforcing the door, but very little effort in reinforcing the walls.

  • Cracking.  Many safes are flawed in their design, either through poor design or gaps in the door.  Some safes can be cracked by inserting a magnet or small pry bar tool inside this gap.  It is important to choose a safe that cannot be cracked easily.

Secure Cabinets/Enclosures

A secure cabinet/enclosure can hold items or documents.  It is not as secure as a safe but can protect against unauthorized access.  Secure cabinets are designed to protect large volumes of documents.

Protected Distribution/Protected Cabling

Protected distribution ensures that the network cables are physically secure.  An intruder could physically penetrate a data cable and hijack a connection such as a camera or a printer.  This is an unlikely scenario, but still possible.

Cables should be protected against damage.  They should be installed inside conduit and cable trays.

It is important to physically secure devices such as cameras and wireless access points (which can be hidden inside the ceiling space). 

It is also important to not patch in cables that are not in use.

Lighting

Proper lighting is important for

  • Physical safety of people walking.  Hazards can be illuminated.  It is important to provide bright lights on all entrances and walkways

  • Making things visible.  Intruders and criminals are more tempted to access buildings at night.

  • Emergencies.  Emergency lighting is necessary and may be required under various building codes.  Emergency lighting is battery-operated and activates in the event of a power outage.  It ensures that people can always see their way out.  Bad people can hide in dark corners and then sneak into the building or mug people walking by.

Smart Card Authentication

A Smart Card is a credit card sized device with a microchip.  The smart card can hold a certificate issued by the organization.  The certificate is associated with the user account.

How does it work?  Typically, the user inserts his smart card into the smart card port on his laptop or desktop computer (you can purchase a keyboard with an integrated smart card reader).  The Smart Card then presents its certificate to the server, and the user is authenticated.  Authentication may take place with the following credentials

  • Smart Card alone identifies and authenticates the user
  • Smart Card and PIN entered by user
  • Smart Card and username entered by user
  • Smart Card, username, and password entered by user

Biometrics

Physical access control can be combined with biometric factors to improve security.  Biometrics are better because a physical access card can be lost or stolen, in which case, an unauthorized user can use it to gain access.

A biometric device takes a photograph of a human bodily attribute (or generates a sound file) and then converts it into a mathematical model.  For example, a fingerprint reader might understand the bumps and ridges on a fingerprint and compares their relative sizes.  There are many different algorithms that each biometric device can use, and each one is different.

A biometric reader does not (and cannot) create a pixel-by-pixel comparison of a person.  Imagine taking a photograph of your face 100 times.  Each photo will be slightly different.  The lighting, the reflection, the angle of your head, and the position of your hair will be slightly different each time.  That is why we must use a mathematical model to obtain an approximation.  That is also why you must scan your fingerprint multiple times when you first register it.  The device must view and analyse your fingerprint from multiple angles to obtain a clear idea of what it looks like.

Biometrics are not perfect.  Most biometrics have a false positive because of the algorithm.  The false positive rate in a fingerprint reader is approximately 1 in 50,000.  It varies from device type to device type.  That is why many phones lock after several invalid fingerprint scans but continue to be unlocked with a password.

There are different types of biometric errors.  We may be able to adjust the sensitivity of a biometric device to allow more errors of one type or another.

  • False Acceptance Rate.  A false acceptance is when an invalid user is authenticated.  If the false acceptance rate is increased, more legitimate users will be accepted, but many unauthorized users will also be accepted.  If too many legitimate users are being rejected, we might want to increase the False Acceptance Rate.

  • False Rejection Rate.  A false rejection is when a valid user is rejected.  If the false rejection rate is increased, more unauthorized users will be rejected, but many more authorized users will also be rejected.

  • Crossover Error Rate.  The Crossover Error Rate is when the False Acceptance Rate and the False Rejection Rate are equal.  An administrator can adjust the system’s rejection threshold so that the two rates are equal.  At the Crossover Error Rate, the system operates efficiently.

Some types of biometrics

  • Fingerprints

    • A fingerprint scanner maps a person’s fingerprint and converts it into a mathematical signature.  This signature is stored.

    • It later compares new scans to the original mathematical signature.

    • Advanced fingerprint scanners can verify that a real finger has been scanned (as opposed to a mold of a finger)

    • Each time the user scans his fingerprint, advanced scanners can “learn” more about the fingerprint and update their model.

    • Fingerprint scanners are cheaper than other biometric sensors

    • Fingerprint sensors are integrated into many smartphones

    • There are limitations because we can’t authenticate people who are missing fingers

  • Retinal Scan

    • A retinal scan uses a laser to examine the blood vessels in the back of the eye.  No two people have the same retinal pattern.

    • Retinal scans are unpopular because they require a user to have a laser shined into his eye; the user must also put his eye up against the sensor

  • Iris
  • An iris scan photographs the front of the eye from a distance.  No two people have the same iris scan.  The scanner develops a mathematical model of the patterns in the iris.

    • If we look at a photograph of a human iris, we can see patterns created by melanin pigments.  No two people have the same pattern.


    • Iris scanners are more popular than retinal scanners and are considered the best biometric.  Why?

      • A fingerprint gets worn out over the years, especially in people who use their hands for work.  That makes it more difficult to read fingerprints in older people.  The iris is well protected by the cornea and the eyelid, so that it does not wear out.  The iris continues to appear the same after many decades.

      • The shape of the iris is predictable.  It is usually circular and flat.  That makes it better than facial recognition because faces come in many shapes.

      • Most of the iris recognition devices use an algorithm called IrisCode.  IrisCode is so good that even if an iris scan has only a 74% match to the original, it can be declared a match.  That means that any two irises in the world differ by at least 26%.

      • The iris sensor can work in low light conditions.  It can identify a person who is wearing sunglasses and standing in a dark room.

      • A person can scan his iris without touching anything, unlike a fingerprint reader.


  • Voice Recognition

    • Voice recognition measures traits in your voice such as accents, pauses, tone, and volume to identify you.

    • The voice recognition may require you to repeat the same phrase each time, or you may be permitted to say anything you want.

    • Voice recognition is difficult to implement, but the technology is improving.

    • Some banks and phone companies are using voice recognition to authenticate customers over the phone.

    • Voice recognition sensors have a high rate of false positives and false negatives

  • Facial Recognition

    • Facial recognition scans features that are present on the user’s face.  A facial recognition algorithm might analyse the size, shape, and/or location of a person’s lips, eyes, and/or nose.

    • The software must be able to separate the face from its background.  It must also be able to filter items such as glasses.

    • Facial recognition may function in 2D or in 3D.

    • Facial recognition is integrated into many newer smart phones and computers.  It does not require specialized hardware, only software and a camera.  Facial recognition in computers and smart phones has a much higher error rate than that of dedicated hardware.

    • Facial recognition is integrated into many surveillance camera software applications, especially those used by law enforcement.  It can be linked to crawlers that analyse social media posts to positively identify a person.

    • Some American cities have banned the use of facial recognition by law enforcement.

    • Facial recognition systems work well

  • Vein

    • Vein biometrics uses a scanner to view the vein pattern in a person’s hand.  The device shines a near-infrared light-emitting diode at a person’s hand and views the image.

    • The technology is still under development.

  • Gait Analysis

    • Gait Analysis identifies a person by the way that he walks

    • The science of gait analysis is still under development, and it is not clear how accurate it is

    • One benefit (limitation) of gait analysis is that we can use a camera to identify people without their consent or knowledge

Magnetometer & X-Ray Machine

We might want to screen employees and visitors on their way in and out.  We screen people on their way in to make sure they do not bring weapons or unauthorized electronics.  We screen people on their way out to make sure they did not steal any assets or data.

Logical Security

Physical security is only the first layer in a multi-layer security scheme.  The second set of security principles involves software and policies.  It includes

  • Least Privilege.  We should assign each employee only the minimum privileges that he requires to do his job.  That could include

    • Only access the shared files in his department or role

    • Only access programs that are in use by his department or role

    • Only access offices or buildings that he needs to perform his work and during the time that he is scheduled to work

    • Only access tools, vehicles, and equipment that are required for him to do his job

  • Access Control Lists.  There are different models for access control in an organization.  The specific control chosen depends on the needs of the organization, the type of data being protected, and the type of users.  An organization may implement multiple access control models.

Access Control permissions usually relate to being able to read, write, delete, and/or modify a file, and list contents of a folder.  Additional, more extensive permissions, can apply to a database (such as the ability to read, write, delete, or modify entries in a database, create tables in a database, or create users in the database).

The permissions can apply to the entire system or granularly to specific files.

  • Multifactor authentication (formally two-factor authentication) is important.  The three main factors are Something You Are, Something You Have, and Something You Know.  Basic authentication methods combine Something You Have (a username/access card) with either Something You Know (a password) or Something You Are (biometric).
  • Something You Are – something you are refers to a biometric identity such as facial recognition, fingerprints, voice recognition, or a retinal scan.  Select the best type of biometric for your environment.

    • Something You Have – something you have refers to a smartcard, identification card, or username; it could also refer to a randomly generated password (such as an RSA SecurID or authenticator app)

    • Something You Know – something you know refers to a password or PIN

    • Somewhere You Are – somewhere you are refers to your physical location.  In the case of connecting to the internet, somewhere you are is your IP address. 

      If a hacker compromises a username/password and logs in through a computer or network location that is not recognized, then the login may be denied.  Websites have sophisticated ways of detecting users – IP address, web browser version, computer version, date/time of the login, other user behaviors.  If the username/login is correct, but the other factors aren’t, it could be that the account was compromised, or it could be that the user is travelling/bought a new computer.  The site can ask the user for additional verification (such as through an automated phone call).

    • Something You Do – something you do is an observation of the user’s actions or behaviors.  In Windows a user can choose a picture password; in an Android phone the user can interact with a pattern.

    • Something You Exhibit – something you exhibit is a personality trait.  This is not very reliable.

    • Someone You Know – someone you know means that another person in your organization can verify your identity.  If you forgot your identification card at home, then security might give you a temporary pass if another employee verifies that you are who you say you are.

  • Software Token/Authenticator Application.  A software token is an app that generates a password (typically a six-digit code).  A new code is regenerated every 30 or 60 seconds.  The software token syncs with the login server.  When a user logs in, they must enter their username, password, and the code shown on the token.  The token prevents unauthorized users from logging in, even if they have the correct username and password, because they won’t be able to guess the current token code.

  • Hardware Token.  A hardware token is just like the software token, but in a physical format like one that can fit on a keychain.

  • Short Message Service (SMS).  If a user doesn’t have a token, then the server can send them a code via text message.  The user must enter the correct code to log in (in addition to the username and password).

    SMS is not a good authentication method because SMS is not a secure method of communication.  A good hacker who already has your username and password can probably gain access to your SMS messages.
     
  • Voice Call.  If the user does not have access to a token or SMS messaging, then the server can send them a code via a voice call.

Mobile Device Management (MDM)

One way that we can ensure our mobile devices are secure is through MDM or Mobile Device Management.  Some of the things that MDM can enforce

  • Application Management.  We can restrict the types of applications that a user can install.  We can also force the phone to download and install specific applications, prevent a user from installing any new applications, or prevent a user from uninstalling any existing applications.

  • Content Management.  We can control the type of data stored on the phone and we can set policies based on the type of data.

  • Remote Wipe.  If the phone is lost or stolen, then we can erase it.  The server sends the phone a signal to wipe it.  If the phone is not connected to a network (if it is turned off, or if the thief has disconnected the network), then the remote wipe command will not reach the phone.

  • Geofencing.  We can restrict the geographic areas where the phone can function.

  • Geolocation.  We can track the physical location of the phone.

  • Screen Locks.  We can force the phone to lock after a period of inactivity.

  • Push Notifications.  We can send notifications to the phone.

  • Passwords and PINs.  We can force the user to set a password and/or PIN, and we can enforce password complexity.

  • Biometrics.  We can force the user to set a biometric lock on the phone.

  • Context-Aware Authentication.  Context-aware authentication uses artificial intelligence to predict whether a user is legitimate or malicious.  If the system believes that the user is legitimate, then the authentication gives the use access.  If the system suspects that the user is malicious, it might request an additional form of authentication (2FA).

  • Containerization.  We can separate business applications from personal applications so that they do not share data.

  • Storage Segmentation.  We can separate business data from personal data.

  • Full Device Encryption.  We can force the phone to encrypt its entire contents.  This is a standard feature on most Android and Apple phones.


Mobile Devices

Some components that keep mobile devices secure

  • MicroSD Hardware Security Module (HSM).  A MicroSD HSM is a Smart Card that is in the shape of a MicroSD card.  We can insert the MicroSD card into our Android phone and now we have access to our security keys.

  • MDM/Unified Endpoint Management (UEM).  UEM is an application that allows us to enroll, provision, and secure end user devices.  We first create a template that includes configuration, device names, and applications.  Then we enroll the end user devices.  The UEM automatically pushes the necessary configuration onto the devices.

    For example, we might configure the devices to download the Microsoft Outlook App, have a password of at least ten characters, and encrypt all the data.  Anytime we enroll a new smartphone, UEM automatically forces that phone to install the Microsoft Outlook App, enforces a password, and encrypts the device data.

  • Mobile Application Management (MAM).  MAM takes MDM a step further by allowing an administrator to configure specific application settings.

    An example of MAM is Microsoft Intune.  Some of its features

    • Automatically install apps on a user device

    • Configure installed apps

    • Encrypt company data in installed apps

    • Erase company data in installed apps.  That means that a user can use the same app for business and personal, and keep the data separated.

    • Update apps

    • Install proprietary apps (company-created apps that are not in the app store)

  • SEAndroid.  Also known as Security Enhanced Android or Security Enhanced Linux in Android or SELinux.  SELinux is a tool that allows an administrator to lock down a mobile Android device.  This protects the device and the user from malicious applications that exploit security holes.

    SELinux can do one of two things – deny an app any action that is not explicitly permitted (enforcing mode), or simply log any action that is not explicitly permitted but permit it anyways (permissive mode).  In permissive mode, we can review the logs to later determine whether specific actions should be prohibited.



Some Ideas About Active Directory

Active Directory is a system developed by Microsoft for centrally managing user accounts and devices.  We can use Active Directory to improve the security of our devices.  Some ways that we can structure Active Directory include

  • Login Script – a login script is a script that automatically runs when a user logs in (it could perform tasks such as mapping network drives, setting a default printer, or running specific programs)

  • Domain – a domain authenticates users and ensures that they have permission to log in.  Each Active Directory device and user must be a member of a domain.

  • Group Policy/Updates – group policy controls what a user can and can’t do.  For example, group policy can block access to specific programs, force a computer to connect to a specific Wi-Fi network, or prohibit users from installing applications. 

    We can assign a user to one or more Security Groups, and we can assign policies to each group.  A user will inherit the policies assigned to the groups that they are in.

  • Organizational Units – device and users can be assigned to organizational units.  For example, an organization may have Accounting, Engineering, Management, and HR, each of which has different permissions and settings.

  • Home Folder – a home folder contains the user’s personal files (Documents, Desktop, Music, Photos, and Videos).  Some policies prevent users from saving files anywhere except in the home folder.  A user can only access files in his own home folder. 

    Because Active Directory has centralized logins, a user can log in to any computer that is connected to the Active Directory domain.  A user’s home folder does not move from computer to computer – if a user logs in to multiple computers, each one will create a home folder for that user, and they will not sync. 

    An administrator can configure Active Directory to map users’ home folders to a server.  In that case, a user will see the same files in their home folder regardless of which computer they log in to.  However, they will require a network connection to view or modify any files.  This is known as Folder Redirection.