ITS 4210 - Access Control, Authentication, and PKI

Chapter 9, Physical Security and Access Control

Objectives:

This lesson discusses physical security issues. Objectives important to this lesson:

  1. What is physical security
  2. Designing a physical security plan
  3. Physiological and biometric controls
  4. Outsourcing physical security

Concepts:

Chapter 9

Designing a Plan
Perimeter security is concerned with placing a boundary around some area, whether it is a room, a building, a complex, or a larger site. A basic concern for any room is a door with a lock, assuming that there are walls that prevent access other than by the door. For a larger area, we might start with a fence and locked or guarded gates.

Yew treesThe text mentions landscaping, which many of us would ignore. It is better not to ignore it. Lovely trees that someone decides to plant around our fence may provide a route over that fence. The text suggests that plants with strong thorns would be a better deterrent.

I had the pleasure once of visiting a facility that took a different approach. There was no sign outside the building, no number on it, and no indication that it was a secure facility. The perimeter was fenced, and gated, and the gate was operated remotely by a guard who you called on an intercom. The fence was surrounded by tall slender yews, which blocked the view of the perimeter from the street. The trees were frail enough that no one could climb them. Yes, they made it difficult for people inside to watch what was happening outside the building. However, the intention was to block the view of the building from outsiders, and to draw no attention. Huge trees with nasty thorns are unusual and they might draw the attention of someone with an eye for what looks odd. Yews are just nice landscaping. A good way to keep a secret is to never hint that the secret even exists. That building's perimeter followed that logic.

Visibility is what you think about when you plan lighting and surveillance cameras. Sometimes you need more lights because something you can't remove casts a shadow. Sometimes you need another camera, because you can't see through or around that thing the way it is. Your surveillance system needs to cover what your guards need to see even if they do walk around the interior or the grounds. They cannot be everywhere at once, unless you have lots of guards.

The text mentions that tracking who enters and who leaves a location are equally important. This is easier in a well run installation, where you use the same protocols to enter and to leave. In most locations, people are in more of a hurry to leave. The text suggests that keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes, the exit of a person is the more important event, such as the provided example of a day care center, as well as in some hospitals and most prisons. The text warns us that exit points must be watched carefully in such cases. It should observe that we should watch known exit points, and be watchful for exits that those seeking them may discover.

If you want to allow foot traffic, but restrict the approach of vehicles, you should consider the text's recommendation to use bollards. You may not know the word, but you have probably seen these posts in parking lots or outside buildings. Follow this link to a web page that defines them as being available in several types: visual guides, physical barriers, flexible, and decorative. The text is most concerned with the physical barrier type, which may simply be a painted concrete and steel post, or it may have a decorative cover to make it look less like a barrier. Some locations that require frequent traffic with the need for restriction in emergencies may lead us to install bollards that are retractable.

The text continues with a discussion of physical access controls inside buildings. The text recommends that guards and cameras should be made visible in general work areas, to act as deterrents to unwanted behavior. Barriers between general work areas and sensitive areas should be clearly defined. The text mentions banks as a commonly available example of businesses with areas for the general public, and areas that are for staff only. Banks often have high counters, gates, security barriers, guards, and bullet resistant glass or plastic barriers between staff and customers. Data centers do not generally provide service to the public, but is not uncommon to have a data center share a building with another service from your company that does invite customer traffic. When this is the case, there must be controls to prevent access by people who should not have access.

On page 182, you will see a list of five classifications for government buildings, based on floor space, number of employees, amount of contact with the public, and shared space with other agencies. Note that the list is flawed. As we go from level I to level V, every one of the parameters increases, which will not always be accurate. We may need to increase one or two parameters, but not the others, which causes the list to fail to apply to all situations. Let's recognize this concept, but move on to the next one.

The text discusses data centers in a few paragraphs that give "dark" data centers more words than they need. You will not work in a dark center, because such locations are run remotely or by automated devices. You should be more concerned with data centers that employ staff if you are planning to work in one.

On page 183, the topic changes to authentication, specifically biometric authentication. We are reminded that biometrics include something you are and something you can do. The discussion starts with physical characteristics. In a way, this method works like a password, in that a user provides information for authentication, which is compared to data previously saved on the system.

  • The text refers to the process of sampling and saving the reference data as enrollment. A user must be enrolled in the system before that user can be authenticated by it.
  • Once a user has been enrolled, that user can authenticate with biometric data. The process of providing this data to a scanner to gain access is called identification.
Physiological and Biometric Controls

The text discusses several physical characteristics that are used for enrollment and identification. It reminds us that some of these characteristics change a lot between childhood and adulthood.

  • Fingerprints are characteristics that do not change with age. Two aspect of fingerprints are scanned for identification:
    • Ridges - the raised parts of a fingerprint that form its pattern of lines, called loops, whorls, and arches
    • Valleys - the lower areas between the ridges
      These characteristics may be compared to a reference photo of your fingerprint, or they may be compared to a capacitance pattern. Ridges contact a capacitance scanning device, valleys do not, which makes it possible to scan the fingerprint in this way on a sufficiently dense scanner. Capacitance scanning on some smart phones is a possibility.


      Matching with the reference data may be done on the pattern of the fingerprint, or the pattern of the minutiae. Minutiae are locations in a fingerprint where a ridge changes, such as branching into two ridges, stopping at a dead end, or joining another ridge.
  • Retina scans examine the inside, rear surface of your eye. This is the surface that receives and interprets light. The idea is to shine a light into your eye, and take a picture of the pattern of blood vessels in that area which is believed to be a unique pattern for each person. Eye surgery can affect this area, so it is not foolproof.
  • Iris scans examine the part of the eye that is usually blue, brown, green, or other such colors. The pattern of the muscle in this area can be scanned and matched. The text tells us this is less likely to be affected by eye surgery, glasses, or contact lenses than a retinal scan.
  • Hand geometry does what it sounds like: it measures the shape of a person's hand, and may measure the ridges on that hand as well. It occurs to me that changes in a hand are more likely with age, injury, and arthritis than changes in fingerprints or eyes would be.
  • Facial recognition scans the shape and location of a person's facial features. The location of a feature is measured in relation to other features, such as the distance of the eyes from each other. As usual, these measurements are compared to saved reference data.

The text moves on to behavioral recognition, the other type of biometric measurement. Several variations are discussed on pages 185 and 186.

  • Typing is something people tend to do the same way each time, given a similar console. Measurement is usually done on typing a known phrase or typing your password. Your typing rhythm is different when you are on a real keyboard from when you are trying to type on a smart phone, but if measurements are taken on the same kind of equipment each time, there can be a reliable consistency. Note that the text address the length of time keys are depressed and the time between keystrokes. This assumes a standard keyboard, either rigged for measurement or connected to software that is taking measurements. The text warns us that this measurement has a high rate of false negatives, deciding that the typist is not really the user in question. As you might imagine, there are many problems that could change the way a person types.
  • Signature analysis does not measure the shape of a signature. It measures the speed and pressure a person uses to write each letter, which means it must be done on a pad that can measure that, like most art pads. Like the typing measurement, it relies on the user being able to enter the data in the same way each time.
  • Voice recognition involves having the user speak a set phrase into a microphone, and relies on the physical shape of the user's mouth and larynx to produce sounds that have unique wave properties.

The text changes topics to discuss problems with all of these techniques. One is lack of user acceptance, which may be from lack of familiarity, or from fear of the technology being used, such as the one that scans a retina. Others have to do with the techniques themselves:

  • False acceptance - This can also be called a false positive or a Type II error. It means that the system accepts someone as a known user who is not a known user. The text explains that this can be caused by too little sensitivity in the scanner, which could cause an iris scanner to see all users blue-eyed scans as belonging to a known user with blue eyes.
  • False rejection - This can also be called a false negative or a Type I error. It means that an enrolled user is not recognized. The text offers an example of a fingerprint scanner rejecting a user because there is something on the user's finger obscuring it. This could happen on a capacitance scanner if something on the finger changed its electrical properties, like a conductive fluid.
  • Crossover Error Rate (CER) - Now for the really good news: all of these systems produce Type I and Type II errors. We can reduce the rate of either type, but that will increase the rate of the other type. The image on page 187 shows both error rates plotted on a graph's vertical axis, and the sensitivity of the system plotted on the graph's horizontal axis. More sensitivity give us more type I errors. Less sensitivity gives us more Type II errors. Users don't like Type I errors, and security staff don't like Type II errors. The Crossover Error Rate is the point on that graph where the rates of the two kinds of errors are equal. Note that the graph in the text is pretty symmetrical. This is not always the case: actual system performance may be skewed toward one side or the other for the CER. In any case, the CER rate gives us a way to measure a system on two scales at once.
  • Failure to enroll rate - This sounds like a fault of the user, but it is not. The failure in this case is the failure of the system to save a sample data set for a user. The total number of such failures divided by the total number of attempts to save enrollment information is the Failure to Enroll Rate.
  • Failure to capture rate - This refers to a failure of the system to create a useful data set for a user, such as not being able to scan the user's face due to a lens problem. The number of such failures divided by the total number of attempts to create enrollment information is the Failure to Capture Rate.
The text continues with some material that discusses what characteristics make good choices for biometrics. As it has already discussed, the characteristic being measured must be something that all users have, that is unique to each user, that will not change over time, and that can be scanned quickly enough to operate an automated entry system. The section is repetitive, so we will move on.

On pages 192 and 193, the text changes topics to discuss technological access control systems. It is a short list, so let's consider the items on it. This article on Wikipedia discusses some of the same physical locks.

  • pin tumbler lockWarded locks use wards which, we are told, are permanent projections inside a key operated lock that prevent a key from turning unless it is cut so that it avoids the wards. This sort of lock is the simplest one in the list and it can be picked easily, even with a thin key cut to miss most wards.
  • Tumbler locks are more common, and harder to pick because they require the key to push several pins, that are attached to springs, up to different correct heights. When the two-part pins are in the right position, each will allow the cylinder of the lock to turn. The picture on the right shows this kind of lock.
  • Combination locks - The combination locks most of us have used operate on a different system that makes them much harder to pick. Wheels inside the lock must align to make it possible to open the lock. The text warns us that electronic versions of these locks do not work the same way. They are really just password systems that use a number as the password.
  • Cipher locks - You can run a Google search on this kind of lock to see that there are many styles. The typically have several buttons that can stand for numbers or letters, and they can be set to open to most any combination of key presses that the user wants. The text explains that they can also work with swipe cards and with biometric sensors.

Image of a SecurID deviceA more interesting concept is in the middle of page 183, about fobs and tokens. Typically a fob may also be called a hard token, and I showed you a photo of one back in the notes for the first chapter. The text refers to the physical device as the fob and to the number it generates and displays as the token. This is also correct. This system can also be implemented in software on a computer, but the same concept is used: a one time only password is generated for an account, usually once a minute, on a device the user has and on a device on the periphery of a network that authenticates users. Different users have different passwords, so having one person's fob will not let you in as someone else.

Outsourcing

The chapter ends its new material with some thoughts about outsourcing physical security. Like other security issues, it may be best to outsource when your company is not big enough or experienced enough to do it right. It is also possible that the text is correct when it says that a guard from an outside company may have an easier time being strict about rules than one who works directly for your company. This may not be the case, but it is possible. The text offers a list of criteria that should be part of your evaluation process for an external security vendor on pages 194 and 195. You should review this list, and think about what else belongs on it.

 

Assignments

  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module