This lesson presents material from chapter 4. Objectives important
to this lesson:
Equipment controls
Area controls
Facility controls
Personal safety controls
Physical access controls
Avoiding physical security threats
Defense in depth
Concepts:
Chapter 4
The chapter begins with a list of controls that are typically used to
control access to hardware:
passwords for workstations and networks
passwords for screen savers (that lock the computer) and for session controls
encrypted data on storage devices
security controls for other devices that attach to networks, e.g. printers,
fax machines, scanners, IP based phone systems
The text elaborates on the idea of encrypting all storage devices, making
the argument that encryption requires more work from the processor that
will process data to and from the device. This is true, but it only means
that we need to buy better processors when we think about security. It
also tells us that there may be no need for encryption if the storage
devices (typically HDDs or SSDs) never leave a physically secure area.
That is a pretty big "if". I know of instances in which entire
rooms full of computers were stolen by merely competent thieves, which
led to policies about all hard drives having to be encrypted.
The text warns us specifically about thumb drives (a.k.a. flash
drives, memory sticks, key memory, etc.), which pose two risks.
Our own flash drives can easily be misplaced or stolen, so encryption
of data is the best policy. Drives belonging to an attacker may be left
for our staff to find, and autorun programs can begin an attack on our
systems upon insertion in a computer.
When storage devices are retired, it is best to remove all data from
them. The text lists three common methods, including various kinds of
data wiping, overwriting all bits with zeroes (zeroization),
and degaussing (removing all magnetic images on a disk). The text
also mentions that these methods are not always successful, but total
destruction of the device is. In the same section, the text mentions
that optical storage (CDs, DVDs, etc.) should be destroyed instead of
being put in a trash bin.
On page 84, the text turns to physical area controls. The text warns
us that an attacker who has physical access to a computer may be able
to boot it with a flash drive, defeating the controls that are part of
the device's intended operating system. As such, we need to consider physical
area controls which are concerned with placing a boundary
around some area, whether it is a room, a building, a complex, or a larger
site. A basic concern for any room is a door with a lock, assuming that there
are walls that prevent access other than by the door. For a larger area, we
might start with a fence and locked or guarded gates.
We should also consider landscaping, which many of us would ignore. It is
better not to ignore it. Lovely trees that someone decides to plant around
our fence may provide a route over that fence. Another text suggests that
plants with strong thorns would be a better deterrent.
I had the pleasure once of visiting a facility that took a different
approach. There was no sign outside
the building, no number on it,
and no indication that it was a secure facility. The perimeter was fenced,
and gated, and the gate was operated
remotely by a guard. The fence was surrounded by tall slender yews,
which blocked the view of the perimeter from both sides. They were also
frail enough that no one could climb them. Yes, they made it difficult
for people inside to watch what was happening outside the fence that surrounded
the building. However, the intention was to block the view of the building
from outsiders, and to draw no attention. Huge trees with nasty thorns
are unusual and they might draw the attention of someone with an eye for
what looks odd. Yews are just nice landscaping. A good way to keep a secret
is to never hint that the secret even exists. That perimeter followed
that logic. Sometimes, the secret is no longer a secret, in which case
the mesh density chart on page 86 may apply. Remember, however, that a
tall, very secure looking fence can be a map marker to an attacker instead
of a deterrent.
The text does not discuss visibility, which is what you think about when
you plan lighting and surveillance
cameras. Sometimes you need more lights because something you can't
remove casts a shadow. Sometimes you need another camera, because you
can't see through or around that thing the way it is. Your surveillance
system needs to cover what your guards need to see even if they do walk
around the interior or the grounds. They cannot be everywhere at once,
unless you have lots of guards.
The text mentions that tracking who enters a location and tracking who leaves
it are equally important. This is easier in a well run installation, where
you use the same protocols to enter and to leave. In most locations, people
are in more of a hurry to leave. The text suggests that keeping video records
of people entering and exiting can provide a post-event record if you can
live without a live stream of information. Sometimes the exit of a person is
the more important event, as in the text's example of a day care center, and
also in some hospitals and most prisons. The text warns us that exit points
must be watched carefully in such cases. It should add that we must watch the
known exit points, and also be watchful for unintended exits that those
seeking them may discover.
If you want to allow foot traffic, but restrict the approach of vehicles,
you should consider the text's recommendation to use bollards. You may not
know the word, but you have probably seen these posts in parking lots or
outside buildings. A web page linked from this lesson defines them as being
available in several types: visual guides, physical barriers, flexible, and
decorative. The text is most concerned with the physical barrier type, which
may simply be a painted concrete and steel post, or it may have a decorative
cover to make it look less like a barrier. Locations that need frequent
vehicle traffic but must be able to restrict it in an emergency may lead us
to install bollards that are retractable.
The text continues with a discussion of physical access controls inside
buildings. The text recommends that guards and cameras should
be made visible in general work areas, to act as deterrents to unwanted
behavior. Barriers between general work areas and sensitive areas
should be clearly defined. The text mentions banks as a common
example of businesses with areas for the general public, and areas that
are for staff only. Banks often have high counters, gates, security barriers,
guards, and bullet resistant glass or plastic barriers between staff and
customers. Data centers do not generally provide service to the public, but
it is not uncommon for a data center to share a building with another service
from your company that does invite customer traffic. When this is the case,
there must be controls to prevent access by people who should not have it.
Consider this list of major physical controls, which are full or partial
solutions to making a location a secure facility.
walls, fences, and gates - obvious barriers make it clear to people that
they are not allowed to walk beyond a certain point; gates are obvious
points of access, but they are also filter points if you require staff to
show permission to pass through them; these apply to external and internal
environments
guards - putting a guard on a gate, a door, or an asset allows you to set
rules for passage and usage that can be interpreted by a human being or
referred to an authorizing level of management
dogs - guard dogs should probably appear as a subset of guards, whether they
are working with handlers or left to patrol a sealed environment; a dog can
sense things (noises, aromas) that a human guard cannot
ID cards (badges) - can be just a token or a photo ID, and may have a
magnetic stripe, a computer chip, or an RFID tag; ID cards are both a proof
of authorization and a problem: they need to be collected when an employee
leaves their job, regardless of who decided they were leaving; tailgating
is the practice of passing through a door that senses an authorization code
by following someone who actually has authorization when you a) forgot
yours, b) decided to be lazy, or c) are not authorized; it is the last
variation we worry about, so some secure centers require that everyone
passing a control point show their badge to the sensor to count heads; the
text mentions the use of ID operated turnstiles, which are effective in
metering traffic (see below)
doors - doors come in various designs and strengths; the text mentions
several varieties and explains that the door is only one component of a
doorway, which also depends on the doorframe, the surrounding walls, the
floor, and the ceiling above it
locks - as indicated above, some locks are opened with credentials; some
locks require a key, and others require the intervention of an operator
(e.g. guard, receptionist); there are also biometric locks
Two terms you will encounter about locks need an explanation. They have to
do with electronic lock failure. A door that stays locked if the electronic
lock fails has a fail-secure lock. A door that becomes unlocked if the
electronic lock fails has a fail-safe lock. Since safe and secure are usually
synonyms, this makes no sense. The practical difference is who or what is
protected when the power goes out: a fail-safe door lets the people inside
get out, while a fail-secure door keeps the asset behind it locked away. You
just have to know which is which, so you do not expect the wrong behavior
from your devices when there is a power failure.
mantraps - a vestibule or airlock with two doors that both lock if someone
tries to pass through the second door to a secure area and fails; the idea
is to alert security to a possible intrusion while containing the intruder
turnstiles - a common device used in multiples in locations where many
people need authenticated access to a site at the same time; the text
mentions their use in subway stations and theme parks, where the user
deposits a token or scans a magnetic card or an RFID badge to operate the
turnstile
video monitoring - allows recording of events, and also allows fewer guards
to watch over more areas by watching several screens at once; this typically
adds a delay to response time, and may only be useful for collecting data
after an event
alarm systems - commonly associated with the opening of a door, may be
triggered by sensors (motion, infrared, touch plates)
The text discusses several physical characteristics that are used
for enrollment and identification. It reminds us that some of these characteristics
change a lot between childhood and adulthood.
Fingerprints are characteristics that do not change with age.
Two aspects of fingerprints are scanned for identification:
Ridges - the raised parts of a fingerprint that
form its pattern of lines, called loops, whorls, and arches
Valleys - the lower areas between the ridges
These characteristics may be compared to a reference photo
of your fingerprint, or they may be compared to a capacitance
pattern. Ridges contact a capacitance scanning device,
valleys do not, which makes it possible to scan the fingerprint
in this way on a sufficiently dense scanner. Capacitance scanning is also
possible on some smart phones.
Matching with the reference data may be done on the pattern
of the fingerprint, or the pattern of the minutiae.
Minutiae are locations in a fingerprint where a ridge changes,
such as branching into two ridges, stopping at a dead end, or joining
another ridge.
Retina scans examine the inside, rear surface of your eye.
This is the surface that receives and interprets light. The idea is
to shine a light into your eye, and take a picture of the pattern of
blood vessels in that area which is believed to be a unique pattern
for each person. Eye surgery can affect this area, so it is not foolproof.
Iris scans examine the part of the eye that is usually blue,
brown, green, or other such colors. The pattern of the muscle in this
area can be scanned and matched. The text tells us this is less likely
to be affected by eye surgery, glasses, or contact lenses than a retinal
scan.
Hand geometry does what it sounds like: it measures the shape
of a person's hand, and may measure the ridges on that hand as well.
It occurs to me that changes in a hand are more likely with age, injury,
and arthritis than changes in fingerprints or eyes would be.
Facial recognition scans the
shape and location
of a person's facial features. The location of a feature is measured
in relation to other features, such as the distance of the eyes from
each other. As usual, these measurements are compared to saved reference
data.
This text does not discuss behavioral recognition, the other type
of biometric measurement. Several variations exist:
Typing is something people tend to do the same way each time,
given a similar console. Measurement is usually done on typing a known
phrase or typing your password. Your typing rhythm is different when
you are on a real keyboard as opposed to when you are trying to type
on a smart phone, but if measurements are taken on the same kind of
equipment each time, there can be a reliable consistency. Measurements
typically address the length of time keys are depressed and the time
between keystrokes. This assumes a standard keyboard, either rigged
for measurement or connected to software that is taking measurements.
This measurement has a high rate of false negatives, deciding that the
typist is not really the user in question. As you might imagine, there
are many problems that could change the way a person types.
Signature analysis does not measure the shape of a signature.
It measures the speed and pressure a person uses to write each letter,
which means it must be done on a pad that can measure that. Most art
pads are useful for this purpose. Like the typing measurement, it relies
on the user being able to enter the data in the same way each time.
Voice recognition involves having the user speak a set phrase
into a microphone, and relies on the physical shape of the user's mouth
and larynx to produce sounds that have unique wave properties. This
is not very secure. Members of the same family can often mimic each
other closely enough to fool such a system.
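The typing measurement described above, as an added example that is not part of the text or this lesson: dwell times (how long each key is held) and flight times (the gap between keystrokes) are extracted from constructed key-down/key-up events, compared with a template built from the user's enrollment samples, and accepted or rejected by a threshold. The phrase, the timings and the threshold are all assumptions made for the example.

```python
"""Keystroke dynamics: dwell time (how long a key is held down) and flight time
(gap between releasing one key and pressing the next), checked against an
enrolled template. All timings are constructed sample data, not real captures."""
from statistics import mean, pstdev
from typing import List, Tuple

Event = Tuple[str, int, int]  # (key, key-down time in ms, key-up time in ms)

# Constructed enrollment samples: the legitimate user typing the phrase "pass"
# three times on the same keyboard.
ENROLL: List[List[Event]] = [
    [("p", 0, 95), ("a", 150, 240), ("s", 300, 380), ("s", 440, 530)],
    [("p", 0, 100), ("a", 160, 245), ("s", 310, 395), ("s", 450, 540)],
    [("p", 0, 90), ("a", 145, 235), ("s", 295, 380), ("s", 435, 520)],
]
# Constructed later attempts: the same user, and someone else pecking slowly.
GENUINE_ATTEMPT: List[Event] = [("p", 0, 97), ("a", 155, 242), ("s", 305, 388), ("s", 445, 535)]
IMPOSTOR_ATTEMPT: List[Event] = [("p", 0, 140), ("a", 400, 520), ("s", 700, 830), ("s", 1000, 1110)]


def features(events: List[Event]) -> List[int]:
    """Dwell time of every key, followed by flight time between consecutive keys."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples: List[List[Event]]) -> List[Tuple[float, float]]:
    """Template: mean and spread of each feature over the enrollment samples.
    Spread is floored at 1 ms so a perfectly consistent feature cannot divide by zero."""
    columns = zip(*(features(s) for s in samples))
    return [(mean(c), max(pstdev(c), 1.0)) for c in columns]


def distance(template: List[Tuple[float, float]], attempt: List[Event]) -> float:
    """Average number of standard deviations each feature sits from the template."""
    return mean([abs(f - m) / sd for f, (m, sd) in zip(features(attempt), template)])


def verify(template: List[Tuple[float, float]], attempt: List[Event], threshold: float = 3.0) -> bool:
    """Accept when the attempt is within `threshold` deviations on average.
    Lowering the threshold is the text's 'more sensitivity': fewer impostors
    pass, but more of the real user's attempts are falsely rejected."""
    return distance(template, attempt) <= threshold
```

Running verify with a much smaller threshold (say 0.3) rejects even the genuine attempt, which is the false negative problem the text describes.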
The text changes topics to discuss problems with all of these
techniques. One is lack of user acceptance, which may be from lack
of familiarity, or from fear of the technology being used, such as the
one that scans a retina. Others have to do with the techniques
themselves:
False acceptance - This can also be called a false positive or
a Type II error. It means that the system accepts someone
as a known user who is not a known user. The text explains that
this can be caused by too little sensitivity in the scanner, which could
cause an iris scanner to see all users' blue-eyed scans as belonging
to a known user with blue eyes. Yes, we are all Paul Newman to that
system.
False rejection - This can also be called a false negative
or a Type I error. It means that an enrolled user is not
recognized. An example would be a fingerprint scanner rejecting
a user because there is something on the user's finger obscuring it.
This could happen on a capacitance scanner if something on the finger
changed its electrical properties, like a conductive fluid.
Crossover Error Rate (CER) - Now for the really good
news: all of these systems produce Type I and Type II
errors. We can reduce the rate of either type, but that
will increase the rate of the other type. More sensitivity
gives us more Type I errors. Less sensitivity gives us more Type II errors.
Users don't like Type I errors, and security staff don't like Type II
errors. The Crossover Error Rate is the point at which the rates of the two
kinds of errors are equal. A system in operation may be tuned to one side or
the other of the CER. In any case, the CER gives us a way to measure a system
on two scales at once.
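The Type I / Type II trade-off and the crossover point, worked through in code as an added example that is not from the text: match scores for enrolled users and for impostors are constructed sample data, and a sweep of candidate thresholds shows false rejection rising and false acceptance falling until they meet at the CER. The score scale, the threshold steps and the sample scores are assumptions.

```python
"""Biometric error rates from constructed match scores: false rejection
(Type I), false acceptance (Type II) and the crossover error rate (CER)."""
from typing import List, Tuple

# Constructed sample data, not output from any real scanner. Each score is
# how closely a presented sample matched the enrolled template (0..100).
GENUINE_SCORES = [88, 92, 75, 95, 81, 67, 90, 85, 72, 93]   # enrolled users
IMPOSTOR_SCORES = [40, 55, 62, 30, 71, 48, 58, 35, 66, 52]  # not enrolled
THRESHOLDS = list(range(0, 101, 5))  # candidate settings; higher = more sensitive


def false_rejection_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: an enrolled user scores below the threshold and is turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: an impostor scores at or above the threshold and gets in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold, in ascending order.
    FRR can only rise and FAR can only fall as the threshold goes up."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: List[int]) -> Tuple[int, float]:
    """Threshold where FRR and FAR are closest, and the shared error rate there."""
    t, frr, far = min(error_curve(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


def threshold_for_max_far(genuine: List[int], impostor: List[int],
                          thresholds: List[int], max_far: float) -> Tuple[int, float]:
    """Lowest threshold that keeps FAR at or below max_far (what security staff
    ask for), together with the FRR users will then have to live with."""
    for t, frr, far in error_curve(genuine, impostor, thresholds):
        if far <= max_far:
            return t, frr
    raise ValueError("no candidate threshold meets the FAR limit")


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"threshold {t:3d}: FRR {frr:.2f}  FAR {far:.2f}")
    print("CER (threshold, rate):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("No false accepts:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS, 0.0))
```

With these scores the curves cross at a threshold of 70 with both rates at 0.1; demanding zero false acceptance pushes the threshold to 75 and doubles the false rejection rate.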
What characteristics make good choices for biometrics? The characteristic
being measured must be something that all users have, that is unique to
each user, that will not change over time, and that can be scanned quickly
enough to operate an automated entry system.
The last section of the chapter is on page 99. Defense in depth
is a standard recommendation for people who protect systems. One way to
think of it is to use multiple defenses that we believe will not
be defeated by the same methods. Applying multiple controls in defense
of each asset, and choosing those controls with the idea that the surviving
ones must continue to work if any of them fail, is the lesson of this
principle.
The text lists three levels of defense against physical threats to a work
site to make the point. Some examples of defenses at each level are provided.
perimeter controls - the fences, gates, trees, and terrain
exterior controls - doors, locks, entrance scanners, and guards fit here
interior controls - interior doors, locks, and card scanners; policies that
restrict access to network assets
Assignments
This week you need to submit Lab 2. Assignment 2 and Part 2 of the
ongoing course project are due in week 5.