ITS 4550 - Fraud Prevention and Deterrence


Chapter 4, Physical Security

This lesson presents material from chapter 4. Objectives important to this lesson:

  1. Equipment controls
  2. Area controls
  3. Facility controls
  4. Personal safety controls
  5. Physical access controls
  6. Avoiding physical security threats
  7. Defense in depth
Concepts:
Chapter 4

The chapter begins with a list of controls that are typically used to control access to hardware:

  • passwords for workstations and networks
  • passwords for screen savers (that lock the computer) and for session controls
  • encrypted data on storage devices
  • security controls for other devices that attach to networks: e.g. printers, fax machines, scanners, IP based phone systems

The text elaborates on the idea of encrypting all storage devices, making the argument that encryption requires more work from the processor that will process data to and from the device. This is true, but it only means that we need to buy better processors when we think about security. It also tells us that there may be no need for encryption if the storage devices (typically HDDs or SSDs) never leave a physically secure area. That is a pretty big "if". I know of instances in which entire rooms full of computers were stolen by merely competent thieves, which led to policies about all hard drives having to be encrypted.

The text warns us specifically about thumb drives (a.k.a. flash drives, memory sticks, key memory, etc.), which pose two risks. Our own flash drives can easily be misplaced or stolen, so encryption of data is the best policy. Drives belonging to an attacker may be left for our staff to find, and autorun programs can begin an attack on our systems upon insertion in a computer.

When storage devices are retired, it is best to remove all data from them. The text lists three common methods, including various kinds of data wiping, overwriting all bits with zeroes (zeroization), and degaussing (removing all magnetic images on a disk). The text also mentions that these methods are not always successful, but total destruction of the device is. In the same section, the text mentions that optical storage (CDs, DVDs, etc.) should be destroyed instead of being put in a trash bin.

On page 84, the text turns to physical area controls. The text warns us that an attacker who has physical access to a computer may be able to boot it with a flash drive, defeating the controls that are part of the device's intended operating system. As such, we need to consider physical area controls which are concerned with placing a boundary around some area, whether it is a room, a building, a complex, or a larger site. A basic concern for any room is a door with a lock, assuming that there are walls that prevent access other than by the door. For a larger area, we might start with a fence and locked or guarded gates.

We should also consider landscaping, which many of us would ignore. It is better not to ignore it. Lovely trees that someone decides to plant around our fence may provide a route over that fence. Another text suggests that plants with strong thorns would be a better deterrent.

I had the pleasure once of visiting a facility that took a different approach. There was no sign outside the building, no number on it, and no indication that it was a secure facility. The perimeter was fenced and gated, and the gate was operated remotely by a guard. The fence was surrounded by tall slender yews, which blocked the view of the perimeter from both sides. They were also frail enough that no one could climb them. Yes, they made it difficult for people inside to watch what was happening outside the fence that surrounded the building. However, the intention was to block the view of the building from outsiders, and to draw no attention. Huge trees with nasty thorns are unusual and they might draw the attention of someone with an eye for what looks odd. Yews are just nice landscaping. A good way to keep a secret is to never hint that the secret even exists. That perimeter followed that logic. Sometimes, the secret is no longer a secret, in which case the mesh density chart on page 86 may apply. Remember, however, that a tall, very secure looking fence can be a map marker to an attacker instead of a deterrent.

The text does not discuss visibility, which is what you think about when you plan lighting and surveillance cameras. Sometimes you need more lights because something you can't remove casts a shadow. Sometimes you need another camera, because you can't see through or around that thing the way it is. Your surveillance system needs to cover what your guards need to see even if they do walk around the interior or the grounds. They cannot be everywhere at once, unless you have lots of guards.

The text mentions that tracking who enters and who leaves a location is equally important. This is easier in a well run installation, where you use the same protocols to enter and to leave. In most locations, people are in more of a hurry to leave. The text suggests that keeping video records of people entering and exiting can provide a post-event record if you can live without a live stream of information. Sometimes, the exit of a person is the more important event, such as the provided example of a day care center, as well as in some hospitals and most prisons. The text warns us that exit points must be watched carefully in such cases. It should also observe that we must watch the known exit points and stay watchful for other exits that those seeking them may discover.

If you want to allow foot traffic, but restrict the approach of vehicles, you should consider the text's recommendation to use bollards. You may not know the word, but you have probably seen these posts in parking lots or outside buildings. Follow this link to a web page that defines them as being available in several types: visual guides, physical barriers, flexible, and decorative. The text is most concerned with the physical barrier type, which may simply be a painted concrete and steel post, or it may have a decorative cover to make it look less like a barrier. Some locations that require frequent traffic with the need for restriction in emergencies may lead us to install bollards that are retractable.

The text continues with a discussion of physical access controls inside buildings. The text recommends that guards and cameras should be made visible in general work areas, to act as deterrents to unwanted behavior. Barriers between general work areas and sensitive areas should be clearly defined. The text mentions banks as a common example of businesses with areas for the general public, and areas that are for staff only. Banks often have high counters, gates, security barriers, guards, and bullet resistant glass or plastic barriers between staff and customers. Data centers do not generally provide service to the public, but it is not uncommon for a data center to share a building with another service from your company that does invite customer traffic. When this is the case, there must be controls to prevent access by people who should not have access.

Consider this list of major physical controls, which are full or partial solutions to making a location a secure facility.

  • walls, fences, and gates - obvious barriers make it clear to people that they are not allowed to walk beyond a certain point; gates are obvious points of access, but they are also filter points if you require staff to show permission to pass through them; these apply to external and internal environments
  • guards - putting a guard on a gate, a door, or an asset allows you to set rules for passage and usage that can be interpreted by a human being or referred to an authorizing level of management
  • dogs - guard dogs should probably appear as a subset of guards, whether they are working with handlers or left to patrol a sealed environment; a dog can sense things (noises, aromas) that a human guard cannot
  • ID cards (badges) - can be just a token or a photo ID, and may have a magnetic stripe, a computer chip, or an RFID; ID cards are both a proof of authorization and a problem: they need to be collected when an employee leaves their job, regardless of who decided they were leaving; tailgating is the practice of passing through a door that senses an authorization code by following someone who actually has authorization when you a) forgot yours, b) decided to be lazy, or c) are not authorized; it is the last variation we worry about, so some secure centers require that everyone passing a control point show their badge to the sensor to count heads; the text mentions the use of ID operated turnstiles, which are effective in metering traffic (see below)
  • doors - doors come in various designs and strengths; the text mentions several varieties and explains that the door is only one component of a doorway, which also depends on the doorframe, the surrounding walls, the floor, and the ceiling above it
  • locks - as indicated above, some locks are opened with credentials; some locks require a key, and others require the intervention of an operator (e.g. guard, receptionist); there are also biometric locks
    Two terms you will encounter about locks need an explanation. They have to do with electronic lock failure. A door that stays locked if the electronic lock fails has a fail-secure lock. A door that becomes unlocked if the electronic lock fails has a fail-safe lock. Since safe and secure are usually synonyms, this makes no sense. You just have to know which is which, so you do not expect the wrong behavior from your devices when there is a power failure.
  • mantraps - a vestibule or airlock with two doors that both lock if someone tries to pass through the second door to a secure area and fails; the idea is to alert security to a possible intrusion while containing the intruder
  • turnstiles - a common device used in multiples in locations where many people need authenticated access to a site at the same time; the text mentions their use in subway stations (see the image on the right) and theme parks where the user deposits a token or scans a magnetic card or an RFID badge to operate the turnstile
  • video monitoring - allows recording of events, also allows fewer guards to watch over more areas by watching several screens at once; this typically adds a delay to response time, and may only be useful for collecting data after an event
  • alarm systems - commonly associated with the opening of a door, may be triggered by sensors (motion, infrared, touch plates)
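Two of the ideas above (one badge read should admit exactly one person, and entries and exits should be tracked so that each badge alternates in and out) can be checked after the fact from the logs that badge readers and turnstile or beam counters already produce. The following Python script is an added example, not code from the textbook or the course; the log format, door name, badge ids, event names and the 10-second matching window are all constructed assumptions.

```python
"""Added example, not from the textbook: reconcile badge reads with a head
counter (tailgating) and check that each badge alternates IN/OUT (entry/exit
tracking). Log format, door names, badge ids and the time window are all
constructed assumptions."""
from dataclasses import dataclass

# Constructed log: "HH:MM:SS door event badge". PASSAGE lines come from a
# hypothetical beam or turnstile counter and carry "-" instead of a badge.
SAMPLE_LOG = """
08:00:01 DOOR-A BADGE_IN  alice
08:00:03 DOOR-A PASSAGE   -
08:00:20 DOOR-A BADGE_IN  bob
08:00:22 DOOR-A PASSAGE   -
08:00:24 DOOR-A PASSAGE   -        # second body on bob's read
08:05:00 DOOR-A BADGE_IN  alice    # alice is already inside
08:05:02 DOOR-A PASSAGE   -
09:00:00 DOOR-A PASSAGE   -        # door used with no badge read at all
12:00:00 DOOR-A BADGE_OUT bob
12:00:02 DOOR-A PASSAGE   -
12:00:05 DOOR-A BADGE_OUT carol    # carol never badged in
12:00:07 DOOR-A PASSAGE   -
"""

@dataclass
class Event:
    t: int       # seconds since midnight
    door: str
    kind: str    # BADGE_IN, BADGE_OUT or PASSAGE
    badge: str   # badge id, or "-" for a PASSAGE

def parse_log(text):
    """Parse the constructed log format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ts, door, kind, badge = line.split()
        h, m, s = (int(x) for x in ts.split(":"))
        events.append(Event(h * 3600 + m * 60 + s, door, kind, badge))
    return sorted(events, key=lambda e: e.t)

def find_tailgating(events, window=10):
    """Each badge read opens a 'cycle' at its door that lasts until the next
    read at that door. More than one PASSAGE counted inside the window is a
    possible tailgate; a PASSAGE with no badge read inside the window is a
    door used without any credential at all."""
    alerts = []
    cycles = {}   # door -> [badge event that opened the cycle, passages counted]

    def close(door):
        cyc = cycles.pop(door, None)
        if cyc and cyc[1] > 1:
            alerts.append((cyc[0].t, door, f"{cyc[1]} passages on one read by {cyc[0].badge}"))

    for ev in events:
        if ev.kind in ("BADGE_IN", "BADGE_OUT"):
            close(ev.door)
            cycles[ev.door] = [ev, 0]
        elif ev.kind == "PASSAGE":
            cyc = cycles.get(ev.door)
            if cyc is None or ev.t - cyc[0].t > window:
                alerts.append((ev.t, ev.door, "passage with no badge read in window"))
            else:
                cyc[1] += 1
    for door in list(cycles):
        close(door)
    return alerts

def find_passback_violations(events):
    """Anti-passback: a badge must alternate IN and OUT. Returns the list of
    violations and the set of badges still inside at the end of the log."""
    inside = set()
    alerts = []
    for ev in events:
        if ev.kind == "BADGE_IN":
            if ev.badge in inside:
                alerts.append((ev.t, ev.badge, "entered twice without exiting"))
            inside.add(ev.badge)
        elif ev.kind == "BADGE_OUT":
            if ev.badge not in inside:
                alerts.append((ev.t, ev.badge, "exited without a recorded entry"))
            inside.discard(ev.badge)
    return alerts, inside

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in find_tailgating(events) + find_passback_violations(events)[0]:
        print(alert)
```

On the constructed log this flags bob's read (two bodies went through), the 09:00:00 passage with no read at all, alice's second entry without an exit, and carol's exit without an entry. Notice that the two checks catch different things: a person who tailgates in will never trip the anti-passback rule, because they never badged, which is exactly why the text wants a head count at the control point rather than relying on badge reads alone.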

The text discusses several physical characteristics that are used for enrollment and identification. It reminds us that some of these characteristics change a lot between childhood and adulthood.

  • Fingerprints are characteristics that do not change with age. Two aspects of fingerprints are scanned for identification:
    • Ridges - the raised parts of a fingerprint that form its pattern of lines, called loops, whorls, and arches
    • Valleys - the lower areas between the ridges
    These characteristics may be compared to a reference photo of your fingerprint, or they may be compared to a capacitance pattern. Ridges contact a capacitance scanning device, valleys do not, which makes it possible to scan the fingerprint in this way on a sufficiently dense scanner. Capacitance scanning on some smart phones is a possibility.
    Matching with the reference data may be done on the pattern of the fingerprint, or the pattern of the minutiae. Minutiae are locations in a fingerprint where a ridge changes, such as branching into two ridges, stopping at a dead end, or joining another ridge.
  • Retina scans examine the inside, rear surface of your eye. This is the surface that receives and interprets light. The idea is to shine a light into your eye, and take a picture of the pattern of blood vessels in that area which is believed to be a unique pattern for each person. Eye surgery can affect this area, so it is not foolproof.
  • Iris scans examine the part of the eye that is usually blue, brown, green, or other such colors. The pattern of the muscle in this area can be scanned and matched. The text tells us this is less likely to be affected by eye surgery, glasses, or contact lenses than a retinal scan.
  • Hand geometry does what it sounds like: it measures the shape of a person's hand, and may measure the ridges on that hand as well. It occurs to me that changes in a hand are more likely with age, injury, and arthritis than changes in fingerprints or eyes would be.
  • Facial recognition scans the shape and location of a person's facial features. The location of a feature is measured in relation to other features, such as the distance of the eyes from each other. As usual, these measurements are compared to saved reference data.

This text does not discuss behavioral recognition, the other type of biometric measurement. Several variations exist:

  • Typing is something people tend to do the same way each time, given a similar console. Measurement is usually done on typing a known phrase or typing your password. Your typing rhythm is different when you are on a real keyboard as opposed to when you are trying to type on a smart phone, but if measurements are taken on the same kind of equipment each time, there can be a reliable consistency. Measurements typically address the length of time keys are depressed and the time between keystrokes. This assumes a standard keyboard, either rigged for measurement or connected to software that is taking measurements. This measurement has a high rate of false negatives, deciding that the typist is not really the user in question. As you might imagine, there are many problems that could change the way a person types.
  • Signature analysis does not measure the shape of a signature. It measures the speed and pressure a person uses to write each letter, which means it must be done on a pad that can measure that. Most art pads are useful for this purpose. Like the typing measurement, it relies on the user being able to enter the data in the same way each time.
  • Voice recognition involves having the user speak a set phrase into a microphone, and relies on the physical shape of the user's mouth and larynx to produce sounds that have unique wave properties. This is not very secure. Members of the same family can often mimic each other closely enough to fool such a system.

The text changes topics to discuss problems with all of these techniques. One is lack of user acceptance, which may be from lack of familiarity, or from fear of the technology being used, such as the one that scans a retina. Others have to do with the techniques themselves:

  • False acceptance - This can also be called a false positive or a Type II error. It means that the system accepts someone as a known user who is not a known user. The text explains that this can be caused by too little sensitivity in the scanner, which could cause an iris scanner to see all users' blue-eyed scans as belonging to a known user with blue eyes. Yes, we are all Paul Newman to that system.
  • False rejection - This can also be called a false negative or a Type I error. It means that an enrolled user is not recognized. An example would be a fingerprint scanner rejecting a user because there is something on the user's finger obscuring it. This could happen on a capacitance scanner if something on the finger changed its electrical properties, like a conductive fluid.
  • Crossover Error Rate (CER) - Now for the really good news: all of these systems produce Type I and Type II errors. We can reduce the rate of either type, but that will increase the rate of the other type. More sensitivity gives us more Type I errors. Less sensitivity gives us more Type II errors. Users don't like Type I errors, and security staff don't like Type II errors. The Crossover Error Rate is the point at which the rates of the two kinds of errors are equal. Actual system performance may be skewed toward one side or the other of the CER. In any case, the CER gives us a way to measure a system on two scales at once.

What characteristics make good choices for biometrics? The characteristic being measured must be something that all users have, that is unique to each user, that will not change over time, and that can be scanned quickly enough to operate an automated entry system.
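The trade-off between Type I and Type II errors is easier to see with numbers. The Python script below is an added worked example, not from the textbook: it takes constructed match scores from a hypothetical biometric matcher (higher score means a closer match), sweeps the acceptance threshold, which is what the text calls "sensitivity", and reports the false acceptance rate (FAR, Type II) and false rejection rate (FRR, Type I) at each setting, then locates the threshold where the two rates cross. The scores, the 0 to 100 scale and the function names are all assumptions.

```python
"""Added worked example (not from the textbook): sweep a match-score
threshold and locate the crossover error rate. All scores are constructed."""

# Constructed similarity scores (0-100) from a hypothetical matcher.
GENUINE = [62, 70, 75, 78, 80, 83, 85, 88, 90, 95]   # enrolled users vs their own templates
IMPOSTOR = [20, 30, 40, 45, 50, 55, 60, 65, 72, 80]  # other people vs those templates

def error_rates(genuine, impostor, threshold):
    """Accept a presentation when its score >= threshold.
    FAR (Type II, false acceptance): impostor scores that get accepted.
    FRR (Type I, false rejection): genuine scores that get rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sensitivity_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for each threshold: raising the threshold
    (more sensitivity) trades Type II errors for Type I errors."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Return (threshold, FAR, FRR) at the first threshold where the two
    rates are closest to equal; that FAR (== FRR) is the CER."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr

if __name__ == "__main__":
    for t, far, frr in sensitivity_table(GENUINE, IMPOSTOR, (50, 60, 70, 80, 90)):
        print(f"threshold {t:3d}: FAR {far:.2f}  FRR {frr:.2f}")
    t, far, frr = crossover(GENUINE, IMPOSTOR)
    print(f"crossover at threshold {t}: FAR {far:.2f} = FRR {frr:.2f}")
```

With these constructed scores a threshold of 50 accepts every enrolled user but also 60% of impostors, a threshold of 85 accepts no impostor but rejects 60% of enrolled users, and the two rates meet at 20% around a threshold of 71. A real deployment would pick a threshold on one side of that point depending on whether the site fears lockouts or intruders more, which is the skew the text refers to.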

The last section of the chapter is on page 99. Defense in depth is a standard recommendation for people who protect systems. One way to think of it is to use multiple defenses that we believe will not be defeated by the same methods. Applying multiple controls in defense of each asset, and choosing those controls with the idea that the surviving ones must continue to work if any of them fail, is the lesson of this principle.

The text lists three levels of defense against physical threats to a work site to make the point. Some examples of defenses at each level are provided.

  • perimeter controls - the fences, gate, trees, and terrain
  • exterior controls - doors, locks, entrance scanners, and guards fit here
  • interior controls - interior doors, locks, and card scanners; policies that restrict access to network assets

Assignments

This week you need to submit Lab 2. Assignment 2 and Part 2 of the ongoing course project are due in week 5.