Transcript - Cyber Law Consulting

Physical Security
& Biometrics
By Prashant Mali
Objectives
• To address the threats, vulnerabilities, and
countermeasures which can be utilized to physically protect
an enterprise’s resources and sensitive information to
include people, facilities, data, equipment, support
systems, media, and supplies.
• To discuss considerations for choosing a secure site, its
design and configuration, and the methods for securing the
facility against unauthorized access, theft of equipment
and information, and the environmental and safety
measures needed to protect people, the facility, and its
resources.
Session Agenda
1. Physical Access Threats and Exposures
2. Site Location and Design
3. Physical Access Controls
4. Environmental Protection
5. Audit And Evaluation of Physical Access Controls
Threat Components
• Threat Components
• Agents
• Motives
• Results
• Human Threats
• Theft
• Vandalism
• Sabotage
• Espionage
• Errors
• Blackmail
Human Threats
Exposures resulting by means of
• Unauthorized entry
• Damage, vandalism and theft of equipment or documents
• Copying, viewing, or alteration of sensitive information
• Public disclosure of sensitive information
• Abuse of data processing resources
• Blackmail
• Embezzlement
Human Threats
Possible perpetrators can be employees who are:
• Disgruntled or on strike
• Experiencing financial or emotional problems
• Threatened with disciplinary action
• Addicted to a substance or gambling
• Notified of their termination
• Hired by a competing company
Personnel Access Controls
• Position Sensitivity Designation
• Management Review of Access Lists
• Background Screening/Re-Screening
• Termination/Transfer Controls
• Counseling for Disgruntled Employees
External / Internal Threats
• External Threats
• Wind/Tornado
• Flooding
• Lightning
• Earthquake
• Cold and Ice
• Fire
• Chemical
• Internal Physical Threats
• Fire
• Environmental Failure
• Electrical Interruption
External / Internal Threats
• Are hardware facilities controlled to reduce the risk of
unauthorized access?
• Are hardware facilities reasonably protected against forced
entry?
• Are smart terminals locked or otherwise secured to prevent
removal of boards, chips, or the entire computer itself?
• Are authorized passes required before computer equipment
can be removed from its normally secure environment?
External / Internal Threats
Facilities to be protected:
• Computer room, operator consoles, and terminals
• Programming area
• Tape library, disks, and all magnetic media
• Storage room and supplies
• Off-site backup file storage facility
• Input / Output control room
• Power sources
• Disposal sites
Site Location and Design
• Local Crime
• Visibility
• Emergency Access
• Natural Hazards
• Air and Surface Traffic
• Joint Tenants
• Stable Power Supply
• Existing Boundary Protection (Barriers/Fencing/Gates)
Site Boundary Protection
• Area Designation: Facilitates Enforcement
• Vehicular Access
• Personnel Access
• Occupants
• Visitors (Escort & Logging)
• Fences
• Deter Casual Trespassing
• Compliments Other Access Controls
• Aesthetics
• Won’t Stop Determined Intruder
Site Boundary Protection
• Lighting
• Entrances
• Parking Areas
• Critical Areas
• Perimeter Detection Systems
• Does Not Prevent Penetration
• Alerts Response Force
• Requires Response
• Nuisance Alarms
• Costly
Site Boundary Protection
• CCTV (Closed Circuit TV)
• Efficiency
• Requires Human Response
• Limitations
• Staffing
• Access Control Points
• Patrols
• Employees
Physical Access Controls
• Guards
• Fences
• Barriers
• Lighting
• Keys and Locks
• Badges
• Escorts
• Property Controls
• Monitoring/Detection Systems
Physical Access Controls
Common Physical Access controls are:
• Computer Terminal Locks
• Video Cameras
• Security Guards, Alarm System
• Controlled Visitor Access
• Bonded personnel
• Confidential Location of Sensitive Facilities
• Controlled Single point of Entry and Exit
• Motion Detection System
Physical Access Controls
Common Physical Access controls are:
• Bolting Door Locks
• Cipher or Keypad Locks
• Electronic Door Locks
• Biometric Access Controls
• Deadman Door Locks
• Manual Logging, Electronic Logging
• Identification Badges
Environmental Protection
• Computing Facility
• Electrical Power controls
• Air Conditioning
• Fire Prevention, Detection, and Suppression
• Media Storage Protection
• Other Considerations
Audit and Evaluation
Check the location of:
• All operator consoles
• Printer rooms
• Computer storage rooms
• UPS/Generator rooms
• Communications equipment
• Tape library
• Off-site storage facility
Audit and Evaluation
Check the following paths of physical entry:
• All entry doors
• Glass windows and walls
• Movable walls and modular furniture
• Above false ceilings and below raised floors
• Ventilation systems
Keypad Locks
Electronic (Keypad Systems): Digital Keyboard
• Number of Combinations
• Number of Digits in Code
• Frequency of Code Change
• Error Lock-Out
• Error Alarms
Keypad Locks
Electronic Door Locks
The system uses a magnetic or embedded chip-based
plastic card to be used as a swipe card to gain access to
a restricted area.
• Through a special internal code, cards can be assigned
to an identifiable individual
• Individuals can be given selective access to areas based
on needs, time of day restrictions, etc.
• The cards should be difficult to duplicate.
• Card entry can be easily deactivated for terminated
employees or if a card is reported lost or stolen.
Access Controls - Dumb Cards
Dumb Cards
• Photo Identification Badges
• Manual Visual Verification
• Can be Combined with Smart Technology
Access Controls - Smart Cards
Digital Coded (Smart) Cards
• Often Require Use of PIN Number with Card
• Card Readers: Card Insertion, Card Swipe & Proximity
Types of Access Cards
• Photo ID Cards
• Optical Coded Cards (Magnetic Dot)
• Electric Circuit Cards (Embedded Wire)
• Magnetic Cards (Magnetic Particles)
• Metallic Stripe Card (Copper Strips)
Types of Access Cards
•
GemClub Memo has been winning the confidence of
application developers since 1998. GemClub Memo is the
proven and the secure Memory technology in the smart
card market, with several million of cards in the field and
100 live applications such as:
•
Public ( Transportation, driving license, health care, fleet
cards),
•
Reward (loyalty, Voucher, Pre paid...)
•
Access control (logical or physical).
•
Electronic purse (in closed payment schemes),
Biometrics - Access Controls
• Authenticating a user via human characteristics
• An individual’s unique body features such as fingerprint,
signature, voice, retina can be used to identify the
individual.
• Complicated and expensive
• Used for extremely sensitive facilities, such as in the
military
Biometrics - Access Controls
• Fingerprint/Thumbprint Scan
• Hand Geometry
• Voice Verification
• Retinal Scanning
• Iris Scanning
• Signature Verification
• Facial Recognition
• Keystroke Recorders
• Vein Biometric Systems
Fingerprint Verification

Fingerprint scanning products are the most common type
on the market today. Properly implemented, fingerprints
offer potential for high accuracy.

The readers tend to be small - easily incorporated into a
keyboard for example

Have a relatively low cost, and integration is usually easy.

Cuts or dirt on the finger can cause some systems not to
recognize a valid fingerprint.

Some fingerprint scanners will scan for pulse as well as
the fingerprint.
The State of Connecticut began using fingerprint
readers in 1996 to catch welfare cheats who came in to
pickup cheques.
The fingerprint scanners, which cost about $200 from
Identix Corp., use a digital camera to capture the
fingerprints. Imaging software from National Registry Inc.
is used to compare the scanned image with the one stored
on a server.
The $5.1 million project is said to have saved the state $9
million in welfare fraud.
DigitalPersona U.are.U Personal
DigitalPersona has released a new
version of its consumer-friendly
fingerprint reader, the
DigitalPersona U.are.U Personal.
The software replaces passwords
for Microsoft Windows XP, creating
a more secure and more
convenient solution for homes and
small businesses where one PC
serves many masters. Though not
perfect, the U.are.U is a troublefree convenience that will help
protect your privacy.
I/O Software, a California company, is marketing a
fingerprint ID system to control access to a computer right
after it is turned on, before booting.
Their system uses Sony’s Fingerprint Identification Unit,
which plugs into the serial port. If the fingerprint does not
match, the system stops the computer’s Basic Input Output
System (BIOS) from starting up.
Sony FIU-710
PC Magazine - The Puppy was the
only model we evaluated that
performed flawlessly on all of our
tests, enrolling and verifying 100
percent of our test subjects though we could enroll only 10
people on the Puppy, as opposed
to 100 on the other devices. Plus
we were able to shuttle it easily
among different PCs.
TimeCentre's BioMouse
It is the world's first mouse to offer
total PC and network security with
the touch of a finger!
Bring fingerprint recognition
technology to a workstation!
Positively identify who is accessing
the PC and who is clocking in each
day. The BioMouse can be used in
conjunction with TimeCentre's PC
entry and browser-based PC entry
system on a workstation or kiosk. In
a PC kiosk environment, the
BioMouse can insure the identity of
each valid user.
Hand Geometry

Hand Geometry measure the physical characteristics of the
user’s hand and fingers.

Hand geometry is one of the most established methods
and typically offers a good balance of performance and
ease of use.

Hand geometry is most widely used in physical access
control and time/attendance systems. It is not currently in
wide deployment for computer security applications
primarily because it requires a large scanner.
Biometric Hand Punch
TimeCentre's Hand Punch clocks
positively identify each employee by
the unique size and shape of his or
her hand, increasing the security and
accuracy of your company's time
data. It is the perfect balance
between security and convenience.
 Eliminates "buddy punching" and
guarantees the accuracy of your
punch data
 Eliminates early-in punches
 Eliminates unauthorized overtime
punches
No cards or badges are needed to
utilize the TimeCentre Biometric
Hand Punch. The employee's hand is
their time card!
Sensar is offering their iris recognition system to ATM
manufacturers as an alternative to passwords and PINs.
When a bank card is inserted into an ATM machine, a
stereo camera locates the person’s face, zooms in on the
eye, and takes a digital photograph of the eye. The
features in the eye are then compared with one provided to
the bank when the customer signed up.
All this can be done in less then two seconds at a distance
of up to 3 feet. The system is expected to add $2,000 to
$3,000 to the cost of an average ATM machine, which now
can cost up to $40,000.
Several banks are testing Sensar’s system, including banks
in the United States, United Kingdom, and Japan.
Voice Recognition

Voice Recognition is perhaps the method most desirable to
users since everyone seems to want to talk to computers.

In practice, implementation is extremely difficult. While recent
advances in voice recognition have greatly improved the
technology, it is still subject to problems.

Local acoustics, background noise, microphone quality, the
common cold, anxiety, being in a hurry, and anger can all alter
the human voice enough to make voice recognition difficult or
impossible.

Further, voice recognition systems tend to have the most
difficult and time-consuming enrollment process and require the
most space for template storage.
In February 1998, Periphonics Corp., a maker of
interactive voice response systems, announced they would
integrate voice identification into their automated call
processing applications. The system could be used by
banks and credit card companies which rely heavily on
interactive call systems.
When a customer phones for service, the system asks for a
password. The voice sample is then compared with one
taken during initialization. Periphonics says the error rate is
around 1% to 2%.
The attraction of voice recognition is that it can be
performed over the phone system without the need for
special cameras or other equipment.
Retinal Scanning

Retinal Scanning is well established and can provide high
accuracy.

User acceptance may be a problem however – “You’re not
shooting a laser into my eye!” In reality, retinal scanners do not
employ a laser, but scan using low intensity light and are
considered quite safe.

One drawback is that the user must look directly into the retinal
reader. This is inconvenient for eyeglass wearers.

In public applications, there may also be concerns with the
spread of germs because of the need for physical contact with
the retinal scanner.

Another problem is that the user must focus on a given point
for the scan. Failure to focus correctly causes a significant
impact on accuracy.
The EyeDentify® Biometric Retina
Reader provides dual level access
security. A keypad code requires
Retina pattern verification which
takes less than two seconds from up
to 3” away. Retinal vascular patterns
are the most accurate biometric
recognition features which provides
the highest level of biometric
security. Can be easily interfaced with
ECS Access Control systems or used
in stand alone applications.
Iris Scanning

Iris Scanning overcomes most of the problems of retinal
scanners.

Because the iris (the colored part of the eye) is visible from a
distance, direct contact with the scanner is not required nor is it
necessary to remove eyeglasses.

The technology works by scanning the unique random patterns
of the iris.

Interestingly, the method does not rely on the iris color (the
camera used is black-and-white). This is important because of
the popularity of colored contact lenses – some vendors claim
their systems will work with colored contacts and even through
non-reflective sunglasses.
Panasonic Authenticam
Iris Recognition Camera
In 1994, Iridian's John Daugman
introduced the concept of iris
recognition technology—capturing
the unique patterns in a human iris to
authenticate identity. Like
fingerprints, no two irises are alike.
The Authenticam verifies a user's
identity by scanning the person's iris
and matching the pattern with the
template stored at enrollment. Unlike
a retinal scanner, which captures
information necessary for
authentication by shooting a laser
beam into the eye while the user is in
contact with the device, the iris
scanner allows the user to be about
20 inches away from the camera.
Signature Verification

Signature Verification enjoys a synergy the other
technologies do not since people are used to signing for
things.

There is a greater feeling of normalcy. While signature
verification has proved to be relatively accurate, very few
products available implement the technology.
Facial Recognition

Facial recognition is one of the newest biometric methods.
The technology has attracted a lot of attention.

Unfortunately, extravagant claims that proved difficult to
substantiate cooled much of the enthusiasm.

It is not overly difficult to match two static images.

Picking an individual out of a group as some systems claim
to be able to do is another matter entirely.

Progress continues to be made with this young technology,
but to date facial recognition systems have had some
success in practical applications.
The FaceIT PC desktop software, which sells for $150,
is used on a PC with a video camera. The system
automatically detects human presence, locates and tracks
faces, and identifies people.
The recognition process, which is based on 64 features of
the face, takes less than a second. When the user steps
away from the computer, FaceIT becomes a screensaver
and locks the computer. The machine is unlocked only
when the computer detects and recognizes the user. Files
are secured through encryption.
The technology has been or will be used in other
applications, including ATMs, airport passenger and
baggage security, and border crossings.
Imagis' proprietary technology
uses more than 692 facial desciptors
to capture and identify a face. This is
ten times more than other
technologies.
At the very heart of Imagis'
technology is a unique method of
capturing facial data that is
intrinsically more accurate. Whereas
other solutions are limited through
their reliance on outmoded facial
recognition methods, Imagis uses a
combination of spectral analysis and
3-D modeling to locate and fit a face,
identifying over 692 facial descriptors
in the process.
Once a face has been identified, it is
converted into a deformable surface
model. This surface modeling allows
the face detection to work accurately
with an infinite number of face
shapes. Unlike other solutions, ID2000 works equally well with all races
and genders and is not fooled by a
change in hairstyles, or the growth/
shaving of a beard.
Once a face has been captured and
rendered, the software uses a
proprietary algorithm to produce a
wavelet that is unique to that image.
It is this wavelet (compressed and
encoded) that is used to make
comparisons quickly in both one-toone and one-to-many searches.
Vein Biometric Systems

Vein biometric systems record subcutaneous Infra Red
absorption patterns to produce unique and private
identification templates for users.

Veins and other subcutaneous features present large,
robust, stable and largely hidden patterns. Subcutaneous
features can be conveniently imaged within the wrist,
palm, and dorsal surfaces of the hand.

The technology is a vascular barcode reader for people!

The technology can be applied to small personal biometric
systems, generic biometric applications including
intelligent door handles, door locks etc.
Vein Biometric Systems
Vein pattern IR. grey-scale images are binarized, compressed and stored
within a relational database of 2D vein images. Subjects are verified
against a reference template in under 200ms providing fast, robust
biometric authentication.
Biometrics - Advantages
• Can’t be lent like a physical key or token and can’t be
forgotten like a password
• Good compromise between ease of use, template size,
cost and accuracy
• Biometrics contains enough inherent variability to enable
unique identification even in very large (millions of
records) databases
• Basically lasts forever - or at least until amputation or
dismemberment
• Makes network login & authentication effortless
Biometrics - Disadvantages
• Still relatively expensive per user
• Companies and products are often new and immature
• No common API (Application Protocol Interface) or other
standard
• Some hesitancy for user acceptance
Biometrics - Practical Applications
• Network access control
• Staff time and attendance tracking
• Authorizing financial transactions
• Government benefits distribution (Pension, welfare, etc.)
• Verifying identities at point of sale
• Using in conjunction with ATM , credit or smart cards
• Controlling physical access to office buildings or homes
• Protecting personal property
• Voting/Passports/Visas & Immigration
Biometrics - Privacy Issues
• Tracking and surveillance - Ultimately, the ability to track a
person's movement from hour to hour
• Anonymity - Biometrics links to databases could dissolve
much of our anonymity when we travel and access
services
• Profiling - Compilation of transaction data about a
particular person that creates a picture of that person's
travels, preferences, affiliations or beliefs
Biometrics - Tenets
• The indiscriminate and inappropriate application of biometric
technologies will enslave us all.
• Biometric technologies should be used to provide individuals
with enhanced privacy, security, autonomy and convenience.
• Users must insist on the application of personal biometric
systems, where they own and control their own biometric data.
• The implementation of biometric technologies must safeguard
the rights and privileges of the individual whilst maintaining the
security of the community.
• Biometric technologies should not be used as tools to manage,
control, marginalize or segregate groups or minorities within the
population.
Deadman Door Locks
• This system uses a pair of doors, between which is a
holding area.
• For the inside door to operate, the outside door must
lock and close, with only the authorized person within
the holding area.
• This can reduce the risk of piggybacking, where an
unauthorized person follows a authorized person into a
restricted area.
• Similar to the airlocks present in spacecraft.
Computing Facility
• Walls
• True Floor to Ceiling
• Fire Rating (at least 1 hour)
• Penetrations
• Adjacent Areas
• Doors
• Interior/Exterior
• Hinges
• Fire Rating
• Alarms
• Monitoring
Computing Facility
• Windows/Openings
• Interior/Exterior
• Fixed
• Shatterproof
• Computer and Equipment Room Lay Out
• Equipment Access
• Storage
• Occupied Areas
• Water Sources
• Cable Routing
Electrical Power
Electrical Power Definitions:
• Blackout - Loss of Power
• Brownout - Prolonged Period of Below Normal Voltage
• Noise - Random Disturbance that Interferes with a Device
• Sag - Short Period of Low Voltage
• Spike - Momentary High Voltage
• Surge - Prolonged High Voltage
• Transient - Line Noise/Disturbance at Normal Voltage
Electrical Power
Electrical Power Controls
• Dedicated Circuits
• Controlled Access to:
– Power Distribution Panels
– Master Circuit Breakers
– Transformers
– Feeder Cables
• Emergency Power Off Controls
• Voltage Monitoring/Recording
• Surge Protection
Electrical Power
Backup Power
• Alternate Feeders
• Un-interruptible Power Supply
• Emergency Power Generator
Electrical Power
Backup Power Requirements
• Lighting
• Physical Access Control Systems
• Fire Protection Systems
• Computing Equipment - Mainframes, Servers, etc
• Communications Equipment
• Telephone Systems
• Air Conditioning
Air-conditioning
• Dedicated
• Controllable
• Independent Power
• Emergency Shut Off Controls
• Positive Pressure
• Protected Air Intakes
• Monitoring
Other Controls
• Humidity Controls
• Risk of Static Electricity
• Risk to Electric Connections
• Air Quality (Dust)
• Water Protection
• Falling Water
• Rising Water
• Drains
• Protective Coverings
• Moisture Detection Systems
Fire Prevention & Protection
• Fire Elements:
• Fuel
• Oxygen
• Temperature
• Causes Of Computer Center Fires
• #1: Electrical Distribution Systems
• #2: Equipment
• Fire Classes
• A: Common Combustibles (use Water/Soda Acid)
• B: Liquid (CO2/Soda Acid/Halon)
• C: Electrical (CO2/Halon)
Fire Prevention & Protection
• Temperatures When Damage Occurs
• Paper Products:
350o
• Computer Equipment:
175
• Disks:
150o
• Magnetic Media:
100o
o
Fire Detection
• Manual
• Optical (Photoelectric-Smoke Blocking Light)
• Temperature
• Ionization (Reaction to Charged Particles in Smoke)
Fire Detectors
• On Ceilings
• Above Suspended Ceilings
• Beneath Raised Floors
• Return Air Ducts
• Cross-Zoning
Fire Alarms
• Manual & Automated Activation
• Visual & Audible Indication
• Local & Remote Annunciation
Fire Suppression - Portable Ext.
• Portable Extinguishers
• At Exits
• Mark Locations and Type
• Types A, B & C
• Need to Inspect
Fire Suppression - Water
• “Dry Pipe” Systems: Less Risk of Leakage
• Employ in Throughout Building and in all Spaces
• Works to Lower Temperature
• Most Damaging to Equipment
• Conventional Systems
Fire Suppression - CO2
• Colorless/Odorless
• Potentially Lethal
• Removes Oxygen
• Best for Unattended Facilities
• Delayed-Activation in Manned Facilities
Fire Suppression - Halon
• Best Protection for Equipment
– Inside Equipment Cabinets/Vaults
– Special Areas
– Above Suspended Ceilings
– Under Raised Floors
• Concentrations <10% are Safe
• Becomes Toxic at 900o
• Depletes Ozone (CFCs)
• Halon 1301: Requires Pressurization
• Halon 1211: Self-Pressurization (Portable Extinguishers)
Securing Storage Areas
• Forms Storage Rooms
• Increased Threat of Fire
• Combustibles
• Access Controls
• Media Storage Rooms
• Media Sensitivity
• Segregation
• Access Controls
• Environmental Controls
Media Protection
• Storage
• Media Libraries/Special Rooms
• Cabinets
• Vaults
• Location
• Operational
• Off-Site
• Transportation
Protecting Wiring
• Optical Fiber
• Copper Wire
• Certifying the Wiring and Cabling
• Controlling Access to Closets and Riser Rooms
Other Considerations
• Dealing with Existing Facilities
• Planning
• Upgrade/Renovation
• Incremental New Construction
• Protecting the Protection
• Implement Physical and Environmental Controls for
Security Systems
• Protect against both Intentional and Inadvertent
Threats
Other Terms & Abbreviations
•
•
•
•
•
•
•
•
•
•
•
Tailgate
Piggy-Back
Stay Behind
Degauss
Remanence
Mantrap
Pass-Back
Dumpster Diving
Montreal Protocol
Duress Alarm
Tamper Alarm
•
•
•
•
•
•
•
•
•
•
•
Passive Ultrasonic
Fail Safe/Fail Soft
EPO
IDS
Shoulder Surfing
Electronic Emanation
Tsunami
RFI
Defense in Depth
EMI
Top Guard
Thank You
[email protected]