Physical Security & Biometrics, by Prashant Mali (presentation transcript)
Objectives To address the threats, vulnerabilities, and countermeasures that can be used to physically protect an enterprise's resources and sensitive information, including people, facilities, data, equipment, support systems, media, and supplies. To discuss considerations for choosing a secure site, its design and configuration, the methods for securing the facility against unauthorized access and theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.
Session Agenda 1. Physical Access Threats and Exposures 2. Site Location and Design 3. Physical Access Controls 4. Environmental Protection 5. Audit And Evaluation of Physical Access Controls
Human Threats Exposures resulting from: unauthorized entry; damage, vandalism and theft of equipment or documents; copying, viewing, or alteration of sensitive information; public disclosure of sensitive information; abuse of data processing resources; blackmail; embezzlement.
Human Threats Possible perpetrators can be employees who are: Disgruntled or on strike Experiencing financial or emotional problems Threatened with disciplinary action Addicted to a substance or gambling Notified of their termination Hired by a competing company
Personnel Access Controls Position Sensitivity Designation Management Review of Access Lists Background Screening/Re-Screening Termination/Transfer Controls Counseling for Disgruntled Employees
External / Internal Threats External threats: wind/tornado, flooding, lightning, earthquake, cold and ice, fire, chemical. Internal physical threats: fire, environmental failure, electrical interruption.
External / Internal Threats Are hardware facilities controlled to reduce the risk of unauthorized access? Are hardware facilities reasonably protected against forced entry? Are smart terminals locked or otherwise secured to prevent removal of boards, chips, or the entire computer itself? Are authorized passes required before computer equipment can be removed from its normally secure environment?
External / Internal Threats Facilities to be protected: Computer room, operator consoles, and terminals Programming area Tape library, disks, and all magnetic media Storage room and supplies Off-site backup file storage facility Input / Output control room Power sources Disposal sites
Site Location and Design Local Crime Visibility Emergency Access Natural Hazards Air and Surface Traffic Joint Tenants Stable Power Supply Existing Boundary Protection (Barriers/Fencing/Gates)
Site Boundary Protection Area designation facilitates enforcement: vehicular access; personnel access (occupants; visitors, who are escorted and logged). Fences deter casual trespassing and complement other access controls; consider aesthetics; a fence won't stop a determined intruder.
Site Boundary Protection Lighting: entrances, parking areas, critical areas. Perimeter detection systems: do not prevent penetration; alert a response force, so a response capability is required; nuisance alarms are costly.
Site Boundary Protection CCTV (closed circuit TV): efficient, but requires human response; has limitations. Staffing: access control points, patrols, employees.
Physical Access Controls Guards Fences Barriers Lighting Keys and Locks Badges Escorts Property Controls Monitoring/Detection Systems
Physical Access Controls Common Physical Access controls are: Computer Terminal Locks Video Cameras Security Guards, Alarm System Controlled Visitor Access Bonded personnel Confidential Location of Sensitive Facilities Controlled Single point of Entry and Exit Motion Detection System
Physical Access Controls Common Physical Access controls are: Bolting Door Locks Cipher or Keypad Locks Electronic Door Locks Biometric Access Controls Deadman Door Locks Manual Logging, Electronic Logging Identification Badges
Environmental Protection Computing Facility Electrical Power controls Air Conditioning Fire Prevention, Detection, and Suppression Media Storage Protection Other Considerations
Audit and Evaluation Check the location of: All operator consoles Printer rooms Computer storage rooms UPS/Generator rooms Communications equipment Tape library Off-site storage facility
Audit and Evaluation Check the following paths of physical entry: All entry doors Glass windows and walls Movable walls and modular furniture Above false ceilings and below raised floors Ventilation systems
Keypad Locks Electronic (keypad) systems: digital keypad; number of combinations (determined by the number of digits in the code); frequency of code change; error lock-out; error alarms.
Electronic Door Locks The system uses a magnetic or embedded chip-based plastic card to be used as a swipe card to gain access to a restricted area. Through a special internal code, cards can be assigned to an identifiable individual Individuals can be given selective access to areas based on needs, time of day restrictions, etc. The cards should be difficult to duplicate. Card entry can be easily deactivated for terminated employees or if a card is reported lost or stolen.
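The decision logic behind such a card system, as an added example that is not part of the original presentation or any vendor's product: each card is bound to an identifiable holder, each holder has per-area time-of-day windows, a card reported lost or stolen (or belonging to a terminated employee) is deactivated with immediate effect, and every reader event is logged. A pass-back check (refusing a second entry on a card that never exited) is included as well. The card numbers, area names and schedules are constructed for the demo.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Card:
    card_id: str
    holder: str                 # the identifiable individual the card's internal code is assigned to
    areas: dict                 # area -> (start, end) time-of-day window in which entry is allowed
    active: bool = True         # cleared when the holder leaves or the card is reported lost/stolen


@dataclass
class AccessSystem:
    cards: dict = field(default_factory=dict)
    inside: dict = field(default_factory=dict)   # area -> set of card_ids currently inside
    log: list = field(default_factory=list)      # electronic log of every reader event

    def enroll(self, card: Card) -> None:
        self.cards[card.card_id] = card

    def revoke(self, card_id: str, reason: str) -> None:
        """Deactivate a card at once (termination, transfer, lost or stolen report)."""
        if card_id in self.cards:
            self.cards[card_id].active = False
            self.log.append(("revoke", card_id, reason))

    @staticmethod
    def _in_window(t: time, start: time, end: time) -> bool:
        # A window may cross midnight, e.g. a night shift allowed 22:00-06:00.
        if start <= end:
            return start <= t <= end
        return t >= start or t <= end

    def request(self, card_id: str, area: str, when: datetime, direction: str = "in") -> tuple:
        """Decide one reader event and log it. Returns (granted, reason)."""
        card = self.cards.get(card_id)
        occupants = self.inside.setdefault(area, set())
        if card is None:
            decision = (False, "unknown card")
        elif direction == "out":
            # Egress is never blocked; the exit reader only clears the pass-back state.
            occupants.discard(card_id)
            decision = (True, "exit")
        elif not card.active:
            decision = (False, "card revoked")
        elif area not in card.areas:
            decision = (False, "not authorized for area")
        elif not self._in_window(when.time(), *card.areas[area]):
            decision = (False, "outside permitted hours")
        elif card_id in occupants:
            # Pass-back check: this card already entered and never exited, so it was
            # either handed back out to someone else or used after a tailgated entry.
            decision = (False, "anti-passback violation")
        else:
            occupants.add(card_id)
            decision = (True, "granted")
        self.log.append((when.isoformat(), card_id, card.holder if card else None,
                         area, direction, decision[1]))
        return decision


def demo() -> list:
    """Constructed scenario exercising each rule; returns the list of decisions."""
    acs = AccessSystem()
    acs.enroll(Card("C-1001", "A. Day", {"server_room": (time(8), time(18)),
                                         "lobby": (time(0), time(23, 59))}))
    acs.enroll(Card("C-2002", "N. Shift", {"server_room": (time(22), time(6))}))
    results = [
        acs.request("C-1001", "server_room", datetime(2024, 1, 8, 10, 0)),         # granted
        acs.request("C-1001", "server_room", datetime(2024, 1, 8, 10, 5)),         # anti-passback
        acs.request("C-1001", "server_room", datetime(2024, 1, 8, 12, 0), "out"),  # exit
        acs.request("C-1001", "server_room", datetime(2024, 1, 8, 22, 0)),         # outside hours
        acs.request("C-1001", "tape_library", datetime(2024, 1, 8, 10, 0)),        # wrong area
        acs.request("C-2002", "server_room", datetime(2024, 1, 9, 2, 0)),          # night window
        acs.request("C-9999", "lobby", datetime(2024, 1, 8, 10, 0)),               # unknown card
    ]
    acs.revoke("C-1001", "reported lost")
    results.append(acs.request("C-1001", "lobby", datetime(2024, 1, 8, 13, 0)))    # revoked
    return results


if __name__ == "__main__":
    for granted, reason in demo():
        print("GRANT" if granted else "DENY ", reason)
```

The point of the ordering: revocation is checked before any area or schedule rule, so a deactivated card is refused everywhere the moment the report is entered, and an exit reader never denies egress (life safety) but still records the event and resets the pass-back state.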
Access Controls - Dumb Cards Dumb Cards Photo Identification Badges Manual Visual Verification Can be Combined with Smart Technology
Access Controls - Smart Cards Digitally coded (smart) cards often require use of a PIN with the card. Card readers: card insertion, card swipe, and proximity.
Types of Access Cards Photo ID Cards Optical Coded Cards (Magnetic Dot) Electric Circuit Cards (Embedded Wire) Magnetic Cards (Magnetic Particles) Metallic Stripe Card (Copper Strips)
Types of Access Cards GemClub Memo has been winning the confidence of application developers since 1998. GemClub Memo is a proven and secure memory-card technology in the smart card market, with several million cards in the field and 100 live applications, such as: public (transportation, driving license, health care, fleet cards); reward (loyalty, voucher, prepaid); access control (logical or physical); electronic purse (in closed payment schemes).
Biometrics - Access Controls Authenticating a user via human characteristics. An individual's unique body features, such as fingerprint, signature, voice, or retina, can be used to identify the individual. Complicated and expensive. Used for extremely sensitive facilities, such as in the military.
Fingerprint Verification Fingerprint scanning products are the most common type on the market today. Properly implemented, fingerprints offer potential for high accuracy. The readers tend to be small - easily incorporated into a keyboard for example Have a relatively low cost, and integration is usually easy. Cuts or dirt on the finger can cause some systems not to recognize a valid fingerprint. Some fingerprint scanners will scan for pulse as well as the fingerprint.
The State of Connecticut began using fingerprint readers in 1996 to catch welfare cheats who came in to pick up cheques. The fingerprint scanners, which cost about $200 from Identix Corp., use a digital camera to capture the fingerprints. Imaging software from National Registry Inc. is used to compare the scanned image with the one stored on a server. The $5.1 million project is said to have saved the state $9 million in welfare fraud.
DigitalPersona U.are.U Personal DigitalPersona has released a new version of its consumer-friendly fingerprint reader, the DigitalPersona U.are.U Personal. The software replaces passwords for Microsoft Windows XP, creating a more secure and more convenient solution for homes and small businesses where one PC serves many masters. Though not perfect, the U.are.U is a trouble- free convenience that will help protect your privacy.
I/O Software, a California company, is marketing a fingerprint ID system to control access to a computer right after it is turned on, before booting. Their system uses Sony's Fingerprint Identification Unit, which plugs into the serial port. If the fingerprint does not match, the system stops the computer's Basic Input Output System (BIOS) from continuing the start-up.
Sony FIU-710 PC Magazine - The Puppy was the only model we evaluated that performed flawlessly on all of our tests, enrolling and verifying 100 percent of our test subjects - though we could enroll only 10 people on the Puppy, as opposed to 100 on the other devices. Plus we were able to shuttle it easily among different PCs.
TimeCentre's BioMouse It is the world's first mouse to offer total PC and network security with the touch of a finger! Bring fingerprint recognition technology to a workstation! Positively identify who is accessing the PC and who is clocking in each day. The BioMouse can be used in conjunction with TimeCentre's PC entry and browser-based PC entry system on a workstation or kiosk. In a PC kiosk environment, the BioMouse can ensure the identity of each valid user.
Hand Geometry Hand geometry measures the physical characteristics of the user's hand and fingers. It is one of the most established methods and typically offers a good balance of performance and ease of use. Hand geometry is most widely used in physical access control and time/attendance systems. It is not currently in wide deployment for computer security applications, primarily because it requires a large scanner.
Biometric Hand Punch TimeCentre's Hand Punch clocks positively identify each employee by the unique size and shape of his or her hand, increasing the security and accuracy of your company's time data. It is the perfect balance between security and convenience. Eliminates "buddy punching" and guarantees the accuracy of your punch data Eliminates early-in punches Eliminates unauthorized overtime punches No cards or badges are needed to utilize the TimeCentre Biometric Hand Punch. The employee's hand is their time card!
Sensar is offering their iris recognition system to ATM manufacturers as an alternative to passwords and PINs. When a bank card is inserted into an ATM, a stereo camera locates the person's face, zooms in on the eye, and takes a digital photograph of the eye. The features in the eye are then compared with those provided to the bank when the customer signed up. All this can be done in less than two seconds at a distance of up to 3 feet. The system is expected to add $2,000 to $3,000 to the cost of an average ATM, which now can cost up to $40,000. Several banks are testing Sensar's system, including banks in the United States, United Kingdom, and Japan.
Voice Recognition Voice Recognition is perhaps the method most desirable to users since everyone seems to want to talk to computers. In practice, implementation is extremely difficult. While recent advances in voice recognition have greatly improved the technology, it is still subject to problems. Local acoustics, background noise, microphone quality, the common cold, anxiety, being in a hurry, and anger can all alter the human voice enough to make voice recognition difficult or impossible. Further, voice recognition systems tend to have the most difficult and time-consuming enrollment process and require the most space for template storage.
In February 1998, Periphonics Corp., a maker of interactive voice response systems, announced they would integrate voice identification into their automated call processing applications. The system could be used by banks and credit card companies which rely heavily on interactive call systems. When a customer phones for service, the system asks for a password. The voice sample is then compared with one taken during initialization. Periphonics says the error rate is around 1% to 2%. The attraction of voice recognition is that it can be performed over the phone system without the need for special cameras or other equipment.
Retinal Scanning Retinal scanning is well established and can provide high accuracy. User acceptance may be a problem, however: "You're not shooting a laser into my eye!" In reality, retinal scanners do not employ a laser, but scan using low-intensity light and are considered quite safe. One drawback is that the user must look directly into the retinal reader. This is inconvenient for eyeglass wearers. In public applications, there may also be concerns with the spread of germs because of the need for physical contact with the retinal scanner. Another problem is that the user must focus on a given point for the scan. Failure to focus correctly has a significant impact on accuracy.
The EyeDentify® Biometric Retina Reader provides dual-level access security: a keypad code plus retina pattern verification, which takes less than two seconds from up to 3 away. The vendor describes retinal vascular patterns as the most accurate biometric recognition feature, providing the highest level of biometric security. Can be easily interfaced with ECS Access Control systems or used in stand-alone applications.
Iris Scanning Iris Scanning overcomes most of the problems of retinal scanners. Because the iris (the colored part of the eye) is visible from a distance, direct contact with the scanner is not required nor is it necessary to remove eyeglasses. The technology works by scanning the unique random patterns of the iris. Interestingly, the method does not rely on the iris color (the camera used is black-and-white). This is important because of the popularity of colored contact lenses – some vendors claim their systems will work with colored contacts and even through non-reflective sunglasses.
In 1994, Iridian's John Daugman introduced the concept of iris recognition technology: capturing the unique patterns in a human iris to authenticate identity. Like fingerprints, no two irises are alike. The Authenticam verifies a user's identity by scanning the person's iris and matching the pattern with the template stored at enrollment. Unlike a retinal scanner, which requires the user to hold the eye close to the device and focus on a fixed point, the iris scanner allows the user to be about 20 inches away from the camera. Panasonic Authenticam Iris Recognition Camera
Signature Verification Signature Verification enjoys a synergy the other technologies do not since people are used to signing for things. There is a greater feeling of normalcy. While signature verification has proved to be relatively accurate, very few products available implement the technology.
Facial Recognition Facial recognition is one of the newest biometric methods. The technology has attracted a lot of attention. Unfortunately, extravagant claims that proved difficult to substantiate cooled much of the enthusiasm. It is not overly difficult to match two static images; picking an individual out of a group, as some systems claim to be able to do, is another matter entirely. Progress continues to be made with this young technology, but to date facial recognition systems have had only limited success in practical applications.
The FaceIT PC desktop software, which sells for $150, is used on a PC with a video camera. The system automatically detects human presence, locates and tracks faces, and identifies people. The recognition process, which is based on 64 features of the face, takes less than a second. When the user steps away from the computer, FaceIT becomes a screensaver and locks the computer. The machine is unlocked only when the computer detects and recognizes the user. Files are secured through encryption. The technology has been or will be used in other applications, including ATMs, airport passenger and baggage security, and border crossings.
Imagis' proprietary technology uses more than 692 facial descriptors to capture and identify a face, which the vendor claims is ten times more than other technologies. At the heart of Imagis' technology is a method of capturing facial data that it describes as intrinsically more accurate: whereas other solutions rely on older facial recognition methods, Imagis uses a combination of spectral analysis and 3-D modeling to locate and fit a face, identifying over 692 facial descriptors in the process.
Once a face has been identified, it is converted into a deformable surface model. This surface modeling allows the face detection to work with an unlimited range of face shapes. Unlike other solutions, ID-2000 works equally well with all races and genders and is not fooled by a change in hairstyle or the growth or shaving of a beard. Once a face has been captured and rendered, the software uses a proprietary algorithm to produce a wavelet that is unique to that image. It is this wavelet (compressed and encoded) that is used to make comparisons quickly in both one-to-one and one-to-many searches.
Vein Biometric Systems Vein biometric systems record subcutaneous infrared absorption patterns to produce unique and private identification templates for users. Veins and other subcutaneous features present large, robust, stable and largely hidden patterns. Subcutaneous features can be conveniently imaged within the wrist, palm, and dorsal surfaces of the hand. In effect, the technology is a vascular barcode reader for people. It can be applied to small personal biometric systems and to generic biometric applications, including intelligent door handles, door locks, etc.
Vein Biometric Systems Vein pattern IR. grey-scale images are binarized, compressed and stored within a relational database of 2D vein images. Subjects are verified against a reference template in under 200ms providing fast, robust biometric authentication.
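What "binarized, compressed and stored" templates compared in both one-to-one and one-to-many searches look like in code, as an added illustrative example rather than any vendor's algorithm: a greyscale image is thresholded into a 64-bit template packed into 8 bytes, and two templates are compared by normalized Hamming distance, with a fixed distance threshold deciding accept or reject. The 8x8 "vein" images, the intensity values, the flipped pixels standing in for occlusion or sensor noise, and the distance threshold are all constructed here.

```python
SIZE = 8
THRESHOLD_INTENSITY = 128   # pixels darker than this are treated as vein (IR absorbed)
MATCH_DISTANCE = 0.20       # normalized Hamming distance above which a probe is rejected


def synthetic_image(a, b, flips=()):
    """Constructed 8x8 greyscale image: a pixel is 'vein' when (a*r + b*c) % 7 < 3.

    A small deterministic intensity wobble never crosses the binarization threshold,
    so two captures of the same pattern binarize identically; pixels listed in
    `flips` are inverted to simulate noise or occlusion on a later capture.
    """
    img = []
    for r in range(SIZE):
        row = []
        for c in range(SIZE):
            vein = (a * r + b * c) % 7 < 3
            delta = (r * c) % 40                 # stays within 0..39
            v = 60 + delta if vein else 190 - delta
            if (r, c) in flips:
                v = 255 - v
            row.append(v)
        img.append(row)
    return img


def binarize(img):
    """Reduce the image to a 64-bit template (1 = vein) packed into 8 bytes."""
    bits = 0
    for r, row in enumerate(img):
        for c, v in enumerate(row):
            if v < THRESHOLD_INTENSITY:
                bits |= 1 << (r * SIZE + c)
    return bits.to_bytes(SIZE * SIZE // 8, "big")


def distance(t1, t2):
    """Normalized Hamming distance: fraction of template bits that differ."""
    x = int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big")
    return bin(x).count("1") / (SIZE * SIZE)


def verify(probe_template, reference_template):
    """One-to-one: does the probe belong to the claimed identity? Returns (accepted, distance)."""
    d = distance(probe_template, reference_template)
    return d <= MATCH_DISTANCE, d


def identify(probe_template, database):
    """One-to-many: (subject, distance) of the closest enrolled template,
    or (None, best_distance) when nothing falls inside the match distance."""
    best_subject, best = None, 1.0
    for subject, template in database.items():
        d = distance(probe_template, template)
        if d < best:
            best_subject, best = subject, d
    if best > MATCH_DISTANCE:
        return None, best
    return best_subject, best


def demo():
    """Two enrolled subjects, a noisy genuine probe and a blank (no-vein) probe."""
    db = {"alice": binarize(synthetic_image(3, 5)), "bob": binarize(synthetic_image(5, 3))}
    probe = binarize(synthetic_image(3, 5, flips={(0, 0), (3, 3), (7, 7)}))
    blank = binarize([[200] * SIZE for _ in range(SIZE)])
    return {
        "verify_alice": verify(probe, db["alice"]),      # (True, 3/64)
        "verify_as_bob": verify(probe, db["bob"]),       # (False, 31/64)
        "identify": identify(probe, db),                 # ("alice", 3/64)
        "identify_blank": identify(blank, db),           # (None, 28/64)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two things the numbers show: a genuine capture with a few disturbed pixels lands at 3/64, far inside the threshold, while an unrelated pattern sits near 0.44, so the threshold has a wide safety margin on this toy data; and a probe that matches nothing must come back as "no match" rather than as the closest enrolled subject, which is the one-to-many failure mode to test for.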
Biometrics - Advantages Can't be lent like a physical key or token and can't be forgotten like a password. Good compromise between ease of use, template size, cost and accuracy. Biometric traits contain enough inherent variability to enable unique identification even in very large (millions of records) databases. The trait lasts a lifetime, barring injury. Makes network login and authentication effortless.
Biometrics - Disadvantages Still relatively expensive per user. Companies and products are often new and immature. No common API (application programming interface) or other standard. Some hesitancy in user acceptance. The flip side of permanence: a compromised biometric cannot be reissued the way a lost card or leaked password can, so stored templates need the same protection as any other credential.
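How an "error rate of around 1% to 2%" is measured, and why unique identification in a database of millions is harder than a single verification, as an added example that is not from the original presentation or any product named on it: at a chosen score threshold the false accept rate (FAR, impostors accepted) and false reject rate (FRR, genuine users rejected) are counted, the equal error point is located, and the per-comparison FAR is scaled to the probability of at least one false match across a one-to-many search. The genuine and impostor match scores below are constructed, not measured.

```python
# Constructed similarity scores in 0..1 (higher = more alike). "Genuine" pairs a probe
# with the same person's template, "impostor" pairs it with someone else's.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.84, 0.93, 0.62, 0.87, 0.90, 0.81]
IMPOSTOR_SCORES = [0.12, 0.25, 0.33, 0.08, 0.41, 0.19, 0.72, 0.15, 0.28, 0.37]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) at a threshold: a probe is accepted when score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_point(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Threshold among the observed scores at which FAR and FRR are closest; returns (t, FAR, FRR)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def choose_threshold(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Security-first tuning: the lowest observed threshold whose FAR does not exceed max_far."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None


def false_match_in_search(far, n_records):
    """Probability that a probe from an un-enrolled person falsely matches at least one of
    n_records templates, when each single comparison has false accept rate `far` and the
    comparisons are treated as independent."""
    return 1 - (1 - far) ** n_records


def search_scaling(far, sizes=(1, 100, 10_000, 1_000_000)):
    """Table of (database size, probability of >= 1 false match) for a fixed per-comparison FAR."""
    return [(n, false_match_in_search(far, n)) for n in sizes]


if __name__ == "__main__":
    print("EER point (threshold, FAR, FRR):", equal_error_point())
    print("threshold for FAR <= 0:", choose_threshold(0.0))
    for n, p in search_scaling(0.01):
        print(f"{n:>9} records: P(false match) = {p:.4f}")
```

The last loop is the caveat behind "unique identification in very large databases": a per-comparison FAR that looks acceptable for verifying one claimed identity (one comparison) approaches certainty of some false match once the same threshold is used to search a million records, so identification systems need a much stricter threshold, or a second factor, than verification systems do.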
Biometrics - Practical Applications Network access control Staff time and attendance tracking Authorizing financial transactions Government benefits distribution (Pension, welfare, etc.) Verifying identities at point of sale Using in conjunction with ATM, credit or smart cards Controlling physical access to office buildings or homes Protecting personal property Voting/Passports/Visas & Immigration
Biometrics - Privacy Issues Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour Anonymity - Biometrics links to databases could dissolve much of our anonymity when we travel and access services Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
Biometrics - Tenets The indiscriminate and inappropriate application of biometric technologies will enslave us all. Biometric technologies should be used to provide individuals with enhanced privacy, security, autonomy and convenience. Users must insist on the application of personal biometric systems, where they own and control their own biometric data. The implementation of biometric technologies must safeguard the rights and privileges of the individual whilst maintaining the security of the community. Biometric technologies should not be used as tools to manage, control, marginalize or segregate groups or minorities within the population.
Deadman Door Locks This system (also called a mantrap) uses a pair of doors with a holding area between them. The inside door will not operate until the outside door has closed and locked with only the authorized person inside the holding area. This reduces the risk of piggybacking, where an unauthorized person follows an authorized person into a restricted area. Similar to the airlocks in spacecraft.
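The interlock rules a deadman door enforces, as an added example in Python that is not taken from any product's controller: a door is released only while the other door is closed and locked (the two are never open together), the outer door only when the holding area is empty, and the inner door only when the occupancy sensor reports exactly one person and the card presented is the one that opened the outer door. The occupancy sensor (a weight mat or IR beam) is assumed to report a reliable head count; the card IDs and the guard override are constructed for the demo.

```python
class Mantrap:
    """Two interlocked doors with a holding area between them."""

    def __init__(self, authorized_ids):
        self.authorized = set(authorized_ids)
        self.doors = {"outer": {"closed": True, "locked": True},
                      "inner": {"closed": True, "locked": True}}
        self.occupancy = 0             # head count from the assumed occupancy sensor
        self.admitted_card = None      # card that opened the outer door this cycle
        self.log = []

    def _secured(self, door):
        return self.doors[door]["closed"] and self.doors[door]["locked"]

    def request(self, door, card_id):
        """Card presented at a door reader. Returns (released, reason)."""
        other = "inner" if door == "outer" else "outer"
        if card_id not in self.authorized:
            result = (False, "card not authorized")
        elif not self._secured(other):
            result = (False, other + " door not closed and locked")   # never both open
        elif door == "outer" and self.occupancy != 0:
            result = (False, "holding area not empty")
        elif door == "inner" and self.occupancy == 0:
            result = (False, "holding area empty")
        elif door == "inner" and self.occupancy > 1:
            result = (False, "occupancy %d: piggybacking suspected" % self.occupancy)
        elif door == "inner" and card_id != self.admitted_card:
            result = (False, "card differs from the one used at the outer door")
        else:
            self.doors[door]["locked"] = False
            if door == "outer":
                self.admitted_card = card_id
            result = (True, "released")
        self.log.append((door, card_id, result[1]))
        return result

    # Events from the door contacts and the occupancy sensor.
    def door_opened(self, door):
        self.doors[door]["closed"] = False

    def door_closed(self, door):
        self.doors[door]["closed"] = True
        self.doors[door]["locked"] = True      # the strike re-locks on closure
        if door == "inner":
            self.admitted_card = None          # cycle complete

    def sensor(self, count):
        self.occupancy = count

    def guard_release(self):
        """Response-force override after a refused cycle: let the occupants back out."""
        if self._secured("inner"):
            self.doors["outer"]["locked"] = False
            self.log.append(("guard", None, "outer released"))
            return True
        return False


def entry_cycle(trap, card_id, people_entering):
    """Drive one entry attempt through the reader and sensor events; returns the inner-door decision."""
    released, reason = trap.request("outer", card_id)
    if not released:
        return released, reason
    trap.door_opened("outer")
    trap.sensor(people_entering)
    trap.door_closed("outer")
    decision = trap.request("inner", card_id)
    if decision[0]:
        trap.door_opened("inner")
        trap.sensor(0)                 # the person has stepped through into the secure area
        trap.door_closed("inner")
    return decision


if __name__ == "__main__":
    trap = Mantrap({"C-1"})
    print("single person:", entry_cycle(trap, "C-1", 1))
    print("two people:   ", entry_cycle(trap, "C-1", 2))
    print("retry, trapped:", trap.request("outer", "C-1"))
```

Note what happens after a refused cycle: the two occupants are held between locked doors until a guard releases the outer door, which is the point of the design, and also why the holding area needs a duress or intercom facility and a fail-safe release for fire evacuation.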
Computing Facility Walls: true floor to ceiling; fire rating (at least 1 hour); penetrations; adjacent areas. Doors: interior/exterior; hinges; fire rating; alarms; monitoring.
Computing Facility Windows/openings: interior/exterior; fixed; shatterproof. Computer and equipment room layout: equipment access; storage; occupied areas; water sources; cable routing.
Electrical Power Definitions: Blackout - loss of power. Brownout - prolonged period of below-normal voltage. Noise - random disturbance that interferes with a device. Sag - short period of low voltage. Spike - momentary high voltage. Surge - prolonged high voltage. Transient - line noise/disturbance at normal voltage.
Electrical Power Controls: dedicated circuits; controlled access to power distribution panels, master circuit breakers, transformers, and feeder cables; emergency power-off controls; voltage monitoring/recording; surge protection.
Backup Power: alternate feeders; uninterruptible power supply (UPS); emergency power generator.
Backup Power Requirements: lighting; physical access control systems; fire protection systems; computing equipment (mainframes, servers, etc.); communications equipment; telephone systems; air conditioning.
Air Conditioning: dedicated, controllable, independent power; emergency shut-off controls; positive pressure; protected air intakes; monitoring.
Other Controls Humidity controls: risk of static electricity (too dry); risk to electrical connections (too humid). Air quality (dust). Water protection: falling water; rising water; drains; protective coverings; moisture detection systems.
Fire Prevention & Protection Fire elements: fuel, oxygen, heat (temperature). Causes of computer center fires: #1 electrical distribution systems; #2 equipment. Fire classes: A - common combustibles (use water/soda acid); B - liquid (CO2/soda acid/Halon); C - electrical (CO2/Halon).
Fire Prevention & Protection Temperatures at which damage occurs: paper products 350 °F; computer equipment 175 °F; disks 150 °F; magnetic media 100 °F.
Fire Detection Manual Optical (Photoelectric-Smoke Blocking Light) Temperature Ionization (Reaction to Charged Particles in Smoke)
Fire Detectors On Ceilings Above Suspended Ceilings Beneath Raised Floors Return Air Ducts Cross-Zoning
Fire Alarms Manual & Automated Activation Visual & Audible Indication Local & Remote Annunciation
Fire Suppression - Portable Ext. Portable Extinguishers At Exits Mark Locations and Type Types A, B & C Need to Inspect
Fire Suppression - Water Works by lowering temperature; employed throughout the building and in all spaces; the most damaging agent to equipment. Conventional (wet pipe) systems. Dry pipe systems: less risk of leakage.
Fire Suppression - CO 2 Colorless/Odorless Potentially Lethal Removes Oxygen Best for Unattended Facilities Delayed-Activation in Manned Facilities
Fire Suppression - Halon Best protection for equipment: inside equipment cabinets/vaults; special areas; above suspended ceilings; under raised floors. Concentrations below 10% are safe for people; becomes toxic above 900 °F. Depletes ozone (restricted like CFCs under the Montreal Protocol). Halon 1301: requires pressurization. Halon 1211: self-pressurizing (portable extinguishers).
Securing Storage Areas Forms storage rooms: increased threat of fire (combustibles); access controls. Media storage rooms: media sensitivity; segregation; access controls; environmental controls.
Media Protection Storage Media Libraries/Special Rooms Cabinets Vaults Location Operational Off-Site Transportation
Protecting Wiring Optical Fiber Copper Wire Certifying the Wiring and Cabling Controlling Access to Closets and Riser Rooms
Other Considerations Dealing with Existing Facilities Planning Upgrade/Renovation Incremental New Construction Protecting the Protection Implement Physical and Environmental Controls for Security Systems Protect against both Intentional and Inadvertent Threats
Other Terms & Abbreviations Tailgate Piggy-Back Stay Behind Degauss Remanence Mantrap Pass-Back Dumpster Diving Montreal Protocol Duress Alarm Tamper Alarm Passive Ultrasonic Fail Safe/Fail Soft EPO IDS Shoulder Surfing Electronic Emanation Tsunami RFI Defense in Depth EMI Top Guard