1. Physical Security
& Biometrics
By Prashant Mali

2. Objectives
To address the threats, vulnerabilities, and countermeasures which can be utilized to physically protect an enterprise’s resources and sensitive information to include people, facilities, data, equipment, support systems, media, and supplies.
To discuss considerations for choosing a secure site, its design and configuration, and the methods for securing the facility against unauthorized access, theft of equipment and information, and the environmental and safety measures needed to protect people, the facility, and its resources.

3. Session Agenda 1. Physical Access Threats and Exposures
2. Site Location and Design
3. Physical Access Controls
4. Environmental Protection
5. Audit And Evaluation of Physical Access Controls

4. Threat Components Threat Components Agents Motives Results
Human Threats
Theft
Vandalism
Sabotage
Espionage
Errors
Blackmail

5. Human Threats Exposures resulting by means of Unauthorized entry
Damage, vandalism and theft of equipment or documents
Copying, viewing, or alteration of sensitive information
Public disclosure of sensitive information
Abuse of data processing resources
Blackmail
Embezzlement

6. Human Threats Possible perpetrators can be employees who are:
Disgruntled or on strike
Experiencing financial or emotional problems
Threatened with disciplinary action
Addicted to a substance or gambling
Notified of their termination
Hired by a competing company

7. Personnel Access Controls
Position Sensitivity Designation
Management Review of Access Lists
Background Screening/Re-Screening
Termination/Transfer Controls
Counseling for Disgruntled Employees

8. External / Internal Threats
External Threats
Wind/Tornado
Flooding
Lightning
Earthquake
Cold and Ice
Fire
Chemical
Internal Physical Threats
Environmental Failure
Electrical Interruption

9. External / Internal Threats
Are hardware facilities controlled to reduce the risk of unauthorized access?
Are hardware facilities reasonably protected against forced entry?
Are smart terminals locked or otherwise secured to prevent removal of boards, chips, or the entire computer itself?
Are authorized passes required before computer equipment can be removed from its normally secure environment?

10. External / Internal Threats
Facilities to be protected:
Computer room, operator consoles, and terminals
Programming area
Tape library, disks, and all magnetic media
Storage room and supplies
Off-site backup file storage facility
Input / Output control room
Power sources
Disposal sites

11. Site Location and Design
Local Crime
Visibility
Emergency Access
Natural Hazards
Air and Surface Traffic
Joint Tenants
Stable Power Supply
Existing Boundary Protection (Barriers/Fencing/Gates)

12. Site Boundary Protection
Area Designation: Facilitates Enforcement
Vehicular Access
Personnel Access
Occupants
Visitors (Escort & Logging)
Fences
Deter Casual Trespassing
Compliments Other Access Controls
Aesthetics
Won’t Stop Determined Intruder

13. Site Boundary Protection
Lighting
Entrances
Parking Areas
Critical Areas
Perimeter Detection Systems
Does Not Prevent Penetration
Alerts Response Force
Requires Response
Nuisance Alarms
Costly

14. Site Boundary Protection
CCTV (Closed Circuit TV)
Efficiency
Requires Human Response
Limitations
Staffing
Access Control Points
Patrols
Employees

15. Physical Access Controls
Guards
Fences
Barriers
Lighting
Keys and Locks
Badges
Escorts
Property Controls
Monitoring/Detection Systems

16. Physical Access Controls
Common Physical Access controls are:
Computer Terminal Locks
Video Cameras
Security Guards, Alarm System
Controlled Visitor Access
Bonded personnel
Confidential Location of Sensitive Facilities
Controlled Single point of Entry and Exit
Motion Detection System

17. Physical Access Controls
Common Physical Access controls are:
Bolting Door Locks
Cipher or Keypad Locks
Electronic Door Locks
Biometric Access Controls
Deadman Door Locks
Manual Logging, Electronic Logging
Identification Badges

18. Environmental Protection
Computing Facility
Electrical Power controls
Air Conditioning
Fire Prevention, Detection, and Suppression
Media Storage Protection
Other Considerations

19. Audit and Evaluation Check the location of: All operator consoles
Printer rooms
Computer storage rooms
UPS/Generator rooms
Communications equipment
Tape library
Off-site storage facility

20. Audit and Evaluation Check the following paths of physical entry:
All entry doors
Glass windows and walls
Movable walls and modular furniture
Above false ceilings and below raised floors
Ventilation systems

21. Keypad Locks Electronic (Keypad Systems): Digital Keyboard
Number of Combinations
Number of Digits in Code
Frequency of Code Change
Error Lock-Out
Error Alarms

22. Keypad Locks

23. Electronic Door Locks
The system uses a magnetic or embedded chip-based plastic card to be used as a swipe card to gain access to a restricted area.
Through a special internal code, cards can be assigned to an identifiable individual
Individuals can be given selective access to areas based on needs, time of day restrictions, etc.
The cards should be difficult to duplicate.
Card entry can be easily deactivated for terminated employees or if a card is reported lost or stolen.

24. Access Controls - Dumb Cards
Photo Identification Badges
Manual Visual Verification
Can be Combined with Smart Technology

25. Access Controls - Smart Cards
Digital Coded (Smart) Cards
Often Require Use of PIN Number with Card
Card Readers: Card Insertion, Card Swipe & Proximity

27. Types of Access Cards Photo ID Cards
Optical Coded Cards (Magnetic Dot)
Electric Circuit Cards (Embedded Wire)
Magnetic Cards (Magnetic Particles)
Metallic Stripe Card (Copper Strips)

28. Types of Access Cards
GemClub Memo has been winning the confidence of application developers since GemClub Memo is the proven and the secure Memory technology in the smart card market, with several million of cards in the field and 100 live applications such as:
Public ( Transportation, driving license, health care, fleet cards),
Reward (loyalty, Voucher, Pre paid...)
Access control (logical or physical).
Electronic purse (in closed payment schemes),

29. Biometrics - Access Controls
Authenticating a user via human characteristics
An individual’s unique body features such as fingerprint, signature, voice, retina can be used to identify the individual.
Complicated and expensive
Used for extremely sensitive facilities, such as in the military

30. Biometrics - Access Controls
Fingerprint/Thumbprint Scan
Hand Geometry
Voice Verification
Retinal Scanning
Iris Scanning
Signature Verification
Facial Recognition
Keystroke Recorders
Vein Biometric Systems

31. Fingerprint Verification
Fingerprint scanning products are the most common type on the market today. Properly implemented, fingerprints offer potential for high accuracy.
The readers tend to be small - easily incorporated into a keyboard for example
Have a relatively low cost, and integration is usually easy.
Cuts or dirt on the finger can cause some systems not to recognize a valid fingerprint.
Some fingerprint scanners will scan for pulse as well as the fingerprint.

32. The State of Connecticut began using fingerprint readers in 1996 to catch welfare cheats who came in to pickup cheques.
The fingerprint scanners, which cost about $200 from Identix Corp., use a digital camera to capture the fingerprints. Imaging software from National Registry Inc. is used to compare the scanned image with the one stored on a server.
The $5.1 million project is said to have saved the state $9 million in welfare fraud.

33. DigitalPersona U.are.U Personal
DigitalPersona has released a new version of its consumer-friendly fingerprint reader, the DigitalPersona U.are.U Personal. The software replaces passwords for Microsoft Windows XP, creating a more secure and more convenient solution for homes and small businesses where one PC serves many masters. Though not perfect, the U.are.U is a trouble- free convenience that will help protect your privacy.

34. I/O Software, a California company, is marketing a fingerprint ID system to control access to a computer right after it is turned on, before booting.
Their system uses Sony’s Fingerprint Identification Unit, which plugs into the serial port. If the fingerprint does not match, the system stops the computer’s Basic Input Output System (BIOS) from starting up.

35. Sony FIU-710
PC Magazine - The Puppy was the only model we evaluated that performed flawlessly on all of our tests, enrolling and verifying percent of our test subjects - though we could enroll only 10 people on the Puppy, as opposed to 100 on the other devices. Plus we were able to shuttle it easily among different PCs.

36. TimeCentre's BioMouse It is the world's first mouse to offer total PC and network security with the touch of a finger!
Bring fingerprint recognition technology to a workstation! Positively identify who is accessing the PC and who is clocking in each day. The BioMouse can be used in conjunction with TimeCentre's PC entry and browser-based PC entry system on a workstation or kiosk. In a PC kiosk environment, the BioMouse can insure the identity of each valid user.

38. Hand Geometry
Hand Geometry measure the physical characteristics of the user’s hand and fingers.
Hand geometry is one of the most established methods and typically offers a good balance of performance and ease of use.
Hand geometry is most widely used in physical access control and time/attendance systems. It is not currently in wide deployment for computer security applications primarily because it requires a large scanner.

39. Biometric Hand Punch TimeCentre's Hand Punch clocks positively identify each employee by the unique size and shape of his or her hand, increasing the security and accuracy of your company's time data. It is the perfect balance between security and convenience.
Eliminates "buddy punching" and guarantees the accuracy of your punch data
Eliminates early-in punches
Eliminates unauthorized overtime punches
No cards or badges are needed to utilize the TimeCentre Biometric Hand Punch. The employee's hand is their time card!

40. Sensar is offering their iris recognition system to ATM manufacturers as an alternative to passwords and PINs. When a bank card is inserted into an ATM machine, a stereo camera locates the person’s face, zooms in on the eye, and takes a digital photograph of the eye. The features in the eye are then compared with one provided to the bank when the customer signed up.
All this can be done in less then two seconds at a distance of up to 3 feet. The system is expected to add $2,000 to $3,000 to the cost of an average ATM machine, which now can cost up to $40,000.
Several banks are testing Sensar’s system, including banks in the United States, United Kingdom, and Japan.

41. Voice Recognition
Voice Recognition is perhaps the method most desirable to users since everyone seems to want to talk to computers.
In practice, implementation is extremely difficult. While recent advances in voice recognition have greatly improved the technology, it is still subject to problems.
Local acoustics, background noise, microphone quality, the common cold, anxiety, being in a hurry, and anger can all alter the human voice enough to make voice recognition difficult or impossible.
Further, voice recognition systems tend to have the most difficult and time-consuming enrollment process and require the most space for template storage.

42. In February 1998, Periphonics Corp
In February 1998, Periphonics Corp., a maker of interactive voice response systems, announced they would integrate voice identification into their automated call processing applications. The system could be used by banks and credit card companies which rely heavily on interactive call systems.
When a customer phones for service, the system asks for a password. The voice sample is then compared with one taken during initialization. Periphonics says the error rate is around 1% to 2%.
The attraction of voice recognition is that it can be performed over the phone system without the need for special cameras or other equipment.

43. Retinal Scanning
Retinal Scanning is well established and can provide high accuracy.
User acceptance may be a problem however – “You’re not shooting a laser into my eye!” In reality, retinal scanners do not employ a laser, but scan using low intensity light and are considered quite safe.
One drawback is that the user must look directly into the retinal reader. This is inconvenient for eyeglass wearers.
In public applications, there may also be concerns with the spread of germs because of the need for physical contact with the retinal scanner.
Another problem is that the user must focus on a given point for the scan. Failure to focus correctly causes a significant impact on accuracy.

44. The EyeDentify® Biometric Retina Reader provides dual level access security. A keypad code requires Retina pattern verification which takes less than two seconds from up to 3” away. Retinal vascular patterns are the most accurate biometric recognition features which provides the highest level of biometric security. Can be easily interfaced with ECS Access Control systems or used in stand alone applications.

45. Iris Scanning
Iris Scanning overcomes most of the problems of retinal scanners.
Because the iris (the colored part of the eye) is visible from a distance, direct contact with the scanner is not required nor is it necessary to remove eyeglasses.
The technology works by scanning the unique random patterns of the iris.
Interestingly, the method does not rely on the iris color (the camera used is black-and-white). This is important because of the popularity of colored contact lenses – some vendors claim their systems will work with colored contacts and even through non-reflective sunglasses.

46. Panasonic Authenticam
Iris Recognition Camera
In 1994, Iridian's John Daugman introduced the concept of iris recognition technology—capturing the unique patterns in a human iris to authenticate identity. Like fingerprints, no two irises are alike.
The Authenticam verifies a user's identity by scanning the person's iris and matching the pattern with the template stored at enrollment. Unlike a retinal scanner, which captures information necessary for authentication by shooting a laser beam into the eye while the user is in contact with the device, the iris scanner allows the user to be about 20 inches away from the camera.

47. Signature Verification
Signature Verification enjoys a synergy the other technologies do not since people are used to signing for things.
There is a greater feeling of normalcy. While signature verification has proved to be relatively accurate, very few products available implement the technology.

48. Facial Recognition
Facial recognition is one of the newest biometric methods. The technology has attracted a lot of attention.
Unfortunately, extravagant claims that proved difficult to substantiate cooled much of the enthusiasm.
It is not overly difficult to match two static images.
Picking an individual out of a group as some systems claim to be able to do is another matter entirely.
Progress continues to be made with this young technology, but to date facial recognition systems have had some success in practical applications.

49. The FaceIT PC desktop software, which sells for $150, is used on a PC with a video camera. The system automatically detects human presence, locates and tracks faces, and identifies people.
The recognition process, which is based on 64 features of the face, takes less than a second. When the user steps away from the computer, FaceIT becomes a screensaver and locks the computer. The machine is unlocked only when the computer detects and recognizes the user. Files are secured through encryption.
The technology has been or will be used in other applications, including ATMs, airport passenger and baggage security, and border crossings.

50. Imagis' proprietary technology uses more than 692 facial desciptors to capture and identify a face. This is ten times more than other technologies. At the very heart of Imagis' technology is a unique method of capturing facial data that is intrinsically more accurate. Whereas other solutions are limited through their reliance on outmoded facial recognition methods, Imagis uses a combination of spectral analysis and 3-D modeling to locate and fit a face, identifying over 692 facial descriptors in the process.

51. Once a face has been identified, it is converted into a deformable surface model. This surface modeling allows the face detection to work accurately with an infinite number of face shapes. Unlike other solutions, ID works equally well with all races and genders and is not fooled by a change in hairstyles, or the growth/ shaving of a beard.
Once a face has been captured and rendered, the software uses a proprietary algorithm to produce a wavelet that is unique to that image. It is this wavelet (compressed and encoded) that is used to make comparisons quickly in both one-to- one and one-to-many searches.

52. Vein Biometric Systems
Vein biometric systems record subcutaneous Infra Red absorption patterns to produce unique and private identification templates for users.
Veins and other subcutaneous features present large, robust, stable and largely hidden patterns. Subcutaneous features can be conveniently imaged within the wrist, palm, and dorsal surfaces of the hand.
The technology is a vascular barcode reader for people!
The technology can be applied to small personal biometric systems, generic biometric applications including intelligent door handles, door locks etc.

53. Vein Biometric Systems
Vein pattern IR. grey-scale images are binarized, compressed and stored within a relational database of 2D vein images. Subjects are verified against a reference template in under 200ms providing fast, robust biometric authentication.

54. Biometrics - Advantages
Can’t be lent like a physical key or token and can’t be forgotten like a password
Good compromise between ease of use, template size, cost and accuracy
Biometrics contains enough inherent variability to enable unique identification even in very large (millions of records) databases
Basically lasts forever - or at least until amputation or dismemberment
Makes network login & authentication effortless

55. Biometrics - Disadvantages
Still relatively expensive per user
Companies and products are often new and immature
No common API (Application Protocol Interface) or other standard
Some hesitancy for user acceptance

56. Biometrics - Practical Applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Pension, welfare, etc.)
Verifying identities at point of sale
Using in conjunction with ATM , credit or smart cards
Controlling physical access to office buildings or homes
Protecting personal property
Voting/Passports/Visas & Immigration

57. Biometrics - Privacy Issues
Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
Anonymity - Biometrics links to databases could dissolve much of our anonymity when we travel and access services
Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

58. Biometrics - Tenets
The indiscriminate and inappropriate application of biometric technologies will enslave us all.
Biometric technologies should be used to provide individuals with enhanced privacy, security, autonomy and convenience.
Users must insist on the application of personal biometric systems, where they own and control their own biometric data.
The implementation of biometric technologies must safeguard the rights and privileges of the individual whilst maintaining the security of the community.
Biometric technologies should not be used as tools to manage, control, marginalize or segregate groups or minorities within the population.

59. Deadman Door Locks
This system uses a pair of doors, between which is a holding area.
For the inside door to operate, the outside door must lock and close, with only the authorized person within the holding area.
This can reduce the risk of piggybacking, where an unauthorized person follows a authorized person into a restricted area.
Similar to the airlocks present in spacecraft.

60. Computing Facility Walls True Floor to Ceiling
Fire Rating (at least 1 hour)
Penetrations
Adjacent Areas
Doors
Interior/Exterior
Hinges
Fire Rating
Alarms
Monitoring

61. Computing Facility Windows/Openings Interior/Exterior Fixed
Shatterproof
Computer and Equipment Room Lay Out
Equipment Access
Storage
Occupied Areas
Water Sources
Cable Routing

62. Electrical Power Electrical Power Definitions:
Blackout - Loss of Power
Brownout - Prolonged Period of Below Normal Voltage
Noise - Random Disturbance that Interferes with a Device
Sag - Short Period of Low Voltage
Spike - Momentary High Voltage
Surge - Prolonged High Voltage
Transient - Line Noise/Disturbance at Normal Voltage

63. Electrical Power Electrical Power Controls Dedicated Circuits
Controlled Access to:
Power Distribution Panels
Master Circuit Breakers
Transformers
Feeder Cables
Emergency Power Off Controls
Voltage Monitoring/Recording
Surge Protection

64. Electrical Power Backup Power Alternate Feeders
Un-interruptible Power Supply
Emergency Power Generator

65. Electrical Power Backup Power Requirements Lighting
Physical Access Control Systems
Fire Protection Systems
Computing Equipment - Mainframes, Servers, etc
Communications Equipment
Telephone Systems
Air Conditioning

66. Air-conditioning Dedicated Controllable Independent Power
Emergency Shut Off Controls
Positive Pressure
Protected Air Intakes
Monitoring

67. Other Controls Humidity Controls Risk of Static Electricity
Risk to Electric Connections
Air Quality (Dust)
Water Protection
Falling Water
Rising Water
Drains
Protective Coverings
Moisture Detection Systems

68. Fire Prevention & Protection
Fire Elements:
Fuel
Oxygen
Temperature
Causes Of Computer Center Fires
#1: Electrical Distribution Systems
#2: Equipment
Fire Classes
A: Common Combustibles (use Water/Soda Acid)
B: Liquid (CO2/Soda Acid/Halon)
C: Electrical (CO2/Halon)

69. Fire Prevention & Protection
Temperatures When Damage Occurs
Paper Products: 350o
Computer Equipment: 175o
Disks: o
Magnetic Media: 100o

70. Fire Detection Manual Optical (Photoelectric-Smoke Blocking Light)
Temperature
Ionization (Reaction to Charged Particles in Smoke)

71. Fire Detectors On Ceilings Above Suspended Ceilings
Beneath Raised Floors
Return Air Ducts
Cross-Zoning

72. Fire Alarms Manual & Automated Activation Visual & Audible Indication
Local & Remote Annunciation

73. Fire Suppression - Portable Ext.
Portable Extinguishers
At Exits
Mark Locations and Type
Types A, B & C
Need to Inspect

74. Fire Suppression - Water
“Dry Pipe” Systems: Less Risk of Leakage
Employ in Throughout Building and in all Spaces
Works to Lower Temperature
Most Damaging to Equipment
Conventional Systems

75. Fire Suppression - CO2 Colorless/Odorless Potentially Lethal
Removes Oxygen
Best for Unattended Facilities
Delayed-Activation in Manned Facilities

76. Fire Suppression - Halon
Best Protection for Equipment
Inside Equipment Cabinets/Vaults
Special Areas
Above Suspended Ceilings
Under Raised Floors
Concentrations <10% are Safe
Becomes Toxic at 900o
Depletes Ozone (CFCs)
Halon 1301: Requires Pressurization
Halon 1211: Self-Pressurization (Portable Extinguishers)

77. Securing Storage Areas
Forms Storage Rooms
Increased Threat of Fire
Combustibles
Access Controls
Media Storage Rooms
Media Sensitivity
Segregation
Access Controls
Environmental Controls

78. Media Protection Storage Media Libraries/Special Rooms Cabinets Vaults
Location
Operational
Off-Site
Transportation

79. Protecting Wiring Optical Fiber Copper Wire
Certifying the Wiring and Cabling
Controlling Access to Closets and Riser Rooms

80. Other Considerations Dealing with Existing Facilities Planning
Upgrade/Renovation
Incremental New Construction
Protecting the Protection
Implement Physical and Environmental Controls for Security Systems
Protect against both Intentional and Inadvertent Threats

81. Other Terms & Abbreviations
Tailgate
Piggy-Back
Stay Behind
Degauss
Remanence
Mantrap
Pass-Back
Dumpster Diving
Montreal Protocol
Duress Alarm
Tamper Alarm
Passive Ultrasonic
Fail Safe/Fail Soft
EPO
IDS
Shoulder Surfing
Electronic Emanation
Tsunami
RFI
Defense in Depth
EMI
Top Guard

82. Thank You