Objectives
- To address the threats, vulnerabilities and countermeasures that can be used to physically protect an enterprise's resources and sensitive information, including people, facilities, data, equipment, support systems, media and supplies.
- To discuss the considerations for choosing a secure site, its design and configuration, the methods for securing the facility against unauthorized access and theft of equipment and information, and the environmental and safety measures needed to protect people, the facility and its resources.

Session Agenda
1. Physical Access Threats and Exposures
2. Site Location and Design
3. Physical Access Controls
4. Environmental Protection
5. Audit and Evaluation of Physical Access Controls

Threat Components
Every threat can be described by three components:
- Agents (who or what causes it)
- Motives
- Results
Human threats include:
- Theft
- Vandalism
- Sabotage
- Espionage
- Errors
- Blackmail

Human Threats
Exposures resulting from unauthorized entry:
- Damage, vandalism and theft of equipment or documents
- Copying, viewing or alteration of sensitive information
- Public disclosure of sensitive information
- Abuse of data processing resources
- Blackmail
- Embezzlement

Human Threats
Possible perpetrators include employees who are:
- Disgruntled or on strike
- Experiencing financial or emotional problems
- Threatened with disciplinary action
- Addicted to a substance or to gambling
- Notified of their termination
- Hired by a competing company

Personnel Access Controls
- Position sensitivity designation
- Management review of access lists
- Background screening and re-screening
- Termination and transfer controls
- Counseling for disgruntled employees

External / Internal Threats
Questions to ask:
- Are hardware facilities controlled to reduce the risk of unauthorized access?
- Are hardware facilities reasonably protected against forced entry?
- Are smart terminals locked or otherwise secured to prevent removal of boards, chips or the entire computer?
- Are authorized passes required before computer equipment can be removed from its normally secure environment?

External / Internal Threats
Facilities to be protected:
- Computer room, operator consoles and terminals
- Programming area
- Tape library, disks and all magnetic media
- Storage room and supplies
- Off-site backup file storage facility
- Input/output control room
- Power sources
- Disposal sites

Site Location and Design
Factors to evaluate:
- Local crime
- Visibility
- Emergency access
- Natural hazards
- Air and surface traffic
- Joint tenants
- Stable power supply
- Existing boundary protection (barriers, fencing, gates)
Site Boundary Protection
Area designation facilitates enforcement of:
- Vehicular access
- Personnel access: occupants, and visitors (escorted and logged)
Fences:
- Deter casual trespassing
- Complement other access controls
- Aesthetics matter
- Will not stop a determined intruder

Site Boundary Protection
CCTV (closed-circuit television):
- Efficient coverage of many points at once
- Requires a human response to be of any use
- Limitations: someone must watch the monitors and act on what they show
Staffing:
- Access control points
- Patrols
- Employees

Physical Access Controls
- Guards
- Fences
- Barriers
- Lighting
- Keys and locks
- Badges
- Escorts
- Property controls
- Monitoring and detection systems

Physical Access Controls
Common physical access controls:
- Computer terminal locks
- Video cameras
- Security guards and alarm systems
- Controlled visitor access
- Bonded personnel
- Confidential location of sensitive facilities
- Controlled single point of entry and exit
- Motion detection systems

Physical Access Controls
Common physical access controls (continued):
- Bolting door locks
- Cipher or keypad locks
- Electronic door locks
- Biometric access controls
- Deadman door locks
- Manual and electronic logging
- Identification badges

Environmental Protection
- Computing facility
- Electrical power controls
- Air conditioning
- Fire prevention, detection and suppression
- Media storage protection
- Other considerations

Audit and Evaluation
Check the location of:
- All operator consoles
- Printer rooms
- Computer storage rooms
- UPS and generator rooms
- Communications equipment
- Tape library
- Off-site storage facility

Audit and Evaluation
Check the following paths of physical entry:
- All entry doors
- Glass windows and walls
- Movable walls and modular furniture
- Above false ceilings and below raised floors
- Ventilation systems

Keypad Locks
Electronic keypad systems use a digital keyboard. Points to evaluate:
- Number of combinations
- Number of digits in the code
- Frequency of code change
- Error lock-out
- Error alarms
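The points above interact: the number of combinations only measures resistance if the lock also enforces an error lock-out and the code is changed before an attacker can be expected to find it. The script below is an added example (not from the original deck) that models this. It assumes a 10-digit keypad, a fixed code length, and a lock-out that freezes the pad for a fixed number of minutes after a fixed number of wrong codes; it also shows, for a lock that checks the last few keypresses continuously instead of waiting for an enter key (whether a given lock does this is an assumption to verify on site), how a de Bruijn sequence tries every code with barely more keypresses than there are codes.

```python
"""Keypad lock: keyspace versus real attack effort.

Added example for the keypad-lock slide, not code from the original deck.
Assumptions (none of them stated on the slide): a 10-digit keypad, a code of
fixed length, and an error lock-out that freezes the pad for a fixed number
of minutes after a fixed number of consecutive wrong codes.
"""


def de_bruijn(k: int, n: int) -> str:
    """Cyclic digit string in which every length-n code over k digits appears
    exactly once (standard recursive construction). Used to show how many
    keypresses a lock without an enter key really costs to brute-force."""
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(str(d) for d in out)


def covers_every_code(stream: str, digits: int) -> bool:
    """True if every `digits`-long code occurs as a window of the keypress stream."""
    windows = {stream[i:i + digits] for i in range(len(stream) - digits + 1)}
    return len(windows) == 10 ** digits


def keypresses_with_enter_key(digits: int) -> int:
    """Lock that needs an enter key: every attempt costs digits + 1 presses."""
    return 10 ** digits * (digits + 1)


def keypresses_sliding_window(digits: int) -> int:
    """Lock that continuously checks the last `digits` presses (no enter key):
    a de Bruijn stream plus digits - 1 wrap-around presses tries every code."""
    return 10 ** digits + digits - 1


def expected_bruteforce_hours(digits: int, lockout_after: int, lockout_minutes: float) -> float:
    """Expected time to hit a uniformly chosen code when the pad locks for
    lockout_minutes after lockout_after consecutive wrong codes. Keypress time
    is ignored, so this is a lower bound on the attacker's effort."""
    expected_guesses = 10 ** digits / 2          # on average, half the keyspace
    lockout_cycles = expected_guesses / lockout_after
    return lockout_cycles * lockout_minutes / 60


def code_change_interval_ok(digits: int, lockout_after: int, lockout_minutes: float,
                            change_every_days: int) -> bool:
    """Policy check: the code must be rotated before a patient attacker is
    expected to find it."""
    return change_every_days * 24 < expected_bruteforce_hours(digits, lockout_after, lockout_minutes)


if __name__ == "__main__":
    stream = de_bruijn(10, 4)
    print("4-digit lock with enter key:", keypresses_with_enter_key(4), "presses")
    print("4-digit sliding-window lock:", keypresses_sliding_window(4), "presses;",
          "covers all codes:", covers_every_code(stream + stream[:3], 4))
    print("4 digits, lock-out 3 tries / 5 min: expected",
          round(expected_bruteforce_hours(4, 3, 5), 1), "hours")
    print("90-day code change adequate?", code_change_interval_ok(4, 3, 5, 90))
```

With a 4-digit code and a 3-try, 5-minute lock-out the expected attack takes under six days, so a 90-day code change interval fails the check; six digits and a 15-minute lock-out pass it comfortably. Without any lock-out, a sliding-window lock falls to a 10003-keypress stream regardless of the code change interval.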
Electronic Door Locks
- The system uses a plastic card with a magnetic stripe or an embedded chip, swiped or presented to a reader to gain access to a restricted area.
- Through an internal code, each card is assigned to an identifiable individual.
- Individuals can be given selective access to areas based on need, time-of-day restrictions and so on.
- The cards should be difficult to duplicate.
- Card entry can be deactivated quickly for terminated employees or when a card is reported lost or stolen.
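The authorization logic behind those bullets, as an added example (not code from the deck or from any lock vendor): each card serial maps to a holder and a set of per-area, time-of-day grants, revocation keeps the card on file but dead, and every decision is logged. All serials, names, areas and schedules are constructed for the demonstration.

```python
"""Electronic door-lock authorization: card -> holder -> area and time-of-day
grants, with revocation of lost, stolen or terminated cards.

Added example for the electronic-door-lock slide, not code from the deck or
from any lock vendor. All card serials, names, areas and schedules are
constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Tuple

WEEKDAYS = frozenset(range(5))      # Monday..Friday
EVERY_DAY = frozenset(range(7))


@dataclass(frozen=True)
class Grant:
    area: str
    start: time            # window start, inclusive
    end: time              # window end, exclusive; start > end means it crosses midnight
    days: FrozenSet[int]   # datetime.weekday() values allowed

    def allows(self, area: str, when: datetime) -> bool:
        if area != self.area or when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end       # overnight window


@dataclass
class Card:
    serial: str            # the internal code that ties the card to one person
    holder: str
    grants: Tuple[Grant, ...]
    revoked: bool = False


class AccessController:
    def __init__(self) -> None:
        self.cards: Dict[str, Card] = {}
        self.log: List[Tuple[datetime, str, str, str, str]] = []   # electronic logging

    def enroll(self, card: Card) -> None:
        self.cards[card.serial] = card

    def revoke(self, serial: str) -> None:
        """Lost, stolen or terminated: the card stays on file (for audit) but is dead."""
        self.cards[serial].revoked = True

    def request(self, serial: str, area: str, when: datetime) -> bool:
        card = self.cards.get(serial)
        if card is None:
            decision, holder = "DENY:unknown-card", "?"
        elif card.revoked:
            decision, holder = "DENY:revoked", card.holder
        elif any(g.allows(area, when) for g in card.grants):
            decision, holder = "GRANT", card.holder
        else:
            decision, holder = "DENY:no-grant", card.holder
        self.log.append((when, serial, holder, area, decision))
        return decision == "GRANT"


def build_demo_controller() -> AccessController:
    """Constructed enrollment data for the demo."""
    ctl = AccessController()
    ctl.enroll(Card("0001", "alice", (
        Grant("server-room", time(8, 0), time(18, 0), WEEKDAYS),
        Grant("office", time(6, 0), time(22, 0), EVERY_DAY))))
    ctl.enroll(Card("0002", "bob", (Grant("office", time(8, 0), time(18, 0), WEEKDAYS),)))
    ctl.enroll(Card("0003", "carol", (Grant("server-room", time(22, 0), time(6, 0), EVERY_DAY),)))
    return ctl


def run_demo() -> Dict[str, bool]:
    """A day of constructed access requests (2024-03-05 is a Tuesday)."""
    ctl = build_demo_controller()
    results = {
        "alice server-room Tue 10:00": ctl.request("0001", "server-room", datetime(2024, 3, 5, 10, 0)),
        "alice server-room Sat 10:00": ctl.request("0001", "server-room", datetime(2024, 3, 9, 10, 0)),
        "bob server-room Tue 10:00": ctl.request("0002", "server-room", datetime(2024, 3, 5, 10, 0)),
        "carol server-room Tue 23:30": ctl.request("0003", "server-room", datetime(2024, 3, 5, 23, 30)),
        "carol server-room Wed 03:00": ctl.request("0003", "server-room", datetime(2024, 3, 6, 3, 0)),
        "carol server-room Tue 12:00": ctl.request("0003", "server-room", datetime(2024, 3, 5, 12, 0)),
    }
    ctl.revoke("0002")                                         # bob reports his card lost
    results["bob office after revocation"] = ctl.request("0002", "office", datetime(2024, 3, 5, 10, 0))
    results["unknown card"] = ctl.request("9999", "office", datetime(2024, 3, 5, 10, 0))
    results["every request was logged"] = len(ctl.log) == 8
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:32s} {value}")
```

Two details matter for audit: a revoked card is refused but still identifies its former holder in the log, and an overnight window (carol's 22:00 to 06:00 shift) is handled explicitly rather than silently denying the early-morning half.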
Access Controls - Dumb Cards
- Photo identification badges
- Manual visual verification
- Can be combined with smart technology

Access Controls - Smart Cards
- Digitally coded (smart) cards
- Often require a PIN to be used with the card
- Card readers: card insertion, card swipe and proximity

Types of Access Cards
Vendor example: GemClub Memo has been winning the confidence of application developers because it is a proven and secure memory-card technology in the smart card market, with several million cards in the field and 100 live applications such as:
- Public (transportation, driving licence, health care, fleet cards)
- Reward (loyalty, voucher, prepaid)
- Access control (logical or physical)
- Electronic purse (in closed payment schemes)

Biometrics - Access Controls
- Authenticates a user via human characteristics.
- An individual's unique body features, such as fingerprint, signature, voice or retina, can be used to identify the individual.
- Complicated and expensive.
- Used for extremely sensitive facilities, such as military installations.

Fingerprint Verification
- Fingerprint scanning products are the most common type on the market today. Properly implemented, fingerprints offer the potential for high accuracy.
- The readers tend to be small, easily incorporated into a keyboard for example.
- Relatively low cost, and integration is usually easy.
- Cuts or dirt on the finger can cause some systems not to recognize a valid fingerprint.
- Some fingerprint scanners also check for a pulse, so that a lifted or artificial print is not accepted.

The State of Connecticut began using fingerprint readers in 1996 to catch welfare cheats who came in to pick up cheques. The fingerprint scanners, which cost about $200 from Identix Corp., use a digital camera to capture the fingerprints. Imaging software from National Registry Inc. compares the scanned image with the one stored on a server. The $5.1 million project is said to have saved the state $9 million in welfare fraud.

DigitalPersona U.are.U Personal
DigitalPersona has released a new version of its consumer-friendly fingerprint reader, the U.are.U Personal. The software replaces passwords for Microsoft Windows XP, creating a more secure and more convenient solution for homes and small businesses where one PC serves many masters. Though not perfect, the U.are.U is a trouble-free convenience that helps protect your privacy.

I/O Software, a California company, markets a fingerprint ID system that controls access to a computer right after it is turned on, before it boots. The system uses Sony's Fingerprint Identification Unit, which plugs into the serial port. If the fingerprint does not match, the system stops the computer's Basic Input Output System (BIOS) from starting up.

Sony FIU-710
PC Magazine: "The Puppy was the only model we evaluated that performed flawlessly on all of our tests, enrolling and verifying percent of our test subjects, though we could enroll only 10 people on the Puppy, as opposed to 100 on the other devices. Plus we were able to shuttle it easily among different PCs."
TimeCentre's BioMouse
Vendor description: the world's first mouse to offer total PC and network security with the touch of a finger. It brings fingerprint recognition technology to a workstation, positively identifying who is accessing the PC and who is clocking in each day. The BioMouse can be used in conjunction with TimeCentre's PC entry and browser-based PC entry system on a workstation or kiosk. In a PC kiosk environment, the BioMouse can ensure the identity of each valid user.

Hand Geometry
- Hand geometry measures the physical characteristics of the user's hand and fingers.
- It is one of the most established methods and typically offers a good balance of performance and ease of use.
- It is most widely used in physical access control and time-and-attendance systems. It is not currently in wide deployment for computer security applications, primarily because it requires a large scanner.

Biometric Hand Punch
Vendor description: TimeCentre's Hand Punch clocks positively identify each employee by the unique size and shape of his or her hand, increasing the security and accuracy of the company's time data, a balance between security and convenience.
- Eliminates "buddy punching" and guarantees the accuracy of punch data
- Eliminates early-in punches
- Eliminates unauthorized overtime punches
- No cards or badges are needed: the employee's hand is the time card

Sensar is offering its iris recognition system to ATM manufacturers as an alternative to passwords and PINs. When a bank card is inserted into an ATM, a stereo camera locates the person's face, zooms in on the eye and takes a digital photograph of it. The features of the eye are then compared with the image provided to the bank when the customer signed up. All this can be done in less than two seconds at a distance of up to 3 feet. The system is expected to add $2,000 to $3,000 to the cost of an average ATM, which now can cost up to $40,000. Several banks are testing Sensar's system, including banks in the United States, United Kingdom and Japan.

Voice Recognition
- Voice recognition is perhaps the method most desirable to users, since everyone seems to want to talk to computers.
- In practice, implementation is extremely difficult. While recent advances in voice recognition have greatly improved the technology, it is still subject to problems.
- Local acoustics, background noise, microphone quality, the common cold, anxiety, being in a hurry and anger can all alter the human voice enough to make voice recognition difficult or impossible.
- Voice recognition systems also tend to have the most difficult and time-consuming enrollment process and require the most space for template storage.

Periphonics Corp.
In February 1998, Periphonics Corp., a maker of interactive voice response systems, announced that it would integrate voice identification into its automated call processing applications. The system could be used by banks and credit card companies, which rely heavily on interactive call systems. When a customer phones for service, the system asks for a password. The voice sample is then compared with one taken during enrollment. Periphonics says the error rate is around 1% to 2%. The attraction of voice recognition is that it can be performed over the phone system without the need for special cameras or other equipment.
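A single "error rate" like the 1% to 2% quoted above hides the two numbers that actually matter for a verification system: the false accept rate (impostors let in) and the false reject rate (legitimate users turned away), which move in opposite directions as the match threshold changes. The following is an added example, not code from the deck or from Periphonics; the match scores are constructed, not measurements from any product, and the convention that a higher score is a stronger match accepted at or above a threshold is an assumption.

```python
"""False accept rate, false reject rate and equal error rate from match scores.

Added example, not code from the deck or from Periphonics. The score lists are
constructed (not measurements from any product): a higher score means a
stronger match, and the system accepts when score >= threshold.
"""
from typing import List, Tuple

# Constructed match scores: GENUINE are attempts by the enrolled person,
# IMPOSTOR are attempts by someone else claiming that identity.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.90, 0.67, 0.86, 0.79, 0.93]
IMPOSTOR = [0.21, 0.35, 0.62, 0.44, 0.18, 0.71, 0.29, 0.52, 0.39, 0.26]


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Fraction of impostor attempts the system wrongly accepts (a security failure)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Fraction of genuine attempts the system wrongly rejects (a usability failure)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest, returned with both rates.
    Candidate thresholds are the observed scores, since only those change a decision."""
    best = None
    for t in sorted(set(genuine + impostor)):
        far = false_accept_rate(impostor, t)
        frr = false_reject_rate(genuine, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def blended_error_rate(genuine: List[float], impostor: List[float],
                       threshold: float, genuine_share: float) -> float:
    """A single 'error rate' as a vendor might quote it. It depends on what share
    of attempts are genuine, so on its own it says little about security."""
    far = false_accept_rate(impostor, threshold)
    frr = false_reject_rate(genuine, threshold)
    return genuine_share * frr + (1 - genuine_share) * far


if __name__ == "__main__":
    for t in (0.6, 0.71, 0.75):
        print(f"threshold {t:.2f}: FAR={false_accept_rate(IMPOSTOR, t):.2f} "
              f"FRR={false_reject_rate(GENUINE, t):.2f}")
    t, far, frr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    print("blended rate at 0.60, 90% genuine traffic:",
          round(blended_error_rate(GENUINE, IMPOSTOR, 0.6, 0.9), 3))
    print("blended rate at 0.60, 50% genuine traffic:",
          round(blended_error_rate(GENUINE, IMPOSTOR, 0.6, 0.5), 3))
```

On these constructed scores the same system at the same threshold reports a 2% blended error rate when nine in ten callers are genuine and a 10% rate when half are impostors, while its false accept rate is 20% in both cases. When evaluating a vendor claim, ask for FAR and FRR at the threshold you will actually deploy.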
Retinal Scanning
- Retinal scanning is well established and can provide high accuracy.
- User acceptance may be a problem, however: "You're not shooting a laser into my eye!" In reality, retinal scanners do not employ a laser; they scan using low-intensity light and are considered quite safe.
- One drawback is that the user must look directly into the retinal reader. This is inconvenient for eyeglass wearers.
- In public applications there may also be concerns about the spread of germs, because of the need for physical contact with the retinal scanner.
- Another problem is that the user must focus on a given point for the scan. Failure to focus correctly significantly reduces accuracy.

EyeDentify Biometric Retina Reader
Vendor description: the EyeDentify Biometric Retina Reader provides dual-level access security. A keypad code must be followed by retina pattern verification, which takes less than two seconds from up to 3 inches away. Retinal vascular patterns are described as the most accurate biometric recognition features, providing the highest level of biometric security. The reader can be interfaced with ECS access control systems or used in stand-alone applications.

Iris Scanning
- Iris scanning overcomes most of the problems of retinal scanners.
- Because the iris (the colored part of the eye) is visible from a distance, direct contact with the scanner is not required, nor is it necessary to remove eyeglasses.
- The technology works by scanning the unique random patterns of the iris.
- Interestingly, the method does not rely on iris color (the camera used is black-and-white). This matters because of the popularity of colored contact lenses; some vendors claim their systems work with colored contacts and even through non-reflective sunglasses.

Panasonic Authenticam Iris Recognition Camera
Vendor description: in 1994 Iridian's John Daugman introduced the concept of iris recognition technology, capturing the unique patterns in a human iris to authenticate identity. Like fingerprints, no two irises are alike. The Authenticam verifies a user's identity by scanning the person's iris and matching the pattern with the template stored at enrollment. The vendor contrasts this with a retinal scanner that "shoots a laser beam into the eye" while the user is in contact with the device (as noted above, retinal scanners actually use low-intensity light, not a laser); the iris scanner allows the user to be about 20 inches away from the camera.

Signature Verification
- Signature verification enjoys a synergy the other technologies do not, since people are used to signing for things. There is a greater feeling of normalcy.
- While signature verification has proved to be relatively accurate, very few available products implement the technology.

Facial Recognition
- Facial recognition is one of the newest biometric methods and has attracted a lot of attention.
- Unfortunately, extravagant claims that proved difficult to substantiate cooled much of the enthusiasm.
- It is not overly difficult to match two static images. Picking an individual out of a group, as some systems claim to be able to do, is another matter entirely.
- Progress continues to be made with this young technology, and to date facial recognition systems have had some success in practical applications.

The FaceIT PC desktop software, which sells for $150, is used on a PC with a video camera. The system automatically detects human presence, locates and tracks faces and identifies people. The recognition process, which is based on 64 features of the face, takes less than a second. When the user steps away from the computer, FaceIT becomes a screensaver and locks the computer. The machine is unlocked only when the computer detects and recognizes the user. Files are secured through encryption. The technology has been or will be used in other applications, including ATMs, airport passenger and baggage security, and border crossings.

Imagis (vendor description)
Imagis' proprietary technology uses more than 692 facial descriptors to capture and identify a face, which the vendor says is ten times more than other technologies. At the heart of the technology is a method of capturing facial data that the vendor claims is intrinsically more accurate: whereas other solutions rely on older facial recognition methods, Imagis uses a combination of spectral analysis and 3-D modeling to locate and fit a face, identifying over 692 facial descriptors in the process.

Once a face has been located, it is converted into a deformable surface model. This surface modeling allows face detection to work with an unlimited variety of face shapes. The vendor states that the system works equally well with all races and genders and is not fooled by a change in hairstyle or the growth or shaving of a beard. Once a face has been captured and rendered, the software uses a proprietary algorithm to produce a wavelet that is unique to that image. It is this wavelet (compressed and encoded) that is used to make comparisons quickly in both one-to-one and one-to-many searches.
Vein Biometric Systems
- Vein biometric systems record subcutaneous infrared absorption patterns to produce unique and private identification templates for users.
- Veins and other subcutaneous features present large, robust, stable and largely hidden patterns. Subcutaneous features can be conveniently imaged in the wrist, the palm and the dorsal surface of the hand.
- The technology is, in effect, a vascular barcode reader for people.
- It can be applied to small personal biometric systems and to generic biometric applications, including intelligent door handles, door locks and so on.

Vein Biometric Systems
Vein-pattern infrared grey-scale images are binarized, compressed and stored in a relational database of 2-D vein images. Subjects are verified against a reference template in under 200 ms, providing fast, robust biometric authentication.

Biometrics - Advantages
- Cannot be lent like a physical key or token, and cannot be forgotten like a password
- Good compromise between ease of use, template size, cost and accuracy
- Biometrics contain enough inherent variability to enable unique identification even in very large (millions of records) databases
- Basically lasts forever, or at least until amputation or dismemberment
- Makes network login and authentication effortless

Biometrics - Disadvantages
- Still relatively expensive per user
- Companies and products are often new and immature
- No common API (application programming interface) or other standard
- Some hesitancy in user acceptance

Biometrics - Practical Applications
- Network access control
- Staff time and attendance tracking
- Authorizing financial transactions
- Government benefits distribution (pensions, welfare, etc.)
- Verifying identities at point of sale
- Use in conjunction with ATM, credit or smart cards
- Controlling physical access to office buildings or homes
- Protecting personal property
- Voting, passports, visas and immigration

Biometrics - Privacy Issues
- Tracking and surveillance: ultimately, the ability to track a person's movements from hour to hour
- Anonymity: linking biometrics to databases could dissolve much of our anonymity when we travel and access services
- Profiling: compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Biometrics - Tenets
- The indiscriminate and inappropriate application of biometric technologies will enslave us all.
- Biometric technologies should be used to provide individuals with enhanced privacy, security, autonomy and convenience.
- Users must insist on the application of personal biometric systems, where they own and control their own biometric data.
- The implementation of biometric technologies must safeguard the rights and privileges of the individual while maintaining the security of the community.
- Biometric technologies should not be used as tools to manage, control, marginalize or segregate groups or minorities within the population.

Deadman Door Locks
- This system uses a pair of doors with a holding area between them.
- For the inside door to operate, the outside door must close and lock, with only the authorized person within the holding area.
- This reduces the risk of piggybacking, where an unauthorized person follows an authorized person into a restricted area.
- Similar to the airlocks in spacecraft.
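The interlock rules above (both doors never open together, inner door only for exactly one authorized person after the outer door has relocked) are easiest to get right as an explicit state machine. The following is an added example, not code from the deck or from any door-controller vendor; it assumes an occupancy sensor that reports how many people are in the holding area, credential checks at the inner door, and a controller that is the only thing able to unlock either door.

```python
"""Deadman door (mantrap) interlock as a small state machine.

Added example for the deadman-door slide, not code from the deck or from any
door-controller vendor. Assumptions: an occupancy sensor reports how many
people are in the holding area, credentials are checked at the inner door,
and the controller is the only thing that can unlock either door.
"""
from typing import Iterable, List


class Mantrap:
    def __init__(self, authorized: Iterable[str]) -> None:
        self.authorized = set(authorized)   # credentials allowed into the secure side
        self.outer_locked = True
        self.inner_locked = True
        self.occupancy = 0                  # persons in the holding area (sensor reading)
        self.events: List[str] = []

    def _log(self, msg: str) -> None:
        self.events.append(msg)

    def invariant_holds(self) -> bool:
        """The two doors are never unlocked at the same time."""
        return self.outer_locked or self.inner_locked

    def unlock_outer(self) -> bool:
        """Outer door opens from the public side, but only while the inner door is locked."""
        if not self.inner_locked:
            self._log("DENY outer: inner door is open")
            return False
        self.outer_locked = False
        self._log("outer unlocked")
        return True

    def close_outer(self, persons_inside: int) -> None:
        """Outer door closes and relocks; the sensor reports who came in."""
        self.outer_locked = True
        self.occupancy = persons_inside
        self._log(f"outer locked, occupancy={persons_inside}")

    def unlock_inner(self, credential: str) -> bool:
        """Inner door opens only for exactly one authorized person, with the outer door locked."""
        if not self.outer_locked:
            self._log("DENY inner: outer door not locked")
            return False
        if credential not in self.authorized:
            self._log(f"DENY inner: credential {credential!r} not authorized")
            return False
        if self.occupancy != 1:
            self._log(f"ALARM: {self.occupancy} persons in holding area, possible piggyback")
            return False
        self.inner_locked = False
        self._log(f"inner unlocked for {credential}")
        return True

    def close_inner(self) -> None:
        """Person has passed through; the holding area is empty again."""
        self.inner_locked = True
        self.occupancy = 0
        self._log("inner locked, holding area empty")


def normal_entry(trap: Mantrap, credential: str) -> bool:
    """One authorized person walks through; returns True if admitted."""
    ok = trap.unlock_outer()
    trap.close_outer(persons_inside=1)
    ok = ok and trap.unlock_inner(credential)
    if ok:
        trap.close_inner()
    return ok and trap.invariant_holds()


def piggyback_attempt(trap: Mantrap, credential: str) -> bool:
    """Two people enter behind one badge; the inner door must stay shut."""
    trap.unlock_outer()
    trap.close_outer(persons_inside=2)
    return trap.unlock_inner(credential)


if __name__ == "__main__":
    trap = Mantrap(["alice"])
    print("normal entry admitted:", normal_entry(trap, "alice"))
    trap = Mantrap(["alice"])
    print("piggyback admitted:", piggyback_attempt(trap, "alice"))
    for line in trap.events:
        print("  ", line)
```

The occupancy check is what turns a pair of doors into a deadman door: without it the holding area only sequences the doors and does nothing against tailgating. In a real installation the sensor itself (weight mat, beam, camera) becomes the component to test, because the whole control depends on its count being honest.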
Computing Facility
Walls:
- True floor-to-ceiling construction
- Fire rating (at least 1 hour)
- Penetrations
- Adjacent areas
Doors:
- Interior/exterior
- Hinges
- Fire rating
- Alarms
- Monitoring

Electrical Power
Definitions:
- Blackout: loss of power
- Brownout: prolonged period of below-normal voltage
- Noise: random disturbance that interferes with a device
- Sag: short period of low voltage
- Spike: momentary high voltage
- Surge: prolonged high voltage
- Transient: line noise or disturbance at normal voltage
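Those definitions differ only in direction (low or high) and duration (momentary or prolonged), which is exactly what a voltage monitor records. The following is an added example, not code from the deck: it classifies a constructed one-sample-per-second trace into blackout, brownout, sag, spike and surge events. The nominal voltage, the 90% / 110% / 10% thresholds, and the 3-second boundary between "short" and "prolonged" are illustrative assumptions, not a standard; real monitors sample far faster, and noise and transients (disturbances at normal voltage) are not visible in RMS samples at all.

```python
"""Classifying power disturbances from voltage samples, using the definitions
on the slide above (blackout, brownout, sag, spike, surge).

Added example, not code from the deck. Assumptions: a 120 V nominal supply
sampled once per second; "low" is below 90% of nominal, "high" above 110%,
"loss of power" below 10%; "short"/"momentary" means under 3 seconds and
"prolonged" 3 seconds or more. Noise and transients occur at normal voltage
and cannot be seen in data like this.
"""
from typing import List, Tuple

NOMINAL_VOLTS = 120.0
LOW_RATIO, HIGH_RATIO, BLACKOUT_RATIO = 0.90, 1.10, 0.10
PROLONGED_SECONDS = 3


def sample_class(volts: float) -> str:
    """Bucket one sample as none (power lost), low, high or normal."""
    if volts < NOMINAL_VOLTS * BLACKOUT_RATIO:
        return "none"
    if volts < NOMINAL_VOLTS * LOW_RATIO:
        return "low"
    if volts > NOMINAL_VOLTS * HIGH_RATIO:
        return "high"
    return "normal"


def event_name(kind: str, seconds: int) -> str:
    """Map a run of abnormal samples onto the slide's vocabulary."""
    if kind == "none":
        return "blackout"
    if kind == "low":
        return "brownout" if seconds >= PROLONGED_SECONDS else "sag"
    return "surge" if seconds >= PROLONGED_SECONDS else "spike"


def classify_events(samples: List[float]) -> List[Tuple[str, int, int]]:
    """Return (event, start_second, duration_seconds) for each run of abnormal samples."""
    events = []
    run_kind, run_start = "normal", 0
    for i, v in enumerate(samples + [NOMINAL_VOLTS]):   # sentinel flushes the final run
        kind = sample_class(v)
        if kind != run_kind:
            if run_kind != "normal":
                events.append((event_name(run_kind, i - run_start), run_start, i - run_start))
            run_kind, run_start = kind, i
    return events


# Constructed one-sample-per-second trace (volts); not a real recording.
SAMPLE_TRACE = [120, 121, 119,          # normal
                135,                    # 1 s high  -> spike
                120, 120,
                100, 102,               # 2 s low   -> sag
                120,
                140, 138, 137, 136,     # 4 s high  -> surge
                120,
                95, 97, 96, 98, 99,     # 5 s low   -> brownout
                120,
                0, 0, 0,                # 3 s none  -> blackout
                120]

if __name__ == "__main__":
    for name, start, secs in classify_events(SAMPLE_TRACE):
        print(f"t={start:3d}s  {name:8s} {secs} s")
```

A run that goes straight from low to high without a normal sample in between is reported as two events, which is what you want when reviewing UPS logs after an incident: the sag and the surge get separate timestamps.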
Electrical Power
Power controls:
- Dedicated circuits
- Controlled access to power distribution panels, master circuit breakers, transformers, feeder cables and emergency power-off controls
- Voltage monitoring and recording
- Surge protection

Electrical Power
Backup power:
- Alternate feeders
- Uninterruptible power supply (UPS)
- Emergency power generator

Electrical Power
Backup power requirements (what must stay powered):
- Lighting
- Physical access control systems
- Fire protection systems
- Computing equipment: mainframes, servers, etc.
- Communications equipment
- Telephone systems
- Air conditioning

Air Conditioning
- Dedicated and controllable
- Independent power
- Emergency shut-off controls
- Positive pressure
- Protected air intakes
- Monitoring

Other Controls
Humidity controls:
- Risk of static electricity (air too dry)
- Risk to electrical connections (air too humid)
Air quality (dust)
Water protection:
- Falling water
- Rising water
- Drains
- Protective coverings
- Moisture detection systems

Fire Prevention and Protection
Fire elements (all three are needed):
- Fuel
- Oxygen
- Temperature (heat)
Causes of computer center fires:
1. Electrical distribution systems
2. Equipment
Fire classes:
- A: common combustibles (use water or soda acid)
- B: liquids (CO2, soda acid or Halon)
- C: electrical (CO2 or Halon)
Fire Suppression - Portable Extinguishers
- Locate at exits
- Mark locations and type
- Types A, B and C
- Need periodic inspection

Fire Suppression - Water
- Conventional (wet pipe) systems hold water in the pipes at all times
- "Dry pipe" systems keep the pipes empty until a valve opens: less risk of leakage
- Employed throughout the building and in all spaces
- Works by lowering temperature
- Most damaging to equipment

Fire Suppression - CO2
- Colorless and odorless
- Potentially lethal: removes oxygen
- Best for unattended facilities
- Delayed activation in manned facilities, so that people can evacuate first

Fire Suppression - Halon
- Best protection for equipment
- Used inside equipment cabinets and vaults, and in special areas: above suspended ceilings, under raised floors
- Concentrations below 10% are safe for people
- Becomes toxic at 900°F
- Depletes ozone (a CFC)
- Halon 1301: requires pressurization (fixed systems)
- Halon 1211: self-pressurizing (portable extinguishers)

Securing Storage Areas
Forms storage rooms:
- Increased threat of fire (combustibles)
- Access controls
Media storage rooms:
- Media sensitivity
- Segregation
- Access controls
- Environmental controls

Media Protection
Storage:
- Media libraries and special rooms
- Cabinets
- Vaults
Location:
- Operational
- Off-site
- Transportation

Protecting Wiring
- Optical fiber
- Copper wire
- Certifying the wiring and cabling
- Controlling access to closets and riser rooms

Other Considerations
Dealing with existing facilities:
- Planning upgrade or renovation
- Incremental
- New construction
Protecting the protection:
- Implement physical and environmental controls for the security systems themselves
- Protect against both intentional and inadvertent threats