83-10-15 Physical Previous screen Tom Peltier Payoff All computer or programs begin with protecting the physical environment. With the advent of workstations, laptops, and telecommuting, providing adequate physical security has become a major challenge. This article examines current techniques for securing the entire enterprise most cost effectively, including the latest developments in biometrics.

Introduction Before any controls can be implemented into the workplace, it is necessary to assess the current level of security. This can be accomplished in a number of ways. The easiest one is a “walk-about.” After hours, walk through the facility and check for five key controls: á Office doors are locked. á Desks and cabinets are locked. á Workstations are secured. á Diskettes are secured. á Company information is secured. Checking for these five key control elements will give you a basic understanding of the level of controls already in place and a benchmark for measuring improvements once a security control system is implemented. Typically, this review will nearly show a 90% control deficiency rate. A second review is recommended 6 to 9 months after the new security controls are in place. This article examines two key elements of basic : physical security and biometrics. Physical security protects your organization's physical computer facilities. It includes access to the building, to the computer room(s), to the computers (mainframe, mini, and micros), to the magnetic media, and to other media. Biometrics devices record physical traits (i.e., fingerprint, palm-print, facial features, etc.) or behavioral traits (signature, typing habits, etc.).

A Brief History In the beginning of the computer age, it was easy to protect the systems; they were locked away in a lab and only a select few “wizards” were granted access. Today, computers are cheaper, smaller, and more accessible to almost everyone. During the mid-twentieth century, the worldwide market for mainframe computer systems exploded. As the third-generation systems became available in the 1960s, companies began to understand their dependence on these systems. By the midÐ to late- 1970s, the security industry began to catch up, with Halon fire suppression systems, card access, and RACF and ACF2. In the final quarter of the century, mainframe-centered computing was at its zenith. By 1983, the affordable portable computer began to change the working landscape for information security professionals. An exodus from the mainframe to the desktop began. The controls that had been so hard won in the previous two decades were now considered the cause of much bureaucracy. Physical security is now needed in desktops. For years, Previous screen conventional thinking was that a computer is a computer is a computer is a computer. Controls are even more important in the desktop or workstation environment than in the mainframe environment. The computing environment is now moving from the desktop to the user. With the acceptance of telecommuting, the next challenge will be to apply physical security solutions to the user-centered computing environment. With computers on every desk connected via networks to other local and remote systems, physical security needs must be reviewed and upgraded wherever necessary. Advances in computer and communications security are not enough; physical security remains a vitally important component of an overall information security plan.

Where to Focus Attention Before implementing any form of physical security, it may be helpful to conduct a limited business impact analysis (BIA) to focus on existing threats to the computer systems and determine where resources can best be spent. It is very important to consider all potential threats, even unlikely ones. Ignore those with a zero likelihood, such as a tsunami in Phoenix or a sandstorm in Maui. A very simple BIA could be diagramed as shown in Exhibit 1.

A Business Impact Analysis Example

An unlimited number of threats can be of concern to your organization. Any number of high-likelihood threats can be identified. First consider those threats that might actually affect your organization (e.g., fire, flood, or fraud). Three elements are generally associated with each threat: á The agent. The destructive agent can be a human, a machine, or nature. á The motive. The only agent that can threaten accidentally and intentionally is human. á The results. For the information systems community, this would be a loss of access or unauthorized access, modification, or disclosure or destruction of data or information. The focus of physical security has often been on human-made disasters, such as sabotage, hacking, and human error. Don't forget that the same kinds of threats can also occur from natural disasters.

Natural Disasters and Controls

Fire A conflagration affects information systems through heat, smoke, or suppression agent (e.g., fire extinguishers and water) damage. This threat category can be minor, major, and catastrophic. Controls. Previous screen Install smoke detectors near equipment. Keep fire extinguishers near equipment and train employees in their proper use. Conduct regular fire evacuation exercises.

Environmental Failure This type of disaster includes any interruption in the supply of controlled environmental support provided to the operations center. Environmental controls include clean air, air conditioning, humidity, and water. Controls. Since humans and computers don't coexist well, try to keep them separate. Many companies are establishing command centers for employees and a “lights-out” environment for the machines. Keep all rooms containing computers at reasonable temperatures (60-75 degrees Fahrenheit or 10-25 Celsius). Keep humidity levels at 20% to 70% and monitor environmental settings.

Earthquake A violent ground motion results from stresses and movements of the earth's surface. Controls. Keep computer systems away from glass and elevated surfaces. In high-risk areas, secure the computers with anti-vibration devices.

Liquid Leakage A liquid inundation includes burst or leaking pipes and accidental discharge of sprinklers. Controls. Keep liquid-proof covers near the equipment and install water detectors on the structural floor near the computer systems.

Lightning An electrical charge of air can cause either direct lightning strikes to the facility or surges due to strikes to electrical power transmission lines, transformers, and substations. Controls. Install surge suppressers, store backups in grounded storage media, install and test Uninterruptible Power Supply (UPS) and diesel generators.

Electrical Interruption A disruption in the electrical power supply, usually lasting longer than one-half hour, can have serious business impact. Controls. Previous screen Install and test UPS, install line filters to control voltage spikes, and install anti- static carpeting.

The Human Factor Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage and accidents are caused by companys' own employees. Another 15% to 20% comes from contractors and consultants who are given access to buildings, systems, and information. Only about 5% to 8% is done by external people, yet the press and management focus mostly on them. The typical computer criminal is a non-technical authorized user of the system who has been around long enough to locate the control deficiencies. When implementing control devices, make certain that the controls meet the organization's needs. Include a review of internal access, and be certain that employees meet the standards of due care imposed on external sources. “Intruders” can include anybody who is not authorized to enter a building, system, or data. The first defense against instruders is to keep them out of the building or computer room. However, because of cost-cutting measures in the past two decades, very few computer facilities are guarded anymore. With computers everywhere, determining where to install locks is a significant problem. To gain access to any business environment, everybody should have to pass an authentication and/or authorization test. The three ways of authenticating users involve something: á That the user knows (a password). á That the user has (a badge, key, card, or token). á Of their physiognomy (fingerprint, retinal image, voice).

Locks In addition to securing the campus, it may be necessary to secure the computers, networks, disk drives, and electronic media. One method of securing a workstation is with an anchor pad, a metal pad with locking rods secured to the surface of the workstation. The mechanism is installed to the shell of the computer. These are available from many vendors. Many organizations use cables and locks. Security cables are multi-strand, aircraft-type steel cables affixed to the workstation with a permanently attached plate that anchors the security cable to the desk or other fixture. Disk locks are another way to secure the workstation. These small devices are quickly inserted into the diskette slot and lock out any other diskette from the unit. They can prevent unauthorized booting from diskettes and infection from viruses. Cryptographic locks also prevent unauthorized access by rendering information unreadable to unauthorized personnel. Encryption software does not impact day-to-day operations while ensuring the confidentiality of sensitive business information. Crypographic locks are cost-effective and easily available.

Tokens As human security forces shrink, there is more need to ensure that only authorized personnel can get into the computer room. A token is an object the user carries to authenticate his or her identity. These devices can be token cards, card readers, or biometric devices. They have the same purpose: to validate the user to the system. The most prevalent Previous screen form is the card, an electric device that normally contains encoded information about the individual who is authorized to carry it. Tokens are typically used with another type of authentication. Many cipher locks have been replaced with token card access systems.

Challenge-Response Tokens Challenge-response tokens supply passcodes that are generated using a challenge from the process requesting authentication (such as the Security Dynamics'SecurID). Users enter their assigned user IDs and passwords plus a password supplied by the token card. This process requires that the user supply something they possess (the token) and something that they know (the challenge/response process). This process makes passcode sniffing and brute force attacks futile. Challenge-response is an asynchronous process. An alternative to challenge-response is the synchronous token that generates the password without the input of a challenge from the system. It is synchronized with the authenticating computer when the user and token combination is registered on the system.

Dumb Cards For many years, photo identification badges have sufficed as a credential for most people. With drivers' licenses, passports, and employee ID badges, the picture—along with the individual's statistics—supplies enough information for the authentication process to be completed. Most people flash the badge to the or give a license to a bank teller. Someone visually matches the ID holder's face to the information on the card.

Smart Cards The automatic teller machine (ATM) card is an improvement on the “dumb card”; these “smart” cards require the user to enter a personal ID number (PIN) along with the card to gain access. The ATM compares the information encoded on the magnetic stripe with the information entered at the ATM machine. The smart card contains microchips that consist of a processor, memory used to store programs and data, and some kind of user interface. Sensitive information is kept in a secret read-only area in its memory, which is encoded during manufacturing and is inaccessible to the card's owner. Typically, these cards use some form of cryptography that protects the information. Not all smart cards work with card readers. A user inserts the card into the reader, the system displays a message, and if there is a match, then the user is granted access.

Types of Access Cards Access cards employ different types of technology to ensure authenticity: á Photo ID cards contain a photograph of the user's face and are checked visually. á Optical-coded cards contain tiny, photographically etched or laser-burned dots representing binary zeros and ones that contain the individual's encoded ID number. The card's protective lamination cannot be removed without destroying the data and invalidating the card. á Electric circuit cards contain a printed circuit pattern. When inserted into a reader, the card closes certain electrical circuits. á Magnetic cards, the most common form of card, contain magnetic Previous screen particles that contain, in encoded form, the user's permanent ID number. Data can be encoded on the card, but the tape itself cannot be altered or copied. á Metallic stripe cards contain rows of copper strips. The presence or absence of strips determines the code.

Biometric Devices Every person has unique physiological, behavioral, and morphological characteristics that can be examined and quantified. Biometrics is the use of these characteristics to provide positive personal identification. Fingerprints and signatures have been used for years to prove an individual's identity, but individuals can be identified in many other ways. Computerized biometrics identification systems examine a particular trait and use that information to decide whether the user may enter a building, unlock a computer, or access system information. Biometric devices use some type of data input device, such as a video camera, retinal scanner, or microphone, to collect information that is unique to the individual. A digitized representation of a user's biometric characteristic(fingerprint, voice, etc.) is used in the authentication process. This type of authentication is virtually spoof-proof and is never misplaced. The data is relatively static but not necessarily secret. The advantage of this authentication process is that it provides the correct data to the input devices. Fingerprint scan The individual places a finger in or on a reader that scans the finger, digitizes the fingerprint, and compares it against a stored fingerprint image in the file. This method can be used to verify the identity of individuals or compare information against a database covering many individuals for recognition. Performance: á false rejection rate=9.4% á false acceptance rate=0 á average processing time=7 seconds Retinal scan This device requires that the user look into an eyepiece that laser-scans the pattern of the blood vessels. The patterns are compared to provide positive identification. It costs about $2,650. Performance: á false rejection rate=1.5% á false acceptance rate=1.5% á average processing time=7 seconds Palm scan The system scans 10,000 points of information from a 2-inch square area of the human palm. With the information, the system identifies the person as an impostor or authentic. The typical price is $2,500. Performance: á false rejection rate=0 á false acceptance rate=.00025% Previous screen á average processing time=2-3 seconds Hand geometry This device uses three-dimensional hand geometry measurements to provide identification. The typical price is $2,150. Performance: á false rejection rate=.1% á false acceptance rate=.1% á average processing time=2-3 seconds Facial recognition Using a camera mounted at the authentication place (gate, monitor, etc.)the device compares the image of the person seeking entry with the stored image of the authorized user indexed to the system. The typical price is $2,500.Performance: á average processing time=2 seconds Voice verification When a person speaks a specified phrase into a microphone, this device analyzes the voice pattern and compares it against a stored database. The price can run as high as $12,000 for 3,000 users. Performance: á false rejection rate=8.2% á false acceptance rate=.4% á average processing time=2-3 seconds (response time is calculated after the password or phrase is actually spoken into the voice verification system).

Testing Security systems, passwords, locks, token cards, biometrics, and other authenification devices are expected to function accurately from the moment they are installed, but it is the management and testing that makes them work. There is little point in installing an elaborate access control system for the computer room if the employees routinely use the emergency fire exits. Employees must be trained in the proper use of physical security systems. Access logs must be monitored and reconciled in a timely manner. Training and awareness demands time, money, and personnel, but it is essential for organizations to meet the challenges brought about by increased competition and reduced resources. There must be a partnership between the technology and the employees. Figure on spending at least as much time and resources on training employees on how to use the technology as on procuring and installing it. Employees must understand why the control mechanisms were selected and what their role is in the security process.

Conclusion Companies where employees hold open the door for others to walk through may need to review their level of security awareness. The first step in implementing a physical security program is determining the level of need and the current level of awareness. To implement a cost-effective security program, 1) analyze the problems, 2) design or procure controls, Previous screen 3) implement those controls, 4) test and exercise those controls, and 5) monitor the controls. Implement only controls needed to meet the current needs, but make sure that additional control can be added later if required. Physical security is an organization's first line of defense against theft, sabotage, and natural disasters. Bibliography Russell, D. and Gangemi, G.T. Computer Security Basics, Sebastopol, CA: O' Reilly & Associates, Inc., 1991. Jackson, Hruska, Parker, Computer Security Reference Book, Boca Raton, FL: CRC Press, Inc., 1992. Ashborn, J., “Baubles, Bangles and Biometrics,” Association for Biometrics (1995). Davies, S. G., “Touching Big Brother: How biometric technology will fuse flesh and machine,” Information Technology & People, Vol 7, No. 4 (1994). Lawrence, S., et al., “Face Recognition: A hybrid neural network approach,” Technical Report UMIACS-TR-96 and CS-TR-3608, Institute for Advanced Computer Studies University of Maryland(1996). Author Biographies Tom Peltier Tom Peltier is the Corporate Information Protection Coordinator for an electric utiltiy in the Midwest.