The State of Physical Access Control


THE STATE OF PHYSICAL ACCESS CONTROL: IMPACT ON THE ENTERPRISE

The global market for card-based electronic access control (EAC) is projected to reach $10.1 billion by 2020 according to Global Industry Analysts. Recent research by ASIS International, however, finds the technology deployed in the field to be relatively aged and insecure. Responses provided by nearly 2,000 members of ASIS who serve as security directors or consultants indicate the most common access control credential technology deployed today is 125 kHz low frequency proximity, which is relied on by 44 percent of respondents, while 33 percent use magnetic stripe, 21 percent barcode, and 10 percent MIFARE Classic. Just 45 percent of respondents indicated use of more secure technologies such as FIPS-201, iCLASS, MIFARE DESFire, Seos, and Sony FeliCa.

The most common technology in use—125 kHz proximity—was introduced more than 25 years ago. These contactless cards offer extraordinary reliability and longevity. They have no batteries to fail, relying instead on radio frequency (RF) signals sent out from the reader. The cards themselves simply consist of an antenna, a capacitor, and a chip that stores the card’s ID number. This read-only technology is very economical but has widely-known security vulnerabilities. It will keep incidental visitors out but will not withstand anyone with an intent to breach the system. “Cards can easily be cloned, even without the holder’s knowledge, and the cloned card can then be used to open any door available to the original holder,” says Daniel Bailin, Vice President, Strategic Business Development and Innovation with HID Global. There is also no direct means of determining if a system has been compromised, essentially worsening matters by providing a false sense of security. “If someone clones a card and comes into the building, you won’t know because it looks like a legitimate entry,” says Bailin.

One-third of respondents indicated the use of magnetic stripe cards—the same technology that is currently being phased out of credit cards in favor of chips due to its lack of security. Magnetic stripe cards have information stored on a thin strip of magnetic tape that is subject to wear with every use. Magstripe remains a popular technology in the university setting, where its early capacity to serve as a common denominator between systems earned it early market share. It can serve as a single credential that grants access to the dorm, enables bookstore transactions, and stores meal plan data. Magstripe can also frequently be found in hospitals and enterprise environments.

“Unfortunately it’s horribly insecure,” says Bailin. “Generally speaking there is no security associated with magstripe because the data is all stored in plain text without encryption. In fact, it is the lack of encryption and security that makes it so easy to use across all of those systems.” Bailin does grant that magstripe is somewhat more secure than proximity cards because cloning a magstripe card would require someone to take physical possession of the card. Proximity cards can be cloned by simply getting close enough to a person to ask directions or hand out a flier.

Common Physical Access Control System Features (number of respondents; columns: System includes but not currently used / Actively use / Planned upgrade / Unsure or unknown)

  Time and attendance                                          366 /  683 /  65 / 210
  Parking/gate control                                         277 /  854 /  60 / 172
  Biometrics (fingerprint, facial recognition, other)          407 /  487 / 165 / 266
  Closed loop payment (vending, cafeteria, other payments,
    public transportation)                                     367 /  297 /  81 / 509
  License plate registration                                   445 /  325 / 174 / 343
  Security guard tour applications                             427 /  601 / 120 / 211
  Visitor management                                           250 /  934 / 178 /  85
  Logical access (secure computer/network login, access to
    cloud and web resources)                                   192 /  918 / 113 / 167
  Identification (photo ID badge)                              167 / 1175 /  84 /  44

Approximately one quarter of respondents rely on iCLASS, a contactless smart card technology that was introduced in 2003. With both encryption and mutual authentication, iCLASS cards are more secure than 125 kHz proximity cards. They also offer far more flexibility, with the capacity to support biometrics, time and attendance, and general office functions such as access to company printers. Beginning in 2013, iCLASS was upgraded to iCLASS SE, which added additional layers of encryption and digital signatures to further improve the security.

Barcode access cards, still used by one in five respondents, are the least secure credential on the market. The technology is still common on library cards and grocery store loyalty cards but has never been suitable for securing facilities. Because the security element is clearly visible, the system can easily be defeated by simply copying with a standard copy machine or taking a picture of an existing card.

The 13.56 MHz MIFARE Classic—used by 10 percent of respondents—essentially introduced encryption to the access control market. MIFARE Classic also offers the capability to load additional applications to the card. In 2008 MIFARE Classic was attacked and broken by researchers and the results made public. It is still often used for transit where the values are small, but can easily be cloned when used for access control. MIFARE DESFire—used by 9 percent of respondents—offers both improved flexibility and improved security using more modern encryption technology.

Many organizations choose cards that offer dual technology, combining technologies to provide a transitional stage between legacy systems and modern access control technology. Proximity/smart cards are a typical hybrid solution in which sensitive areas of buildings or entire facilities may be upgraded immediately while areas of lower concern such as cafeterias and restrooms may wait for years.

Physical Access Control Technology in Use (number of respondents)

  Mobile access                                    313
  FIPS-201 standard credential (PIV, CAC, TWIC)    255
  Seos                                              70
  MIFARE DESFire EV1/EV2                           149
  MIFARE Classic                                   178
  iCLASS                                           440
  Sony FeliCa                                       14
  125 kHz low-frequency prox                       761
  Magnetic stripe                                  572
  Barcode                                          367

Physical Access Control Solution Meets Requirements (number of respondents)

  Meets or exceeds current and planned requirements   143
  Exceeds current requirements                        238
  Meets all current requirements                      643
  Satisfies essential requirements                    329
  Does not meet current requirements                   56

Near Field Communications (NFC) is a technology still relatively new to the security industry, and it is getting tremendous attention due to its use on mobile phones. To be clear, the NFC specs do not include any security models and rely on the same RFID low level protocols as the legacy technologies such as MIFARE Classic. Bluetooth, still nascent in the security space, is another technology commonly found on mobile phones and many wearable devices. Bluetooth is ubiquitous, an open standard, flexible, low cost, and features low power requirements.

Seos is a credential technology that uses best-in-class cryptography to provide access control credentials. These can be implemented as traditional RFID cards, as well as in both NFC and Bluetooth mobile phone applications. The technology is device-agnostic (card and mobile). When implemented as a mobile credential, it is supported on both iOS and Android platforms. It can be found in new installations in enterprise and university environments. Seos fulfills many of the promises of universal credentialing to include physical and logical access, payment, and government identification. “One of the design objectives with Seos was to be independent of the token (chip or phone) technology and independent of the contactless pipe used,” says HID’s Bailin.

MOVEMENT TOWARDS MOBILE

Just as credential technologies have evolved over the years, so have the ways users interact with them. One of the bigger developments over the past few years has been the increased adoption of mobile credentials, which allow users to access facilities via their mobile device. Approximately 20 percent of survey respondents indicate they have upgraded to mobile-enabled readers or are in the process of doing so. Another 34 percent will upgrade to mobile-enabled readers within the next three years. Overall, 77 percent of those surveyed said that mobile credentials will either improve or somewhat improve their overall access control system.

The move to mobile seems natural for many organizations, because it can heighten user convenience, streamline credential management, and improve security. Employees rarely, if ever, leave their mobile device at home, making it a natural supplement to smart cards. For security professionals, provisioning and de-provisioning credentials can be immediately performed over the air, which increases efficiencies and reduces vulnerabilities.

By 2020, IHS predicts that 20 percent of all credentials will be mobile. For this to become reality, organizations will have to assess their existing technology and build plans to incorporate mobile into their access control ecosystem.

EXPANDING ACCESS CONTROL WHILE CONVERGING BUDGETS

While the industry remains slow to upgrade systems that have proven reliable and largely maintenance free, one key driver for updating has been converging multiple building infrastructure systems so that the effectiveness of each is improved. From a strict security standpoint, says Bailin, “Would your system allow a person to log on to their desktop computer if they have not used their access card to get through the front door?” Respondents indicate cards are commonly used for more than just physical access. Access cards are used as photo IDs by 82 percent of respondents, visitor management by 66 percent, logical access by 67 percent, parking/gate control by 63 percent, and time and attendance by 52 percent. Substantial numbers also report using cards for guard tour applications and closed loop payment systems.
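The core contrast in the survey, a 125 kHz proximity card that answers every reader with its fixed ID number versus a smart card that does encryption with mutual authentication (as the report describes for iCLASS and Seos), can be modelled in a few dozen lines. This is an added illustration, not HID's protocol and not code from the whitepaper; the card ID, the per-card key and the HMAC-based challenge-response are constructed stand-ins for whatever a real card implements.

```python
"""Static-ID credential vs. challenge-response credential, as a toy model.

Added example: this is not HID's protocol and not code from the whitepaper.
A 125 kHz prox card is reduced to "always answer with the same ID", and a
mutual-authentication smart card to "HMAC over fresh nonces from both sides
with a per-card key". The ID and key below are constructed values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts (stand-in for the card cipher)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


@dataclass
class StaticIdCard:
    """Proximity-card model: the only thing the card can ever say is its ID."""
    card_id: bytes

    def respond(self, _challenge: bytes = b"") -> bytes:
        return self.card_id


class StaticIdReader:
    def __init__(self, authorized_ids: set[bytes]):
        self.authorized_ids = authorized_ids

    def admit(self, card) -> bool:
        # Whatever presents an authorized ID is admitted. The reader has no way
        # to tell the original from a copy, so a copy "looks like a legitimate entry".
        return card.respond() in self.authorized_ids


@dataclass
class MutualAuthCard:
    """Smart-card model: proves knowledge of its key over the reader's fresh
    nonce, and requires the reader to prove the same over the card's nonce."""
    card_id: bytes
    key: bytes
    _nonce: bytes = field(default=b"", init=False, repr=False)

    def respond(self, reader_nonce: bytes) -> tuple[bytes, bytes, bytes]:
        self._nonce = os.urandom(8)
        tag = mac(self.key, b"card", self.card_id, reader_nonce, self._nonce)
        return self.card_id, self._nonce, tag

    def verify_reader(self, reader_nonce: bytes, reader_tag: bytes) -> bool:
        expected = mac(self.key, b"reader", self.card_id, self._nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_tag)


class MutualAuthReader:
    def __init__(self, keys_by_id: dict[bytes, bytes]):
        self.keys_by_id = keys_by_id

    def admit(self, card) -> bool:
        reader_nonce = os.urandom(8)  # fresh per presentation, never reused
        card_id, card_nonce, tag = card.respond(reader_nonce)
        key = self.keys_by_id.get(card_id)
        if key is None:
            return False
        expected = mac(key, b"card", card_id, reader_nonce, card_nonce)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong key, or an answer computed for some other nonce
        reader_tag = mac(key, b"reader", card_id, card_nonce, reader_nonce)
        return card.verify_reader(reader_nonce, reader_tag)


class CopiedCard:
    """Model of a copy made from one observed exchange: it can only repeat
    what the genuine card answered to that single earlier poll."""

    def __init__(self, genuine_card, observed_challenge: bytes = b""):
        self.recorded_answer = genuine_card.respond(observed_challenge)

    def respond(self, _challenge: bytes = b""):
        return self.recorded_answer

    def verify_reader(self, reader_nonce: bytes, reader_tag: bytes) -> bool:
        return True  # without the key the copy cannot check the reader at all


def run_comparison() -> dict[str, bool]:
    """Present a genuine card and a copy of it to each kind of reader."""
    card_id = bytes.fromhex("0000c0ffee01")                   # constructed
    key = bytes.fromhex("4e6f7420612072656164206b65792121")  # constructed
    prox_reader = StaticIdReader({card_id})
    smart_reader = MutualAuthReader({card_id: key})
    prox_card = StaticIdCard(card_id)
    smart_card = MutualAuthCard(card_id, key)
    return {
        "static_genuine": prox_reader.admit(prox_card),
        "static_copy": prox_reader.admit(CopiedCard(prox_card)),
        "mutual_genuine": smart_reader.admit(smart_card),
        "mutual_copy": smart_reader.admit(CopiedCard(smart_card, os.urandom(8))),
    }
```

The static-ID reader admits the copy because the ID is the whole secret; the mutual-authentication reader rejects it because the key never leaves the card and each presentation is bound to a nonce the copy has never seen.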
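Bailin's question above (should a desktop logon be possible for someone who never badged through the front door?) is the kind of physical/logical check a converged system can actually evaluate. The following is an added example, not from the whitepaper or any vendor product: it correlates a constructed door log with constructed workstation logon events and flags logons with no badge-in behind them, or with one too old to trust; the event format, site names and the 14-hour threshold are all assumptions.

```python
"""Correlate door-controller badge events with workstation logons.

Added example: the event format, site names and thresholds are assumptions,
not something the ASIS survey or any vendor specifies.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one merged stream of PACS and logon events, one per line:
#   <ISO timestamp> <BADGE_IN|BADGE_OUT|LOGON> <user> <door or logon site>
# Door names are "<site>-<door>"; a logon's site is where the workstation is,
# or "VPN" for a remote session that legitimately has no badge-in.
SAMPLE_EVENTS = """\
2024-05-05T08:00:00 BADGE_IN  erin  HQ-Front
2024-05-06T07:58:10 BADGE_IN  alice HQ-Front
2024-05-06T08:03:42 LOGON     alice HQ
2024-05-06T08:05:15 LOGON     bob   HQ
2024-05-06T08:06:30 BADGE_IN  carol HQ-Front
2024-05-06T09:15:00 LOGON     carol HQ
2024-05-06T10:00:00 LOGON     erin  HQ
2024-05-06T12:01:05 BADGE_OUT alice HQ-Front
2024-05-06T12:30:44 LOGON     alice HQ
2024-05-06T13:00:00 LOGON     dave  VPN
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str   # BADGE_IN, BADGE_OUT or LOGON
    user: str
    site: str   # "HQ" for both the door "HQ-Front" and an HQ workstation


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    site: str
    reason: str  # "no_entry" or "stale_entry"


def parse_events(text: str) -> list[Event]:
    """Parse the merged log and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, place = line.split()
        site = place.split("-", 1)[0]  # "HQ-Front" -> "HQ"; "VPN" stays "VPN"
        events.append(Event(datetime.fromisoformat(ts), kind, user, site))
    return sorted(events, key=lambda e: e.ts)


def logons_without_entry(
    events: list[Event],
    max_age: timedelta = timedelta(hours=14),
    remote_sites: frozenset[str] = frozenset({"VPN"}),
) -> list[Alert]:
    """Flag workstation logons not covered by a badge-in at the same site.

    max_age: a badge-in older than this is not taken as evidence of presence,
    because many doors are free-egress and never log a BADGE_OUT (assumed
    threshold; tune it per site).
    """
    last_in: dict[tuple[str, str], datetime] = {}
    alerts: list[Alert] = []
    for e in events:
        key = (e.user, e.site)
        if e.kind == "BADGE_IN":
            last_in[key] = e.ts
        elif e.kind == "BADGE_OUT":
            last_in.pop(key, None)
        elif e.kind == "LOGON":
            if e.site in remote_sites:
                continue  # remote sessions are covered by other controls
            entered = last_in.get(key)
            if entered is None:
                alerts.append(Alert(e.ts, e.user, e.site, "no_entry"))
            elif e.ts - entered > max_age:
                alerts.append(Alert(e.ts, e.user, e.site, "stale_entry"))
    return alerts


if __name__ == "__main__":
    for a in logons_without_entry(parse_events(SAMPLE_EVENTS)):
        print(f"{a.ts.isoformat()} {a.user:<6} {a.site:<4} {a.reason}")
```

On the sample, bob logs on with no badge-in at all, erin's badge-in is from the previous day, and alice logs on again after badging out; carol's logon and dave's VPN session produce nothing.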