
3. Access Control Slides

The document discusses the importance of physical security and access control, emphasizing the need for a comprehensive security system that includes risk assessment, deterrence, detection, and response measures. It outlines various physical security controls such as barriers, locks, gates, and surveillance systems, as well as authentication methods to ensure only authorized individuals gain access. The document highlights the significance of layered security approaches to effectively manage and mitigate threats to physical assets.

Uploaded by

Rakshith Raj
Copyright
© All Rights Reserved

Access Control and Authentication

Physical Security
• There is no object that can be fully protected (i.e. cannot be
stolen, damaged, destroyed, or observed by unauthorized
individuals).
• A balanced security system provides protection against a defined
set of threats by:
• informing the user of attempted intrusions
• providing resistance to the would-be intruder’s attack paths (USGS, 2005).

• The purpose of physical security is to delay an intruder’s advance
toward a target, long enough to detect and respond with human
intervention.
• Achieving these objectives requires policies, standards, guidelines,
and controls addressing risk assessment, prevention, detection,
delay, and response.
Risk Assessment
• The first step in a physical security program is the risk
assessment based on a physical security survey.
• The physical security risk assessment identifies threats,
couples them with vulnerabilities, and determines the
probability and impact of successful attacks.
• Using best practice recommendations, the organization
implements appropriate controls intended to deter, delay,
detect, and detain human intruders.

Physical Security Controls

• Deterrence and Delay (prevention)
• If the risk of detection or detainment is too high (relative to
level of motivation), the intruder selects another path.
• Selecting low-risk locations.
• Adding barriers (e.g. fences).
• Detection and Detainment

Barriers
• To help prevent an attacker from gaining access to important
assets, these assets should be placed inside multiple perimeters.
• Access to the server room should be limited to staff with a
legitimate need to work on the servers.
• A layered approach to barriers uses:
• site perimeter (signs, landscaping, fences, walls)
• building walls and doors
• internal walls and doors

Barriers: site perimeter
• Site perimeter is a clearly bounded space surrounding
all the property controlled by the organization.
• It tells anyone approaching the site that he is about to
enter private property.
• The barriers are signs, landscaping, fences, and walls.

Fence Design

Fence Installation

Top Guard
• A top guard uses strands of barbed wire, spaced six inches apart, to
deter fence climbing.
• Extending outward at 45 degrees, it increases fence height by about
one foot.
• Adding fences and barbed wire can make the site look harsher than
what the management might like.
• It is common to hide fences with hedges or other types of
landscaping (should not block camera or human security views)

Walls
• Walls can strengthen security by restricting the view from
outside the perimeter.
• The wall should:
• be high enough to deter intruders,
• block the view of what is happening inside the perimeter,
• support a top guard if necessary,
• and look better than a fence.

Figure: Bullet Resistant Precast Concrete Fencing for Power Plant Protection

Structure Perimeters
• The external walls of the building should deter and delay the
intrusion
External Wall Penetration Times and Relative Effort to Breach (NFESC, 1993)

Interior Walls
• Interior walls provide additional barriers, assuming the target is not
located in a room sharing an outside wall.
• Once an intruder makes it through an external door or wall, he will
meet additional deterrence and delay as the response team closes
in.
• Data centers should be in the center of a structure with walls
independent from external walls.
• Internal walls surrounding sensitive areas should resist an intruder
trying to circumvent other controls by breaking through.
• Not all organizations require steel reinforced walls and standing
guard around servers and storage.

Interior Walls
Interior Wall Constructions (U.S. Army, 2010)

Barrier Gaps
• Gates and doors are required in fences and walls to give employees
ingress.
• Additional potential points of entry include maintenance panels,
windows, skylights, air circulation vents, etc.
• Barrier gaps present a weakness that intruders can exploit if not
properly managed.
• Controlling ingress and egress through perimeter and structural
barriers requires one or more of the following:
• Gates
• Vehicle barriers
• Access controls
• Doors
• Bars
• Locks
• Window design
Gates
• Pedestrian gate access control
• Automated access
• The organization issues an access card (or PIN) for employees.
• Works well for employee access but not for contractor or visitor access.
• Manual discretionary access
• Requires a security guard to open and close the gate, either at the gate or
remotely.
• Manual points of ingress can be staffed by guards who control access by
checking employee ID.
Pedestrian Access Gate

Gates
• Vehicle gates
• Vehicle gates range from simple chain link to crash gates.
• In some cases, a gate is impractical or requires support to provide stronger
resistance.
• Vehicle controls (e.g. retractable bollards) provide this support.

Figures: Retractable Bollards, Crash Gate

Doors
• Each door should be at least as difficult to break through as the surrounding walls.
• External doors
• Entry to a reception or guard desk area.
• All exterior doors not opening into the public entry area should be locked and
closely controlled.
• Piggy-backing occurs when an authorized person unlocks a door (using a key code,
smart card, key, etc.) and another person takes the opportunity to enter without
being authorized.
• One common solution, in addition to policies and employee awareness, is a
mantrap.
• Only one person at a time is allowed to enter the mantrap.
• A guard might watch through a window.
• Sensors are used to check the weight or the number of people in the mantrap.

Olzak, T. (2012). Physical Security: Human Intrusion Defense. CBS Interactive/TechRepublic.


Mantrap
[Figure: mantrap diagram. Labels: Annunciator Unit, Stereo Cameras, Line out to Central Security, Control Unit, Secure Area, Access Control Unit, Public Area]

Doors
• Maintenance access to mechanical/electrical rooms
requires hatches and other types of barrier gaps.
• All access portals should be secured with locks
suitable to the importance of the access provided.
• The hinges of doors should be inside the protected
area away from public access (to prevent removing
the hinge pins).

Windows and Skylights
• Windows close to the ground (less than 14 feet up the
wall) or near a fire escape are the most vulnerable.
• If windows provide access to restricted areas, consider
one or more of the following:
• Install windows too narrow for human access (96
square inches or smaller)
• Grillwork or bars
• Intrusion detection alarm

Ditches, Culverts, and Manholes
• Site drainage may require ditches and culverts.
• When a fence runs over a ditch, it can leave a large
opening for easy site access.
• Any gap exceeding 96 square inches, configured in a
way that provides access (e.g., 10″ x 10″ as opposed to
2″ x 50″), requires attention (USGS, 2005).
• Manholes should be secured in collaboration with the
utility companies.

Ditch Barrier (Hercules, 2012)


Natural Events
• Snow or sand drifting against a barrier, making the
barrier easy to cross.
• Vegetation, such as bushes and trees, can provide
cover and concealment for intruders.
• Rain softening the ground around barriers, allowing
tunnels or trenches to be dug under barriers.
• Inclement weather such as fog, heavy rain, or snow
limiting the visibility of the barrier.

(U.S. Army, 2010)


Access Control

• Access control means having control of doors and
entry points.
– Locks
– Layered access systems
– Electronic door control systems

Locks
• Locks should add a planned level of delay
• Lock types include:
– Key
– Combination
– Mechanical
– Electronic

Key Locks
• The keyed lock (on door handles, padlocks, and deadbolt
locks) is the most common lock in an organization, and the
hardest to manage (i.e. key issuing, return, check).
• The door handle lock can be a weak control. Firmly pushing
a straightened paperclip into the keyhole often does what
the right key would do (Olzak, 2010(b)).
• A better lock for restricted areas is the deadbolt. However,
anyone with the right tools and training can manipulate
the lock pins.

Figures: Door handle, Padlock, Deadbolt lock


Push-button Combination Locks
• Mechanical locks are good when a lock manager has only a
few users.
• Large organizations usually require a centralized
management solution, where managers can make changes
to employee access from a central console.
• Electronic locks can serve as the core of an integrated door
security system.

Figures: Pushbutton Electronic Lock, Pushbutton Mechanical Deadbolt

Visitor Control
• Allowing visitors access to facilities is usually necessary for
continued business operation.
• However, controlling where, when, and how they visit is a
critical element of physical security.
– Registration
• Sign-in book.
• Ensuring that a visitor is easily identifiable (“Visitor” badge).
• Other employees must also display their IDs.
– Escort: All visitors to controlled areas should have an escort (e.g. technicians
repairing a server in the data center).
– Restrict use of cameras (including smartphones) in restricted
areas.

Detect and Detain
• In a layered security model, we assume an intruder will eventually
break through one or more of the preventive control layers.
• For this reason, detection and intruder intervention layers
complete the physical security control framework.
• Measures:
• Landscaping and lighting.
• Monitoring, surveillance, and alarms.
• Planned, documented, and practiced human response to
contain and apprehend/detain an intruder.

Lighting
• Lighting is a great deterrent.
• Well designed lighting eliminates shadows
that provide areas of low visibility for
monitoring activities.
• We measure lighting in one of two ways:
foot-candles or lux.
• A foot-candle is the illumination at a point
on a surface one foot from, and
perpendicular to, a light source equal to
one candela.
• A lux also uses the candela standard, but it
is measured from a distance of one meter.
• 1 foot-candle ≈ 10.76 lux.
Table: Lighting Guidelines (U.S. Army, 2010)

Monitoring, Surveillance, and Alarms
• Guards
– The best monitoring and surveillance controls.
– They can differentiate between real and false threats and provide quick response.
– However, trained and vigilant guards are expensive.
– Small and medium sized businesses usually use third-party remote management of technical controls (e.g.
cameras) with police response.
• Cameras
– Provide real-time monitoring and detection of intrusion or anomalous conditions
– Enable verification of a threat or a false alarm
– Unmonitored cameras
• are best used for incident reconstruction during post-intrusion investigations.
• provide a level of deterrence
• Cameras can be wired or wireless.
– When using a cable, make sure an intruder cannot access it.
– For wireless, ensure encryption and rogue device detection.
• Selecting the right camera solution.
– Power supply in case of power failure.
– Ability to store video if the connection to the security office is down.
• Where to place cameras?
– Identify probable paths of approach and hidden areas.
– Monitor the perimeter barrier, gates, doors to restricted areas, inside restricted areas, and roofs.

Non-visual detection solutions
• Guards can sometimes miss something that quickly passes across a monitor.
• It is not always possible to place cameras at all points of entry.
• It is important to know where the intruder is at all times.
• Non-visual detection and alarm solutions must support visual controls.
• Examples of non-visual detection systems:
– Dry contact switch:
• A connection is made between two foil strips.
• For example, one strip is placed on the window sill and the other on the window.
• If the window is opened, the connection is broken and an alarm condition initiated.
– Pressure mat: An alarm condition initiates when stepping on the mat.
– Photoelectric or photometric:
• A light beam establishes a connection between an emitter and a receiver.
• An alarm condition exists when the beam is broken.
– Passive infrared: Changes in a room’s heat patterns initiate an alarm.
– Audio/acoustic: Detects changes in ambient noise levels.

Response
• Detect the intruder during initial site penetration, if possible.
• Assess conditions that activate alarms (e.g. false alarms, probable target, number
of intruders, etc.).
• Track/Contain the intruder until first responders arrive.
– Contain or hinder intruder progress only if it is safe to do so.
• Apprehend the intruder: a role assumed by first responders.
• Manage the incident, including root-cause analysis to identify:
– what happened
– what should have happened
– how to improve deterrence, delay, detection, and response activities.

Authentication
• Authentication is the process by which a user proves that she is
who she says she is.
• Authentication is performed to allow or deny a person access to a
physical space.
• The heart of any access control system is to allow access only to
authorized users.
• Most electronic systems currently use a token-based card.
• Newer technology attempts to make the authentication process
easier and more secure.

Types of Authentication
• Something you have: tokens (e.g. keys, contactless access cards)
• Something you are: biometrics
• Something you know: password-style systems
• Somewhere you are: it prohibits two logins from different areas,
or the login from a country or location you could not possibly be in.
• Multiple-factor authentication: The combination of two or more of
these systems.

Electronic Access Control Systems
• Many organizations use electronic access control systems to control
the opening of doors typically through the use of access tokens.
• These devices are integrated into a centralized access control
system that controls and logs entry into all the doors connected to it.
• Security is improved by having a centralized system that can instantly
grant or refuse access based upon a token that is given to the user.
• This kind of system also logs user access, providing information of a
specific user’s presence in a controlled environment, and real-time
monitoring of the access controls.

Access Tokens
• An access token is a physical object (“something you have”) that
identifies specific access rights.
• Examples: keys, access cards.
• Problem of token-based authentication: only the token is
authenticated.
• The theft of the token could grant access to anyone who possessed
the token.

Contactless Access Cards and Readers
• Physical access authentication using contactless radio frequency cards and
readers.
• The card sends out a code using radio waves.
• The reader picks up this code and transmits it to the control panel.
• The control panel checks the code against the type of access the card has in
its database.
• Advantages:
• Any card can be deleted from the system without affecting any other card
or the rest of the system.
• The cards can be grouped in multiple ways to provide different access levels
to different groups of people.
• Access levels can be modified quickly and easily if building space is
re-tasked.
• The advent of smart cards (cards that contain integrated circuits capable of
generating and storing cryptographic keys) has enabled cryptographic types of
authentication.
• The risk of theft of the token can be offset by the use of multiple-factor
authentication (e.g. adding a biometric factor to the system).
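
The panel logic described on the Electronic Access Control Systems and Contactless Access Cards slides, as an added example that is not part of the original slides: a central panel checks a card code against groups and door rules, logs every decision, and requires a second factor on restricted doors. The class, card codes, holders and door names are constructed for illustration, and the second-factor result is assumed to come from a PIN pad or biometric reader.

```python
from datetime import datetime, timezone


class ControlPanel:
    """Hypothetical central panel: card code -> holder -> groups -> doors."""

    def __init__(self):
        self.cards = {}   # card code -> holder name
        self.groups = {}  # holder name -> set of group names
        self.doors = {}   # door -> (allowed groups, second factor required)
        self.log = []     # every decision, granted or refused

    def enroll(self, code, holder, groups):
        self.cards[code] = holder
        self.groups[holder] = set(groups)

    def revoke(self, code):
        # Deleting one card leaves every other card and door rule untouched.
        self.cards.pop(code, None)

    def set_door(self, door, allowed_groups, second_factor=False):
        # Re-tasking a room is one rule change, not a re-keying of locks.
        self.doors[door] = (set(allowed_groups), second_factor)

    def request(self, code, door, second_factor_ok=False, when=None):
        """Decide one reader event and record it in the log."""
        holder = self.cards.get(code)
        # A door with no rule gets an empty group set, so it fails closed.
        allowed, needs_second = self.doors.get(door, (set(), False))
        if holder is None:
            reason = "unknown or revoked card"
        elif not (self.groups[holder] & allowed):
            reason = "no access level for door"
        elif needs_second and not second_factor_ok:
            reason = "second factor missing or failed"
        else:
            reason = "ok"
        granted = reason == "ok"
        self.log.append({"time": when or datetime.now(timezone.utc),
                         "door": door, "card": code, "holder": holder,
                         "granted": granted, "reason": reason})
        return granted


def demo():
    """Constructed scenario: two staff cards, a lobby and a server room."""
    panel = ControlPanel()
    panel.set_door("lobby", {"staff", "it"})
    panel.set_door("server-room", {"it"}, second_factor=True)
    panel.enroll("C-1001", "alice", {"it"})
    panel.enroll("C-1002", "bob", {"staff"})
    results = [
        panel.request("C-1002", "lobby"),
        panel.request("C-1002", "server-room"),   # wrong group
        panel.request("C-1001", "server-room"),   # card alone, e.g. a stolen token
        panel.request("C-1001", "server-room", second_factor_ok=True),
    ]
    panel.revoke("C-1001")
    results.append(panel.request("C-1001", "server-room", second_factor_ok=True))
    results.append(panel.request("C-1002", "lobby"))  # other cards unaffected
    return results, panel.log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry["door"], entry["card"], entry["granted"], entry["reason"])
```

Refused attempts are logged alongside granted ones, which is what lets the log support both presence tracking and detection of a lost or stolen card being tried at a restricted door.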
Biometrics
• Biometrics use the measurements of certain biological factors to
distinguish one specific person from others.
• These factors are based on parts of the human body that are unique.
– fingerprint
– retina or iris of the eye
– geometry of the hand or the face
• Problem: An analog signal might not always encode the exact same
way.
• Example: A face-based biometric system may deny access to a person
with a bandage on his chin.
• False positives and false negatives are two issues with biometric
scanners.

False Positives and False Negatives
• A false positive occurs when a biometric is scanned and
allows access to someone who is not authorized
– For example, two people who have very similar fingerprints
might be recognized as the same person by the computer,
which grants access to the wrong person.
• A false negative occurs when the system denies access
to someone who is actually authorized
– For example, a user at the hand geometry scanner forgot to
wear a ring he usually wears and the computer does not
recognize his hand and denies him access.

Other Issues with Biometrics
• If someone is able to steal the uniqueness factor that
the machine scans (e.g. your fingerprint from a glass)
and is able to reproduce that factor in a substance that
fools the scanner, that person will have access privileges.
• Parts of the human body can change.
• Therefore, the biometric system should allow a higher
tolerance for variance in the biometric being read.
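
The trade-off between tolerance, false positives and false negatives described on the last three slides, as an added example that is not part of the original slides. The similarity scores are constructed sample values from a hypothetical matcher that grants access when the score reaches a threshold; a lower threshold means more tolerance for variance.

```python
# Constructed similarity scores (0.0 to 1.0); not measurements from a real scanner.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.90, 0.58]   # enrolled user re-scanned
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.62, 0.19, 0.55, 0.71, 0.33, 0.47]  # a different person's scan


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_positive_rate, false_negative_rate) for one threshold.

    False positive: an unauthorized scan scores at or above the threshold.
    False negative: an authorized scan scores below the threshold.
    """
    false_pos = sum(s >= threshold for s in impostor) / len(impostor)
    false_neg = sum(s < threshold for s in genuine) / len(genuine)
    return false_pos, false_neg


def sweep(thresholds):
    """Error rates at each candidate threshold, as (threshold, fp, fn) tuples."""
    return [(t, *error_rates(t)) for t in thresholds]


def pick_threshold(thresholds, max_false_positive):
    """Cap false positives first, then minimise false negatives.

    Ties go to the stricter (higher) threshold. Returns None when no
    candidate keeps false positives within the cap.
    """
    candidates = [(fn, -t, t) for t, fp, fn in sweep(thresholds)
                  if fp <= max_false_positive]
    return min(candidates)[2] if candidates else None


if __name__ == "__main__":
    grid = [0.5, 0.6, 0.7, 0.8, 0.9]
    for t, fp, fn in sweep(grid):
        print(f"threshold {t:.1f}: false positives {fp:.0%}, false negatives {fn:.0%}")
    print("zero false positives allowed ->", pick_threshold(grid, 0.0))
    print("10% false positives allowed  ->", pick_threshold(grid, 0.1))
```

On this sample, loosening the threshold from 0.8 to 0.5 removes every false negative but lets three of the ten impostor scans through, which is why the tolerance setting is a security decision and not only a usability one.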

Multiple-factor Authentication
• Is the combination of two or more types of
authentication.
• Examples
– A card reader that then turns on a fingerprint scanner.
– A smart card reader that asks for a PIN before enabling a retina
scanner.
• Using multiple factors is one of the best ways to ensure
proper authentication and access control.

References
AMC. (2012). Vibration Detection Fencing. Retrieved December 11, 2012, from AMC Security Products: [Link]
Artisan Precast. (2011). Concrete Walls. Retrieved March 17, 2012, from [Link]
Brain, M., & Harris, T. (2012). How Lock Picking Works. Retrieved December 8, 2012, from HowStuffWorks: [Link]
Hercules. (2012). Hercules Fence. Retrieved March 19, 2012, from [Link]
IT. (2007). Intrusion and Burglary. Retrieved December 11, 2012, from Installation Technologies: [Link]
KrackMaster. (2012). Picking New High Security Door Locks. Retrieved December 8, 2012, from Liberty References: [Link]
Midpoint. (2009). System Diagram. Retrieved March 23, 2012, from Midpoint Security: [Link] [Link]/access_control_system_diagram.php
NEUSS. (2010). Crash Gate Drawing. Retrieved March 19, 2012, from Neu Security Services: [Link]
Newton. (2012). The TDAR Anti-Tailgating Anti-Piggybacking Barrier for Mantraps. Retrieved March 19, 2012, from Newton Security, Inc.: [Link]
NFESC. (1993). Design Guidelines for Physical Security of Facilities, MIL-HDBK-1013/1A. Port Hueneme, California: Naval Facilities Engineering Service Center.
Olzak, T. (2008, December 29). Anatomy of a Small Business Break-in. Retrieved December 10, 2012, from CBS Interactive/TechRepublic: [Link]
Olzak, T. (2010(b), August 10). Physical Security Locks, Biometrics, and Other Fallacies. Retrieved March 21, 2012, from CBS Interactive/TechRepublic: [Link]
Olzak, T. (2012). Physical Security: Human Intrusion Defense. CBS Interactive/TechRepublic.
Olzak, T. (2010, August 16). The Art of Physical, Outer Perimeter Security. CBS Interactive/TechRepublic. Retrieved March 16, 2012, from [Link]
Peerless. (n.d.). Top 10 Myths About Lock Security. Retrieved March 22, 2012, from Peerless Door Locks: [Link]
Tonbridge. (n.d.). Pedestrian Gate and Door Access. Retrieved March 19, 2012, from Tonbridge Fencing: [Link]
U.S. Army. (2010). Physical Security, ATTP 3-39.32. United States Army.
USGS. (2005). U.S. Geological Survey Manual: Physical Security Handbook, 440-2-H. United States Department of the Interior.
