The 8 most significant ways physical security has evolved
by Grant Hatchimonji, csoonline.com, January 21st 2014
— CSO — Physical security has come a long way since the advent of the lock and key. But for all of its changes, the greatest aspect of the evolution of physical security is how it has begun to mesh with our digital world.
“What we’re seeing is the merging of electronic and physical spaces,” says Chris Nickerson, founder and chief consultant at Lares Consulting. “We’ve gone away from straight physical security to working with the social and electronic sides to make sure that a person is who they say they are.”
But with evolution comes a fresh set of risks and vulnerabilities, only some of which we’ve learned to ameliorate. In order to make physical security work for us, we need to fully understand the new technologies that we’re incorporating into it. “We’ve made big advancements, but we’ve been adopting them without learning them, so we’ve exposed ourselves in a way that we haven’t before in physical security,” says Nickerson. “Risk is understanding what you’re doing, not how. If you know what you’re using and you use it well, then there’s no risk.”
What follows, then, are eight of the most significant developments that have occurred over time in the field of physical security, and how some of them still stand to be advanced.
1. RFID Badges
Most buildings these days incorporate RFID badges in some capacity. The badges, which contain two crucial pieces of information – the site code and the individual badge ID – allow employees to swipe their card in close proximity to a scanner in order to gain access to certain areas. “They’re good for logging who’s going in and what time,” says Nickerson. “RFID has its vulnerabilities, but it’s still better than actual keys, where you can get a hold of a master key.”
Indeed, RFID badges are rife with security flaws. They are easily cloned, for example, and brute force attacks can be used to take advantage of the fact that badge ID numbers are typically incremental (though the other aspect of the badge, the site code, is more of a secret). “Most web apps are smart enough to lock you out [after multiple failed attempts],” says Nickerson. “But RFID? You can brute force it all day long. Most systems don’t even alert you if someone’s tried a million times.”
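As an added example (not from the article or any vendor's product), this sketch applies the lockout-and-alert behaviour Nickerson says most badge systems lack to a constructed reader log. The log format, reader names, thresholds and function name are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, reader, site code, badge ID, result.
SAMPLE_LOG = """\
2014-01-21T02:10:00 lobby-east 117 40211 GRANTED
2014-01-21T02:14:01 dock-2 117 51000 DENIED
2014-01-21T02:14:03 dock-2 117 51001 DENIED
2014-01-21T02:14:05 dock-2 117 51002 DENIED
2014-01-21T02:14:07 dock-2 117 51003 DENIED
2014-01-21T02:14:09 dock-2 117 51004 DENIED
2014-01-21T02:14:11 dock-2 117 51005 GRANTED
2014-01-21T08:59:30 lobby-east 117 40388 DENIED
2014-01-21T09:00:10 lobby-east 117 40388 GRANTED
"""

def detect_badge_guessing(log_text, max_denied=5,
                          window=timedelta(minutes=1),
                          lockout=timedelta(minutes=5)):
    """Return (alerts, suppressed): alerts raised, and reads ignored
    because the reader was locked out at the time (hypothetical policy)."""
    recent = defaultdict(deque)   # reader -> (time, badge ID) of denied reads
    locked_until = {}             # reader -> time the lockout ends
    alerts, suppressed = [], []
    for line in log_text.splitlines():
        ts, reader, _site, badge, result = line.split()
        when = datetime.fromisoformat(ts)
        # While locked out, the reader honours no badge, valid or not.
        if reader in locked_until and when < locked_until[reader]:
            suppressed.append((reader, int(badge)))
            continue
        if result != "DENIED":
            continue
        denied = recent[reader]
        denied.append((when, int(badge)))
        while when - denied[0][0] > window:   # drop reads outside the window
            denied.popleft()
        if len(denied) >= max_denied:
            ids = [b for _, b in denied]
            # Badge IDs climbing by one is the incremental guessing pattern.
            incremental = all(b - a == 1 for a, b in zip(ids, ids[1:]))
            alerts.append({"reader": reader, "time": ts,
                           "denied": len(denied), "incremental_ids": incremental})
            locked_until[reader] = when + lockout
            denied.clear()
    return alerts, suppressed
```

A single mistaken swipe, like the one at lobby-east in the sample, stays below the threshold and raises nothing.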
Also, some companies take their RFID systems and move them to external cloud providers. All an attacker has to do is hack the provider’s website and suddenly they have access to all of the buildings that use that cloud service. “These are standard electronic access systems that, by having some sort of centralized servers, can talk to all the readers,” says Nickerson. “Within a couple of hours, you can find all sorts of ways to open the doors.”
2. Video surveillance
Video surveillance has been around for quite some time now, but it has improved drastically since its inception. Video surveillance is now sophisticated enough to incorporate facial recognition (see #8 on this list), and higher quality cameras are creating footage that is sharper than ever. “HD is now standard, and getting above HD is now becoming mainstream,” says Jay Hauhn, CTO and vice president of industry relations for Tyco Integrated Security. “Megapixel cameras on the video security side give you great picture.”
But with that comes the major challenge of streaming such high-quality footage over the network. “Bandwidth is not your friend when you’re dealing with video,” says Hauhn. “So we’re also taking advantage of the tech breakthroughs in the consumer world and using them to push more video down the pipe.”
3. Perimeter security systems
No longer do we need to rely solely on walls or fences for guarding a facility’s perimeter, thanks to the advances in perimeter monitoring systems. Some systems now use microwaves or radio waves to establish a perimeter and can alert security teams when the protected area is being encroached upon. “So you can see who’s outside the area and be alerted beforehand,” says Nickerson. “It’s a huge advancement for the early warning side of things.”
4. Iris recognition
Striking a balance between being both accurate and non-invasive, iris recognition now allows security teams to identify people based solely on the pattern of their eye. “I’m a huge fan of iris recognition, since the patterns are more unique than DNA,” says Hauhn. “Irises are really good for being captured by a high resolution camera at a distance.”
Like facial recognition, it’s possible to bypass iris recognition technology with a still photo of someone else’s eye, but Hauhn maintains that it’s not as easily fooled. After all, as Hauhn points out, “Try to get a good picture of an eye and do that.”
5. Security guards and photo ID badges
There’s something to be said for a good, old-fashioned pair of eyes. With the use of RFID cards and outsourced access systems, the human element of security is being lost. Knowing who has been coming into the building for years – or perhaps noticing that a person is using someone else’s photo ID badge simply because their face isn’t the one on the card – are things a machine can’t do, but a human can.
“That relationship to the environment is what you’re losing,” says Nickerson. “Let’s say I’ve been working at the front desk for 10 years. I know your face. I may even be able to tell that you’re not supposed to be there even based on a feeling. A lot of that is being lost.”
6. Security linked to mobile devices
It’s not uncommon these days to have security systems – especially home security systems – linked to a mobile device. Smart sensors, wireless deadbolts, and remote control security/utility systems can all be controlled by a user’s mobile device. But some say with such convenience comes compromised security.
“While these are all nice convenient ways to keep your house ‘safe,’ at the same time, it’s all through a cell phone, a major target now of thieves, hackers, malware writers, etc.,” says Ryan Jones, managing consultant at Lares Consulting.
Though attackers can physically get their hands on your phone to get the keys to the castle – “People can’t seem to help themselves but lose their phones or have them stolen,” says Jones – they may not even need to. “I see there being a problem in the future with spoofing someone’s phone and unlocking their house and shutting off their alarm,” he adds.
In the near term, Jones suggests that people take simple security measures to protect their security systems, like using phone locks in case their phone is lost or stolen. But in the long run, better quality control is the key. “You have these executives and celebrities who don’t lock their phones because it’s an inconvenience, but people need to actually use [phone locks],” he says. “In the long term…as more people buy in, there will hopefully be more proper testing done before they are released to the market.”
7. Fingerprint scanning
Fingerprint scanning not only ups the level of security at an access point by requiring identification that is unique to each person, it also allows security systems to keep track of who is entering the facility. “It’s just being able to say that [this person] went through this door at this time…there’s a huge difference between that and, ‘It’s a key. I really have no idea who the owner was,’” says Nickerson. “It’s the biggest advancement we have.”
Fingerprint scanning technology is far from perfect, however; fingerprints can be lifted and copied through the use of gelatinous materials, for example. But as Nickerson points out, makers of security systems that use biometrics have, for whatever reason, made greater advances in ameliorating their flaws. “Manufacturers have started putting heat sensors…and pressure and heat mapping behind the scanner,” he says. “So now, the scan also has to match the person’s vein structure. It’s those multiple factors of authentication that have made biometrics so great.”
8. Facial recognition
Part of the advancements that have been made in video surveillance is facial recognition coding. Facial recognition has become so advanced that it can not only be used to verify that somebody is who they say they are, it can also be used to pick a person out of the crowd and even determine if they’re up to no good.
“You can use facial action coding, heart rate, and eye and retinal changes of any size to determine deception,” says Nickerson, who used the example of facial recognition coding systems being used in casinos in Las Vegas to sniff out cheaters at the tables or to keep them out of the building entirely. “Law enforcement in Vegas can take generic images of people and use real-time monitoring in casinos for those threats,” he adds.
Some experts argue that facial recognition has a long way to go; those trying to keep a low profile can simply pull down their hats or cover their faces, while verification systems can easily be fooled by a picture of a person’s face.
Hauhn used the example of how law enforcement in Florida used video surveillance with facial recognition of everyone who had warrants in the state when it hosted the Super Bowl some 10 years ago. He claimed that there were thousands of false positives, but Nickerson maintains that despite its flaws, the technology is advanced enough to be trusted.
“In terms of both surveillance and monitoring entry points, it has exponentially improved the amount of control and accuracy we have,” says Nickerson.