In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization. It is all about the physical security of the organization using information technology, for the purpose of restricting the access of unauthorized people and unauthorized employees, and so protecting your organization physically.
Chapter 6
Authenticating People
Chapter 6 Overview
The three authentication factors: what you know, you have, and you are
Passwords, password bias, and search space calculations
Cryptographic building blocks: random choice, one-way hash
Authentication devices: personal tokens and biometrics
Basic issues in authentication policy
Elements of Authentication
Authentication Factors
Something you know
Password or PIN
Something you have
Key or token
Something you are
Personal trait
Traditional parallel terms:
Something you know, are, have
Multi-factor Authentication
Using different factors in authentication
NOT two or three instances of the same factor
Two-factor authentication
ATM authentication: ATM card + PIN
Biometric laptop: Fingerprint + password
NOT: Password + PIN
Three-factor authentication
Biometric access card: fingerprint + card + PIN
NOT: fingerprint + PIN + password
Authentication Threats
Focus in this chapter
Trick the authentication system or access assets through the system
No “remote” attacks via Internet or LAN
Threats must have physical access to system
Range of threats
Weak threat – authentication is effective
Strong threat – authentication may work
Extreme threat – authentication not effective
Attacks on Authentication
Password Authentication
Each User ID is associated with a secret
User presents the secret when logging in
System checks the secret against the authentication database
Access granted if the secret matches
Risks
Shoulder surfing at the keyboard
Reading the password off of printer paper
Sniffing the password in transit or in RAM
Retrieving the authentication database
Password Hashing
One-Way Hash Functions
A Cryptographic Building Block function
We will see more building blocks later
Input:
An arbitrarily large amount of data, from a few bytes to terabytes – RAM or files or devices
Output:
A fixed-size result
Impractical to reverse
Minor change to input = big change to output
Sniffing Passwords
Goal: intercept the password before it is hashed
Keystroke loggers
In hardware: Devices that connect to a keyboard's USB cable
In software: Procedures that eavesdrop on keyboard input buffers
Password Guessing
The DOD Password Guideline (1985) required that the chance of a successful guess be no better than 1 in a million.
This was designed to defeat interactive password guessing: A person or machine made numerous guesses
Some guessing succeeds based on social and personal knowledge of the targeted victim
Modern network-based guessing can try tens of thousands of alternatives very quickly.
Off-line Password Cracking
How Fast Is Off-line Cracking?
It depends on the size of the search space
i.e., how many legal – or likely – passwords?
Legal passwords are limited to specific sets of characters, typically from the ASCII set
Single-case letters only:
Two letter passwords = 26^2
Three letter passwords = 26^3
… etc.
Password with L letters = 26^L
Increasing the Search Space
Two options
Increase L – the length of pas ...
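The search-space arithmetic (26^L legal passwords), the one-in-a-million guessing bound, the one-way hash properties (fixed-size output, small input change gives a large output change) and the "check the secret against the authentication database" step above, worked through in one added Python example that is not part of the original slides. Assumptions made here: the alphabet sizes for mixed-case alphanumerics (62) and printable ASCII (95), the guess rates fed to the functions (constructed, not measured), PBKDF2-HMAC-SHA256 as the concrete one-way hash (the slides name none), and uniformly random password choice, which ignores the password bias the chapter also discusses.

```python
"""Added example: password search space, guessing bounds and one-way hashing."""
import hashlib
import hmac

LOWERCASE = 26          # single-case letters, as on the slide
MIXED_ALNUM = 62        # a-z, A-Z, 0-9 (assumed alphabet size)
PRINTABLE_ASCII = 95    # printable ASCII, space through '~' (assumed alphabet size)


def search_space(alphabet_size: int, length: int) -> int:
    """Number of legal passwords of exactly `length` symbols: alphabet^length."""
    return alphabet_size ** length


def cumulative_search_space(alphabet_size: int, max_length: int) -> int:
    """Passwords of length 1..max_length: an off-line cracker tries the short ones too."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def min_length_for_guess_bound(alphabet_size: int, guesses: int, one_in: int) -> int:
    """Smallest length L such that an attacker who can make `guesses` attempts over the
    password's lifetime succeeds with probability at most 1/one_in, assuming the
    password was chosen uniformly at random.  Condition: alphabet^L >= guesses * one_in."""
    target = guesses * one_in
    length = 1
    while alphabet_size ** length < target:
        length += 1
    return length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to try every password of a given length at a given (assumed) guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second


def digest(data: bytes) -> bytes:
    """Plain one-way hash: any input size, always a 32-byte result."""
    return hashlib.sha256(data).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests (the avalanche property)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_password(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256; assumed choice).  The salt
    stops one cracking run from covering every user; the iteration count raises the
    attacker's cost per off-line guess, which shrinks the effective guess rate."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_password(stored: bytes, salt: bytes, attempt: bytes, iterations: int = 100_000) -> bool:
    """Check a login attempt against the stored hash without ever storing the secret.
    Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(stored, hash_password(attempt, salt, iterations))


if __name__ == "__main__":
    rate = 1e9  # constructed off-line guess rate, guesses per second
    for name, size in (("single-case letters", LOWERCASE),
                       ("mixed alphanumerics", MIXED_ALNUM),
                       ("printable ASCII", PRINTABLE_ASCII)):
        print(f"{name:20s} 8 chars: {search_space(size, 8):>20,d} passwords, "
              f"{seconds_to_exhaust(size, 8, rate):>14,.0f} s at {rate:.0e} guesses/s")
    print("letters needed for a <= 1-in-a-million bound against 1e6 guesses:",
          min_length_for_guess_bound(LOWERCASE, 1_000_000, 1_000_000))
    d1, d2 = digest(b"password1"), digest(b"password2")
    print("bits differing between two near-identical inputs:",
          differing_bits(d1, d2), "of", len(d1) * 8)
    salt = b"constructed-salt"
    stored = hash_password(b"correct horse", salt)
    print("login with right password:", verify_password(stored, salt, b"correct horse"))
    print("login with wrong password:", verify_password(stored, salt, b"correct horsf"))
```

Note that `min_length_for_guess_bound` is exactly the slide's "increase L" option: with 1 guess per second over roughly twelve days (about a million guesses) and single-case letters, nine letters are needed; widening the alphabet to printable ASCII brings that down to seven.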
1. Avoiding getting owned without knowing it: Physical Security in the Workplace. By: Mitch Capper and Doug Farre
2. This Presentation
We only have 45 minutes
Won't be covering:
Mechanical lock details
High security mechanical lock details
Latest high security exploit details
Goal is to help you evaluate a 'secure' area to see possible holes in security
3. What is most important to you?
Your Data
Your Contacts
Your Customers' Confidence
Your Inventory
Your Employees
4. Security Budget
Virtual Security:
Firewalls
Anti-virus
IDSs
VPNs
System administrators
Auditing and review
Segmented networks
Encryption and training
Software updates and Group Policies
5. Your Virtual Security Setup IS GREAT
Keeps the virtual bad guys out
Stops drive-by and 0-day exploits like no other
Has kept your company secrets secure for many years
6. Compromising Virtual Security
Physical key loggers
BIOS-level rootkits, with FDE and virtualization
Live malware
Cold boot attacks
7. Physical Security is Trump
Most virtual security monitors the border
Secure data can only be defined as offline and encrypted
At the end of the day there is only one undeniable fact: physical access means 100% data vulnerability
8. Why don't people think about Physical Security?
Don't think it's a threat
Impossible to secure
Not enough resources or knowledge
Haven't got around to it
9. Espionage
Frequently uses physical attacks
Over 100 billion annually in cost
Large attacks can be "game over"
Social engineering with minimal physical attacks has accomplished most large attacks
10. Social Engineering and Information Gathering
Social Engineering:
Co-worker
Salesman
Interviews
Reference checks
Impersonation
Information Gathering:
Interviews
Prospective clients
Public tours
Dumpster diving
Off-site observation
Internet
11. Let's Talk Physical Security
Breaks down to 5 main areas:
Mechanical Access Control
Electronic Access Control
Alarm Systems
Surveillance
Egress Devices
14. Alarm Systems
Must be hardwired
Expensive install
4 main sensor connection types:
Trip on fail
Circuit always connected
'Constant Monitoring'
Magnetic Coupling
Use GSM or phone for reporting
Spend most of their time off
Response time
18. Electronic Access Control
Handling of lost keys/terminated employees
Easy to reprogram/rekey
Advanced control (blackout times, use counts, etc.)
Provides AUDITING
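The auditing, revocation, blackout-time and use-count controls that the slide credits to electronic access control, shown as an added Python example that is not part of the deck: it parses a constructed EAC event log and flags the events a reviewer would want to see. The log format, badge ids, door names, policy tables and thresholds are all constructed for illustration and match no real controller's export.

```python
"""Added example: reviewing an electronic access control (EAC) audit log."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed EAC event log: timestamp, badge id, door, result reported by the controller.
EVENTS = """\
2024-03-04T08:55:12 B1001 front-door GRANTED
2024-03-04T09:02:40 B1002 server-room GRANTED
2024-03-04T23:17:05 B1002 server-room GRANTED
2024-03-05T02:41:30 B1003 front-door GRANTED
2024-03-05T02:41:33 B1003 front-door GRANTED
2024-03-05T02:41:36 B1003 front-door GRANTED
2024-03-05T10:15:00 B1004 front-door DENIED
"""

# Constructed policy data: a terminated employee whose badge was never collected,
# a per-door blackout window, and a per-badge daily use limit.
REVOKED = {"B1003"}
BLACKOUT = {"server-room": (time(20, 0), time(6, 0))}   # no entry 20:00-06:00
DAILY_USE_LIMIT = 2


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_log(text: str) -> list:
    """Turn the controller's space-separated export into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door, result))
    return events


def in_blackout(door: str, ts: datetime) -> bool:
    """True if the door has a blackout window covering the event time."""
    window = BLACKOUT.get(door)
    if window is None:
        return False
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps past midnight


def audit(events: list) -> list:
    """Return (timestamp, badge, reason) findings for granted events that break policy."""
    findings = []
    uses = {}
    for e in events:
        if e.result != "GRANTED":          # denials are the controller doing its job
            continue
        if e.badge in REVOKED:
            findings.append((e.ts, e.badge, "revoked badge granted access"))
        if in_blackout(e.door, e.ts):
            findings.append((e.ts, e.badge, f"entry to {e.door} during blackout window"))
        key = (e.badge, e.ts.date())
        uses[key] = uses.get(key, 0) + 1
        if uses[key] == DAILY_USE_LIMIT + 1:   # report once, on the first excess use
            findings.append((e.ts, e.badge, "daily use count exceeded"))
    return findings


if __name__ == "__main__":
    for ts, badge, reason in audit(parse_log(EVENTS)):
        print(f"{ts.isoformat()}  {badge}  {reason}")
```

A revoked badge that is still granted access is the finding to chase first: it means the controller's database was not updated when the employee left, which is exactly the lost-key problem EAC is supposed to solve. The log is only as trustworthy as the controller that wrote it, so treat it as a detection aid rather than proof of what happened at the door.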
23. EAC: Fail
Most devices/systems use the Wiegand protocol; think clear text over hard wire
Mechanical lock backup
No destructive attack resistance
24. Mechanical Locks: Attacks
Key duplication
Bumping
Picking
Impressioning
Rights escalation in master key systems
Bypass
25. MLA: Key Duplication
All non-high-security locks
Some high security locks
Key duplicators
Clay molding
Silicone casting
26. MLA: Bumping
Requires a bump key: a blank or key in the system, and a file
Can be purchased online for under $5 a key
All non-high-security
Some high security
Low barrier to entry
27. MLA: Picking
Most people can pick an easy lock within 5-30 minutes of first being given the tools and minimal instruction
Within months of casual practice most can open most non-high-security locks, both pin tumbler and wafer
Large picking community: www.lockpicking101.com
30. MLA: Adams Rite Wires
Affected huge numbers of locks
Lock/egress combined attack
31. MLA: Impressioning
Key from the lock
Key blanks, file
Skilled attack
The art of a locksmith
32. MLA: Rights Escalation in MK Systems
Matt Blaze from AT&T Labs, 2002
No technical skill required
One key to the system, one lock, 5-7 key blanks, and a file
Under-desk attack
33. High Security Locks
Abloy, ASSA, BiLock, Medeco, Mul-T-Lock, Schlage (Primus)
Should be: bump resistant, hard to pick, hard to duplicate keys, hard to drill
Industrial locks
34. HSL: Problems
Changing keys is a pain
Even some high security locks suffer from varying degrees of standard attacks (bumping, rights amplification, key duplication)
Getting unique blanks is very hard for anyone short of the largest companies
35. HSL: Ground Zero
Mechanical locks are usually what sits between the outside world and the sensitive data
One of few active preventions
Low investment can greatly enhance security
Frequently overlooked
37. Proper Physical Security Layers
Look not just at how you are supposed to enter, but at alternate methods/exit ways
Dual authentication: separate electronic and mechanical authentication
38. Combined Physical/Electronic Locks
Combined cylinders (say Assa Abloy brand's CLIQ) try to bridge gaps and minimize costs
Most brand systems (Medeco, Assa, Mul-T-Lock) are already compromised
Abloy Protec CLIQ still safe (also the only mechanical lock, for that matter)
40. Questions?
Our email is at @SecuritySnobs dot com (first name @)
Mitch Capper
Doug Farre
41. MLA: Rights Escalation – The How File each of the 5 keys to the same depths of the normal user key skipping one of each position on each key Put non working key in door try it If doesn’t work file the one unfiled position Try again until works If works and is same height as normal key keep filing, otherwise the key is done Once all keys are done, compare each to the original and make the GMK of different heights
Editor's Notes
- Ourselves and background
- Talk name
- Tag line
* Background in mechanical locks and mechanical lock compromise
* My personal background: currently do project management at a medium-size IT service company; recently gave presentations in New York and Las Vegas on recent high security lock compromises, and identification card security
0:22
- Half-day talk's worth of material in 45 min
- Not: mechanical or high-sec locks or exploits, buying
- Help you understand and evaluate secure areas
* These things don't affect much except what locks to stay away from and what to buy (which we could easily just tell you straight up).
* Broader topic
0:53
- First step is deciding what to secure
- Then what money you are comfortable spending to secure it
* What is important to you, and how much money do you have?
1:19
- Let's talk about your security budget
- What security budget?
- Yearly budget
- Not always the case, but most invest once in physical security vs. ongoing on virtual
* Let's talk about your security budget; some are saying "what security budget?"
* Many organizations have a virtual security budget allocation but choose to just invest in physical security on a case-by-case basis
* One of the goals of this presentation is to help you realize that virtual security should have its own separate budget allocation
1:45-Best Case-slides
2:00-Slides-Apple firmware key logger-Live malware even in generic download malware
4:05-Slides
4:30-Slides
5:30
- Internal and external espionage both use physical attacks as low skill
- FBI: 100 billion
- End game for biz
- Social engineering + minimal physical was all that was required for most major espionage
* Takes someone with training to compromise a secure virtual system
* Social engineering + minimal physical was all that was required for most major espionage
6:25
- Don't need social engineering, but it doesn't hurt
6:45
- 5 main areas
- Slides
* Electronic AC: wide range
* Egress: any hardware that is involved in in/out; frequently overlooked.
7:50
- Let's talk latches
- What are standard latches / found in all exits and some entries
- Slides
* A latch is in all doors that will remain closed without being locked
* To open a latch just means depressing it
* Guards: prevent shimming
* Deadlatch (if the bar is all the way out then the latch can be depressed)
9:50
- Most don't think about
- Slides
- Simple under-door / balloon
* Push bars: for exits, but drill a hole and use a wire
* Button: access from the other side
* Infrared/motion sensor: wiggle under door, balloon
12:00
- Once understood, not overly complex/secure
- Read slides
- False alarms / remote / response time
15:40
- Things the attacker won't know / will trip / etc.
- Slides
16:15
- Cameras good, record lots; if resolution OK, good for identification
- Not aware of breaches right away
- Even 24/7 monitored, not obvious
- ID cards not inspected, easy dupe
- Guards respond, not detect; 2 guards
18:10-Easy replay streams-Hard to cover all areas-Most not High Quality
18:35-EAC used by most major medium/large and some small-Slides-Auditing not always secure