Physical Security - Locks & Biometrics


  • Physical Security - Locks & Biometrics

    Many types of locks exist, and they are an effective means of physical access control. Locks are by far the most widely implemented control; one reason is the wide range of options available, another is the low cost. Even stores that are open 24/7 have locks, not for the same reasons but because they need the option to lock the door: a clerk who spots a malicious person such as a robber may have time to lock the door before he can enter.

    Two main types of locks exist:
    • Mechanical locks
      • Pin-tumbler locks
      • Wafer locks
      • etc.
    • Cipher locks
      • Electronic locks
      • Combination locks
      • etc.

    Mechanical locks, such as warded or pin-tumbler locks, require a key of some sort to open. Cipher locks are electronic locks, often equipped with a keypad for typing in codes. Cipher locks are no more secure than mechanical locks, and even though pin-tumbler locks and cipher locks rarely have the same vulnerabilities, they may be equally easy or hard to open without the correct key or code. Locks are good physical deterrents and work quite well as a delaying control, but some locks can be bypassed or picked. Lock picking is not the fastest way to overcome a lock, but it can be used to avoid detection: it is a stealthy way to gain access, and the organization may not realize what has happened until much later.
    Some locks use contactless cards, such as Radio-frequency Identification (RFID) cards, which do not require the card to be inserted or slid through a reader. These cards have a small chip and an antenna and are passive in nature, meaning they do not have a battery or other power source attached. RFID cards are powered by an electromagnetic field from the card reader, which induces a current that powers the chip in the card.
    Another control in the category of physical access is biometrics, which can be implemented as a type of authentication system. Biometrics is based on a behavioral or physiological characteristic that is unique to an individual. This kind of authentication is an accepted replacement for password-based authentication, or it can serve as two-factor authentication in combination with passwords or PIN codes. The accuracy of a biometric device is measured by the percentages of two types of errors it produces. Type one errors are false positives, or the False Acceptance Rate (FAR), and define the percentage of individuals who were allowed access but should not have been. Type two errors are false negatives, or the False Rejection Rate (FRR), and define the percentage of individuals who were denied access but should have been allowed access.

    Biometric systems include the following:
    • Finger Scan Systems - This system is widely used and often available on devices such as laptops and even some modern smart phones.
    • Hand Geometry Systems - This system functions by measuring the unique geometry of a user's fingers and hand for identification.
    • Palm Scan Systems - This system attempts to measure the creases and ridges of a user's palm for identification.
    • Retina Pattern Systems - This system examines the user's retina pattern and is very accurate.
    • Iris Recognition - This eye recognition system matches the user's blood vessels on the back of the eye and is also very accurate.
    • Voice Recognition - This system analyzes the user's voice for identification.
    • Keyboard Dynamics - This method analyzes the user's speed and pattern when typing.

    When opting for biometrics or any other authentication method as a physical control, keep in mind the environment it is being implemented in. If it is in place in a large organization and most employees go to work at the same time, you could be creating a bottleneck of employees waiting to access the building, especially if all or most employees use the same entrance or exit and the organization uses biometrics in combination with a mantrap. If authentication takes a long time and some users have to attempt authentication more than once because of type two errors, it may quickly turn into a hassle, and employees may start holding the door open for each other, effectively defeating your control.
    Certified Security Geek
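
As an added example (not part of the original post), the sketch below computes FAR and FRR as defined in the post from constructed match scores, then estimates how retries caused by false rejections lengthen the queue at a single entrance. The scores, thresholds, headcount of 300, 6 seconds per attempt and the assumption of independent retries are all illustrative assumptions.

```python
# Constructed sample data: (match_score, is_genuine_user). Not real measurements.
ATTEMPTS = [
    (0.91, True), (0.84, True), (0.77, True), (0.69, True), (0.62, True),
    (0.58, True), (0.95, True), (0.88, True), (0.45, True), (0.73, True),
    (0.12, False), (0.25, False), (0.33, False), (0.41, False), (0.52, False),
    (0.61, False), (0.18, False), (0.29, False), (0.37, False), (0.66, False),
]


def error_rates(attempts, threshold):
    """Return (FAR, FRR) when scores >= threshold are accepted."""
    genuine = [s for s, ok in attempts if ok]
    impostor = [s for s, ok in attempts if not ok]
    far = sum(s >= threshold for s in impostor) / len(impostor)  # wrongly accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)     # wrongly rejected
    return far, frr


def expected_queue_seconds(employees, seconds_per_attempt, frr):
    """Time for everyone to pass one reader, retrying until accepted.

    Assumes independent attempts, so a genuine user needs 1 / (1 - FRR)
    attempts on average (geometric distribution).
    """
    if not 0 <= frr < 1:
        raise ValueError("FRR must be in [0, 1)")
    return employees * seconds_per_attempt / (1 - frr)


def sweep(attempts, thresholds, employees=300, seconds_per_attempt=6):
    """Tabulate the security/throughput trade-off for each threshold."""
    rows = []
    for t in thresholds:
        far, frr = error_rates(attempts, t)
        minutes = expected_queue_seconds(employees, seconds_per_attempt, frr) / 60
        rows.append((t, far, frr, round(minutes, 1)))
    return rows


if __name__ == "__main__":
    for t, far, frr, minutes in sweep(ATTEMPTS, [0.40, 0.55, 0.70]):
        print(f"threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%} queue={minutes} min")
```

Raising the threshold drives FAR down but FRR and queue time up, which is the point at which employees start holding the door open for each other.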