Locking picking is the art of opening a lock without keys. A set of lock picks can be used to lift the pins in a pin tumbler lock, allowing the attacker to open the lock without a key.
A newer technique called lock bumping allows the attacker to quickly open the lock by using a shaved down key and bumping the exposed portion causing the pins to jump. At that instant the attacker turns the key to unlock.
Higher end locks will typically take longer to pick or bump. A risk analysis will determine the proper type of lock to use, and this “attack time” of a lock should be considered as part of the defense in depth strategy.
Master and Core Keys
- Master Key – Opens any lock for a given security zone.
- Core Key – is used to remove the lock core in interchangeable core locks. Once removed, the door maybe opened with a screwdriver
Combination locks have dials that must be turned to specific numbers in order to unlock. Button and keypad locks are a type of combination lock.
Weaknesses: Limited accountability due to shared combinations, attacker can infer numbers due to lock wear, prone to brute force attack and shoulder surfing.
Smart cards and Magnetic Swipe cards
Smartcards (ICC – Integrated Circuit Cards) can be contact or contactless (wireless) often used as locks, credit card purchases or dual factor authentication systems. Contactless cards uses RFID tags.
Magnetic (swipe) Stripe cards are passive cards that contains a magnetic stripe that stores information.
Both types of cards maybe used in combination with electronic locks to provide physical access control and is superior in accountability compared to mechanical locks as the data can be logged and audited.
Occurs when an unauthorized person follows an authorized person into a building after the authorized person unlocks the door. The attacker often combines social engineering techniques (ie carrying large boxes) so that the user will help out.
Mantraps and turnstiles
- Mantrap – preventative physical control with two doors. The first door must close before the second door can open.
- Turnstiles – Designed to prevent tailgating by enforcing one person authentication rule. Secure revolving doors perform the same function.
Ex. Airport Security. Used to detect metals, weapons or explosives. Another concern is portable cameras or storage media that maybe used to exfiltrate sensitive data. Defense in depth strategies such as port blocking should be utilized.
Motion Detectors and other perimeter alarms
Motion detectors is a physical intrusion detection system used to detect moving objects (persons) by using the doppler effect by bouncing beams (ultrasonic, microwaves infrared) and receiving the echoes. These are active sensors. Passive sensors such as PIR (passive infrared) detects infrared energy emitted by the body.
Perimeter alarms include magnetics door and window alarms. The function like a electronic circuit, when opened (ie door opens or window opens) the alarm is triggered.
Doors and Windows
Always consider relative strengths and weaknesses of doors, windows and walls. Attackers always target the weakest link.
- Doors – Hinges should face inwards or be otherwise protected, Egress must be unimpeded incase of emergency, internal motion sensors should be fixed on sturdy ceiling or wall so that external attackers cannot trigger motion easily via violent bumps or slipping paper underneath the door. Emergency doors should be marked with emergency with panic bars that alarms when triggered.
- Windows – Bullet proof or explosive resistant should be used on secured areas, wired mesh or security film can lower danger of shattered glass. Use of simple glass requires a compensating control such as burglar alarms. Alternative materials to glass include Lexan (used in racecars/planes) and acrylic such as plexiglass.
Walls, Floors, Ceilings
Walls protecting the DC (or secure areas) should be slab to slab – floor to ceiling. The walls should be strong enough to resist cutting. The walls should have an appropriate fire rating commensurate with exposure, but not less than one hour.
Guards are a dynamic control, can be used to aid inspection of access credentials, monitor CCTVs, Monitor environment controls, respond to incidents, act as a deterrent. A pseudo guard means an unarmed security guard. A guards order’s should be complete and clear but policies in binders sitting on shelves are not enough. They maybe made aware of security risks. Guards can be attacked via social engineering which can be addressed via security awareness and training.
Perimeter defense duties placed in controlled areas between exterior building and perimeter fence serving as both deterrent and detective controls. Dogs are trained to corner and only bite when suspect flees. They can become a legal liabilty.
Restricted work areas and escorts
Areas maybe restricted by space (Authorized personnel only ) or time (time based visitor badges). To mitigate visitor badge reuse badges can be set to automatically expire, or printing valid dates and time usage in bold on badge, or use different color badges for different days of the week. Regular personnel or security guards may escort visitors. They should be made aware of dangers such as social engineering attacks, and should be trained to challenge visitors who lacks badge or escort.