83-10-15 Physical Security
All computer and information security programs begin with protecting the physical
environment. With the advent of workstations, laptops, and telecommuting, providing
adequate physical security has become a major challenge. This article examines current
techniques for securing the entire enterprise cost-effectively, including the latest
developments in biometrics.
Before any controls can be implemented in the workplace, it is necessary to assess the
current level of security. This can be accomplished in a number of ways. The easiest is
a "walk-about." After hours, walk through the facility and check for five key controls:
• Office doors are locked.
• Desks and cabinets are locked.
• Workstations are secured.
• Diskettes are secured.
• Company information is secured.
Checking for these five key control elements will give you a basic understanding of the
level of controls already in place and a benchmark for measuring improvements once a
security control system is implemented. Typically, this first review will show a control
deficiency rate approaching 90%. A second review is recommended 6 to 9 months after the
new security controls are in place.
This article examines two key elements of basic computer security: physical security
and biometrics. Physical security protects your organization's physical computer facilities.
It includes access to the building, to the computer room(s), to the computers (mainframe,
mini, and micro), to the magnetic media, and to other media. Biometric devices record
physical traits (e.g., fingerprint, palm print, facial features) or behavioral traits
(e.g., signature, typing habits).
A Brief History
In the beginning of the computer age, it was easy to protect the systems; they were locked
away in a lab, and only a select few "wizards" were granted access. Today, computers are
cheaper, smaller, and accessible to almost everyone.
During the mid-twentieth century, the worldwide market for mainframe computer
systems exploded. As third-generation systems became available in the 1960s,
companies began to understand their dependence on these systems. By the mid- to late-
1970s, the security industry began to catch up, with Halon fire suppression systems, card
access, and RACF and ACF2. In the final quarter of the century, mainframe-centered
computing was at its zenith.
By 1983, the affordable portable computer began to change the working landscape for
information security professionals. An exodus from the mainframe to the desktop began.
The controls that had been so hard won in the previous two decades were now considered
the cause of much bureaucracy. Physical security is now needed at the desktop. For years,
conventional thinking was that a computer is a computer is a computer.
Controls are even more important in the desktop or workstation environment than in the
The computing environment is now moving from the desktop to the user. With the
acceptance of telecommuting, the next challenge will be to apply physical security solutions
to the user-centered computing environment.
With computers on every desk connected via networks to other local and remote
systems, physical security needs must be reviewed and upgraded wherever necessary.
Advances in computer and communications security are not enough; physical security
remains a vitally important component of an overall information security plan.
Where to Focus Attention
Before implementing any form of physical security, it may be helpful to conduct a limited
business impact analysis (BIA) to focus on existing threats to the computer systems and
determine where resources can best be spent. It is very important to consider all potential
threats, even unlikely ones, but ignore those with a zero likelihood, such as a tsunami in
Phoenix or a sandstorm in Maui. A very simple BIA could be diagrammed as shown in
A Business Impact Analysis Example
An unlimited number of threats can be of concern to your organization, and any number of
high-likelihood threats can be identified. First consider those threats that might actually
affect your organization (e.g., fire, flood, or fraud). Three elements are generally
associated with each threat:
• The agent. The destructive agent can be a human, a machine, or nature.
• The motive. Only a human agent can act either accidentally or intentionally; machines
and nature have no motive.
• The result. For the information systems community, this is a loss of access, or the
unauthorized access, modification, disclosure, or destruction of data or
The focus of physical security has often been on human-made disasters, such as
sabotage, hacking, and human error. Don't forget that the same kinds of threats can also
occur from natural disasters.
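The three elements above, as an added worked example that is not part of the original article: each candidate threat is recorded as an agent, a motive and a result, zero-likelihood threats are dropped as the text recommends, and the rest are ranked by expected annual loss. The sample threats, their likelihood and loss figures, and the expected-loss ranking rule itself are this example's own assumptions, not figures or a method from the article.

```python
"""Limited business impact analysis (BIA): an added example, not from the article.

Each threat carries the article's three elements (agent, motive, result) plus
an assumed annual likelihood and an assumed loss per occurrence. Ranking by
expected annual loss is this example's own prioritization rule.
"""
from dataclasses import dataclass

AGENTS = {"human", "machine", "nature"}
MOTIVES = {"intentional", "accidental", "none"}
RESULTS = {"loss of access", "unauthorized access", "modification",
           "disclosure", "destruction"}


@dataclass(frozen=True)
class Threat:
    name: str
    agent: str          # human, machine, or nature
    motive: str         # intentional or accidental for humans; "none" otherwise
    result: str         # effect on the information systems
    likelihood: float   # assumed occurrences per year (0 means "ignore it")
    loss: float         # assumed loss per occurrence, in dollars


def is_consistent(t: Threat) -> bool:
    """Only a human agent can have a motive; machines and nature act without one."""
    if t.agent not in AGENTS or t.motive not in MOTIVES or t.result not in RESULTS:
        return False
    if t.agent == "human":
        return t.motive in ("intentional", "accidental")
    return t.motive == "none"


def expected_annual_loss(t: Threat) -> float:
    return t.likelihood * t.loss


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Validate, drop zero-likelihood threats, and order by expected annual loss."""
    bad = [t.name for t in threats if not is_consistent(t)]
    if bad:
        raise ValueError(f"inconsistent threat descriptions: {bad}")
    live = [t for t in threats if t.likelihood > 0]
    return sorted(live, key=expected_annual_loss, reverse=True)


def bia_report(threats: list[Threat]) -> list[str]:
    """One line per ranked threat, highest expected annual loss first."""
    return [
        f"{expected_annual_loss(t):>10,.0f}  {t.name} ({t.agent}/{t.motive}/{t.result})"
        for t in rank_threats(threats)
    ]


# Constructed sample for a site in Phoenix; the tsunami is listed only to show
# that a zero-likelihood threat drops out of the ranking.
SAMPLE_THREATS = [
    Threat("fire in computer room", "nature", "none", "destruction", 0.02, 500_000),
    Threat("employee fraud", "human", "intentional", "modification", 0.5, 40_000),
    Threat("operator error deletes data", "human", "accidental", "destruction", 2.0, 5_000),
    Threat("power outage over 30 minutes", "machine", "none", "loss of access", 3.0, 8_000),
    Threat("burst pipe over equipment", "nature", "none", "destruction", 0.1, 60_000),
    Threat("tsunami", "nature", "none", "destruction", 0.0, 10_000_000),
]

if __name__ == "__main__":
    print("\n".join(bia_report(SAMPLE_THREATS)))
```

Note that the ranking is driven by likelihood as much as by loss: the routine operator error and the power outage outrank the catastrophic but rare fire, which is the kind of result that tells you where the first control dollars should go.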
Natural Disasters and Controls
Fire
A conflagration affects information systems through heat, smoke, or suppression-agent
damage (e.g., from fire extinguishers or water). This threat category can be minor, major, and
Install smoke detectors near equipment. Keep fire extinguishers near equipment and
train employees in their proper use. Conduct regular fire evacuation exercises.
Environmental Failure
This type of disaster includes any interruption in the supply of controlled environmental
support provided to the operations center. Environmental controls include clean air, air
conditioning, humidity, and water.
Since humans and computers don't coexist well, try to keep them separate. Many
companies are establishing command centers for employees and a "lights-out" environment
for the machines.
Keep all rooms containing computers at reasonable temperatures (60 to 75 degrees
Fahrenheit, roughly 16 to 24 degrees Celsius). Keep humidity levels at 20% to 70% and monitor
Earthquake
A violent ground motion results from stresses and movements of the earth's surface.
Keep computer systems away from glass and elevated surfaces. In high-risk areas,
secure the computers with anti-vibration devices.
Liquid Leakage
A liquid inundation includes burst or leaking pipes and accidental discharge of
Keep liquid-proof covers near the equipment and install water detectors on the
structural floor near the computer systems.
Lightning
An electrical charge in the air can cause either direct lightning strikes to the facility or
surges due to strikes on electrical power transmission lines, transformers, and substations.
Install surge suppressors, store backups in grounded storage, and install and test
uninterruptible power supplies (UPS) and diesel generators.
Electrical Power Interruption
A disruption in the electrical power supply, usually one lasting longer than one-half hour,
can have serious business impact.
Install and test UPS, install line filters to control voltage spikes, and install anti-
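The environmental, water and power controls above only help if someone is watching the sensors. The following is an added example, not code from the article: it parses a constructed sensor log, flags readings outside the temperature and humidity ranges the text gives, reports any water detector trip, and measures power outages against the half-hour mark. The log format, the 15-minute sampling interval and the sample readings are this example's assumptions.

```python
"""Environmental monitoring for a computer room: an added example, not from
the article. Thresholds are the ones the text gives (60-75 F, 20-70% RH,
water detector, outage longer than 30 minutes); the log format and the
sample readings are constructed for this example.
"""
from datetime import datetime, timedelta

TEMP_F = (60.0, 75.0)
HUMIDITY_PCT = (20.0, 70.0)
OUTAGE_LIMIT = timedelta(minutes=30)

# Constructed sensor log: one reading every 15 minutes, fields as key=value.
SAMPLE_LOG = """\
1996-03-04T02:00 temp_f=68.0 rh=45 water=dry power=on
1996-03-04T02:15 temp_f=78.5 rh=45 water=dry power=on
1996-03-04T02:30 temp_f=80.0 rh=75 water=wet power=off
1996-03-04T02:45 temp_f=81.0 rh=76 water=wet power=off
1996-03-04T03:00 temp_f=82.0 rh=76 water=wet power=off
1996-03-04T03:15 temp_f=70.0 rh=50 water=dry power=on
"""


def parse_log(text: str) -> list[dict]:
    """One dict per reading; numeric fields converted, the rest kept as strings."""
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        r = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M")}
        for p in pairs:
            k, v = p.split("=", 1)
            r[k] = float(v) if k in ("temp_f", "rh") else v
        readings.append(r)
    return readings


def threshold_alerts(readings: list[dict]) -> list[tuple[str, str]]:
    """Out-of-range temperature or humidity, and any water detector trip."""
    alerts = []
    for r in readings:
        when = r["time"].strftime("%H:%M")
        if not TEMP_F[0] <= r["temp_f"] <= TEMP_F[1]:
            alerts.append((when, f"temperature {r['temp_f']:.1f} F outside {TEMP_F}"))
        if not HUMIDITY_PCT[0] <= r["rh"] <= HUMIDITY_PCT[1]:
            alerts.append((when, f"humidity {r['rh']:.0f}% outside {HUMIDITY_PCT}"))
        if r["water"] == "wet":
            alerts.append((when, "water detected on structural floor"))
    return alerts


def outages(readings: list[dict]) -> list[tuple[datetime, datetime]]:
    """Contiguous power=off spans, from the first 'off' reading to the first 'on'
    after it. An outage still open at the end of the log is closed at the last
    reading's time, so it is reported rather than silently dropped."""
    spans, start = [], None
    for r in readings:
        if r["power"] == "off" and start is None:
            start = r["time"]
        elif r["power"] == "on" and start is not None:
            spans.append((start, r["time"]))
            start = None
    if start is not None:
        spans.append((start, readings[-1]["time"]))
    return spans


def long_outages(readings: list[dict]) -> list[tuple[datetime, datetime]]:
    """Outages past the half-hour mark: the ones a UPS alone will not ride out."""
    return [(a, b) for a, b in outages(readings) if b - a > OUTAGE_LIMIT]


if __name__ == "__main__":
    rs = parse_log(SAMPLE_LOG)
    for when, msg in threshold_alerts(rs):
        print(when, msg)
    for a, b in long_outages(rs):
        print(f"outage {a:%H:%M}-{b:%H:%M} exceeded {OUTAGE_LIMIT}")
```

In the sample the temperature drifts out of range fifteen minutes before the power and water alarms, which is the sequence a failed air handler typically produces; alerting on the first threshold breach rather than waiting for the outage gives the operator that head start.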
The Human Factor
Recent FBI statistics indicate that 72% of all thefts, fraud, sabotage, and accidents are
caused by companies' own employees. Another 15% to 20% comes from contractors and
consultants who are given access to buildings, systems, and information. Only about 5% to
8% is done by outsiders, yet the press and management focus mostly on them. The
typical computer criminal is a non-technical authorized user of the system who has been
around long enough to locate the control deficiencies.
When implementing control devices, make certain that the controls meet the
organization's needs. Include a review of internal access, and be certain that employees
meet the same standards of due care imposed on external parties. "Intruders" can include
anybody who is not authorized to enter a building, a system, or a data set.
The first defense against intruders is to keep them out of the building or computer
room. However, because of cost-cutting measures in the past two decades, very few
computer facilities are guarded anymore. With computers everywhere, determining where
to install locks is a significant problem.
To gain access to any business environment, everybody should have to pass an
authentication and/or authorization test. The three ways of authenticating users involve:
• Something the user knows (a password or PIN).
• Something the user has (a badge, key, card, or token).
• Something the user is (a fingerprint, retinal pattern, or voice).
Securing the Workstation
In addition to securing the campus, it may be necessary to secure the computers, networks,
disk drives, and electronic media. One method of securing a workstation is with an anchor
pad, a metal pad with locking rods secured to the surface on which the workstation sits. The
mechanism is attached to the shell of the computer. These are available from many
Many organizations use cables and locks. Security cables are multi-strand, aircraft-type
steel cables affixed to the workstation with a permanently attached plate that anchors the
security cable to the desk or other fixture.
Disk locks are another way to secure the workstation. These small devices are quickly
inserted into the diskette slot and lock out any other diskette from the unit. They can
prevent unauthorized booting from diskettes and infection by viruses carried on diskettes.
Cryptographic locks also prevent unauthorized access by rendering information
unreadable to unauthorized personnel. Properly deployed, encryption software need not
noticeably impact day-to-day operations while ensuring the confidentiality of sensitive
business information, and it protects the data even when the hardware itself is stolen.
Cryptographic locks are cost-effective and easily available.
Tokens
As human security forces shrink, there is more need to ensure that only authorized
personnel can get into the computer room. A token is an object the user carries to
authenticate his or her identity. These devices can be token cards, card readers, or biometric
devices; they share the same purpose, to validate the user to the system. The most prevalent
form is the card, which normally contains encoded information about the individual who is
authorized to carry it. Tokens are typically used together with another type of
authentication, such as a PIN. Many cipher locks have been replaced with token card access systems.
Challenge-response tokens supply passcodes that are generated from a challenge issued by
the process requesting authentication. Users enter their assigned user IDs and passwords
(or PINs) plus the one-time passcode computed by the token. This process requires the
user to supply something they possess (the token) and something they know (the PIN or
password that unlocks the token or accompanies its response). Because each passcode is
valid only for the challenge that produced it, a sniffed passcode cannot be replayed, and
guessing a passcode that changes on every use is not practical.
Challenge-response is an asynchronous process. An alternative is the synchronous token,
which generates the passcode without any challenge from the system, usually from the
current time or an event counter (Security Dynamics' SecurID is a time-synchronous token).
The token is synchronized with the authenticating computer when the user and token
combination is registered on the system, and the server tolerates a small amount of clock drift.
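Both token schemes, as an added example that is not code from the article or from any vendor's product. A challenge-response server issues a random challenge and accepts exactly one answer to it; a time-synchronous server derives the expected code from the clock, tolerates one step of drift, and refuses to honor the same time step twice. The HMAC-SHA256 construction, the 8-digit truncation, the 60-second step, the drift window and the shared seed are all this example's assumptions.

```python
"""Challenge-response and time-synchronous token authentication.

An added example, not code from the article or from any vendor's product.
The HMAC-SHA256 construction, the 8-digit truncation, the 60-second time step,
the one-step drift window and the shared seed are all this example's assumptions.
"""
import hashlib
import hmac
import secrets

DIGITS = 8
STEP_SECONDS = 60


def token_compute(secret: bytes, message: bytes) -> str:
    """The token's job: MAC the challenge (or the time step) under the shared secret
    and reduce it to the short numeric passcode a keypad token can display."""
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


class ChallengeResponseServer:
    """Asynchronous scheme: the server sends a fresh random challenge, the user
    keys it into the token and returns the token's answer plus a PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
        self._pending = None  # outstanding challenge for this user, if any

    def issue_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(8)
        return self._pending

    def verify(self, pin: str, response: str) -> bool:
        if self._pending is None:
            return False  # nothing issued, or the challenge was already used
        challenge, self._pending = self._pending, None  # one shot: consumed on first try
        expected = token_compute(self._secret, challenge)
        # Check both factors before returning so a wrong PIN and a wrong
        # response look the same to the caller.
        pin_ok = _same(pin, self._pin)
        code_ok = _same(response, expected)
        return pin_ok and code_ok


class SynchronousServer:
    """Time-synchronous scheme: token and server derive the passcode from the
    clock alone; the server accepts +/- drift_steps of skew and never redeems
    a time step twice, so a sniffed code cannot be replayed within the window."""

    def __init__(self, secret: bytes, pin: str, drift_steps: int = 1):
        self._secret, self._pin, self._drift = secret, pin, drift_steps
        self._last_step = -1  # highest step already redeemed

    @staticmethod
    def step_of(now: float) -> int:
        return int(now // STEP_SECONDS)

    def verify(self, pin: str, code: str, now: float) -> bool:
        if not _same(pin, self._pin):
            return False
        center = self.step_of(now)
        for step in range(center - self._drift, center + self._drift + 1):
            if step <= self._last_step:
                continue  # already redeemed (or older): treat as replay
            if _same(code, token_compute(self._secret, step.to_bytes(8, "big"))):
                self._last_step = step
                return True
        return False


def demo(now: float = 1_000_000.0) -> dict:
    """Walk both schemes through a good logon, a replayed passcode, and a bad PIN."""
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # assumed shared seed
    pin = "4321"

    cr = ChallengeResponseServer(seed, pin)
    challenge = cr.issue_challenge()            # server -> user, shown on screen
    answer = token_compute(seed, challenge)     # user keys challenge into token
    cr_ok = cr.verify(pin, answer)              # user -> server: PIN + token answer
    cr_replay = cr.verify(pin, answer)          # same answer again: no live challenge

    sync = SynchronousServer(seed, pin)
    code = token_compute(seed, sync.step_of(now).to_bytes(8, "big"))  # token display
    s_ok = sync.verify(pin, code, now)
    s_replay = sync.verify(pin, code, now + 10)                 # sniffed code, same minute
    s_bad_pin = sync.verify("0000", code, now)                  # stolen token, guessed PIN
    s_stale = sync.verify(pin, code, now + 5 * STEP_SECONDS)    # outside drift window
    later = now + STEP_SECONDS
    s_next = sync.verify(pin, token_compute(seed, sync.step_of(later).to_bytes(8, "big")), later)
    return {"cr_ok": cr_ok, "cr_replay": cr_replay, "s_ok": s_ok, "s_replay": s_replay,
            "s_bad_pin": s_bad_pin, "s_stale": s_stale, "s_next_minute": s_next}


if __name__ == "__main__":
    print(demo())
```

The one-shot challenge and the "never redeem a step twice" rule are what make a sniffed passcode worthless; without them a synchronous code is reusable for the whole drift window, which is the window an attacker on the wire would exploit.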
For many years, photo identification badges have sufficed as a credential for most
people. With driver's licenses, passports, and employee ID badges, the picture, along
with the individual's vital statistics, supplies enough information for the authentication
process to be completed. Most people flash the badge to the security guard or give a license
to a bank teller. Someone visually matches the ID holder's face to the information on the card.
The automatic teller machine (ATM) card is an improvement on the "dumb card": the
user must enter a personal identification number (PIN) along with presenting the card to
gain access, so a lost or stolen card alone is not enough. The ATM compares the information
encoded on the magnetic stripe with the information entered at the machine.
The smart card goes further. It contains a microchip consisting of a processor, memory
used to store programs and data, and some kind of interface to the reader. Sensitive
information is kept in a protected area of its memory that is written during manufacturing
or personalization and is inaccessible to the card's owner. Typically, these cards use some
form of cryptography to protect that information, so the secret need never leave the card.
Not all smart cards work with every card reader. A user inserts the card into the reader,
the system displays a message, and if there is a match, then the user is
Types of Access Cards
Access cards employ different types of technology to ensure authenticity:
• Photo ID cards contain a photograph of the user's face and are checked visually.
• Optical-coded cards contain tiny, photographically etched or laser-burned dots
representing binary zeros and ones that encode the individual's ID number. The
card's protective lamination cannot be removed without destroying the data and
invalidating the card.
• Electric circuit cards contain a printed circuit pattern. When inserted into a reader, the
card closes certain electrical circuits.
• Magnetic stripe cards, the most common form of access control card, contain magnetic
particles that hold, in encoded form, the user's permanent ID number. The stripe is
inexpensive to read and to copy with readily available equipment, so a magnetic card
by itself proves only possession of a copy of the stripe; pair it with a PIN or another
factor for anything sensitive.
• Metallic stripe cards contain rows of copper strips. The presence or absence of strips
determines the code.
Biometrics
Every person has unique physiological, behavioral, and morphological characteristics that
can be examined and quantified. Biometrics is the use of these characteristics to provide
positive personal identification. Fingerprints and signatures have been used for years to
prove an individual's identity, but individuals can be identified in many other ways.
Computerized biometric identification systems examine a particular trait and use that
information to decide whether the user may enter a building, unlock a computer, or access
Biometric devices use some type of data input device, such as a video camera, retinal
scanner, or microphone, to collect information that is unique to the individual. A digitized
representation of the user's biometric characteristic (fingerprint, voice, etc.) is compared
with a stored template in the authentication process. A biometric cannot be forgotten, lent,
or misplaced, which is its chief advantage. It is not, however, a secret: the data is relatively
static, can be observed or recorded, and cannot be reissued if it is compromised, so the
device must be able to tell a live presentation from a recording or replica, and the stored
templates must be protected like any other credential store. Every biometric system also
trades off two error rates: the false rejection rate (an authorized user turned away) and the
false acceptance rate (an impostor admitted); tightening the match threshold lowers one and
raises the other. Quoted rates depend heavily on the test population and conditions and
should be validated in a pilot in your own environment before they are relied on.
Fingerprint Scanners
The individual places a finger in or on a reader that scans the finger, digitizes the
fingerprint, and compares it against a stored fingerprint image on file. This method can
be used to verify the identity of an individual (one-to-one) or to compare the print against
a database covering many individuals for recognition (one-to-many). Performance:
• false rejection rate = 9.4%
• false acceptance rate = 0
• average processing time = 7 seconds
Retinal Scanners
This device requires that the user look into an eyepiece that scans the pattern of the
blood vessels on the retina. The patterns are compared to provide positive identification. It costs about
• false rejection rate = 1.5%
• false acceptance rate = 1.5%
• average processing time = 7 seconds
Palm Scanners
The system scans 10,000 points of information from a 2-inch-square area of the human
palm. With this information, the system identifies the person as an impostor or as authentic.
The typical price is $2,500. Performance:
• false rejection rate = 0
• false acceptance rate = .00025%
• average processing time = 2-3 seconds
Hand Geometry
This device uses three-dimensional hand geometry measurements to provide identification.
The typical price is $2,150. Performance:
• false rejection rate = .1%
• false acceptance rate = .1%
• average processing time = 2-3 seconds
Facial Recognition
Using a camera mounted at the authentication point (gate, monitor, etc.), the device
compares the image of the person seeking entry with the stored image of the authorized
user indexed in the system. The typical price is $2,500. Performance:
• average processing time = 2 seconds
Voice Verification
When a person speaks a specified phrase into a microphone, this device analyzes the voice
pattern and compares it against a stored database. The price can run as high as $12,000 for
3,000 users. Performance:
• false rejection rate = 8.2%
• false acceptance rate = .4%
• average processing time = 2-3 seconds (response time is measured after the password or
phrase has actually been spoken into the voice verification system).
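How the false rejection and false acceptance rates quoted above are computed, and why a vendor can report a zero FAR, as an added example that is not from the article. The match scores are constructed for this example; a real device produces them from fingerprint minutiae, retinal patterns, voice features and so on, but the threshold trade-off works the same way.

```python
"""False acceptance vs. false rejection: an added example, not from the article.

The match scores below are constructed (higher = closer match). The functions
show how the two rates are computed from a decision threshold and why driving
one rate to zero raises the other.
"""

# Constructed scores from a hypothetical matcher: 12 genuine attempts by the
# enrolled users, 12 attempts by impostors against someone else's template.
GENUINE = [0.95, 0.92, 0.90, 0.88, 0.85, 0.83, 0.80, 0.78, 0.75, 0.70, 0.65, 0.55]
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50, 0.58, 0.62, 0.72]


def accept(score: float, threshold: float) -> bool:
    """The device's decision rule: admit if the match score reaches the threshold."""
    return score >= threshold


def false_rejection_rate(genuine: list[float], threshold: float) -> float:
    """Share of legitimate users the threshold turns away."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def false_acceptance_rate(impostor: list[float], threshold: float) -> float:
    """Share of impostors the threshold lets in."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def tradeoff(genuine: list[float], impostor: list[float]) -> list[tuple[float, float, float]]:
    """(threshold, FAR, FRR) at every observed score, ascending by threshold."""
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        rows.append((t, false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t)))
    return rows


def equal_error_point(genuine: list[float], impostor: list[float]) -> tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest: the usual single-number summary."""
    return min(tradeoff(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_far(genuine: list[float], impostor: list[float], max_far: float):
    """Lowest threshold (hence lowest FRR) that keeps FAR within budget.
    Asking for max_far=0, as the fingerprint figures above imply, shows the FRR cost."""
    for row in tradeoff(genuine, impostor):
        if row[1] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    for t, far, frr in tradeoff(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {far:6.1%}  FRR {frr:6.1%}")
    print("equal error point:", equal_error_point(GENUINE, IMPOSTOR))
    print("zero-FAR operating point:", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

On these scores the equal error point is about 8% each way, while forcing FAR to zero pushes FRR to 25%: a quoted "FAR = 0" is a statement about where the vendor set the threshold on its own test population, not a property of the sensor, which is why the FRR beside it matters just as much.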
Managing the Controls
Security systems, passwords, locks, token cards, biometrics, and other authentication
devices are expected to function accurately from the moment they are installed, but it is
management and testing that make them work. There is little point in installing an elaborate
access control system for the computer room if employees routinely use the emergency
fire exits. Employees must be trained in the proper use of physical security systems.
Access logs must be monitored and reconciled in a timely manner.
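One form that reconciliation can take, as an added example that is not code from the article: replay the badge-reader log and the computer-room console's logon log in time order and report logons by people the readers never admitted (the signature of tailgating, a propped door, or a shared account), entries outside business hours, and use of the emergency exits. The two log formats, the host-to-door mapping, the business-hours window and every sample entry are constructed for this example.

```python
"""Reconciling badge-reader logs with workstation logons: an added example,
not from the article. The two log formats, the host-to-door mapping, the
business-hours window and the sample entries are all constructed here.
"""
from datetime import datetime, time as clock

BUSINESS_HOURS = (clock(7, 0), clock(19, 0))   # assumed normal entry window
HOST_ROOM = {"cr1-console": "CR-1"}            # assumed: host sits behind door CR-1

# Constructed badge-reader log: action is IN, OUT, or ALARM (fire-exit bar pushed).
BADGE_LOG = """\
1996-03-04 07:55 IN    door=CR-1 badge=1042 user=alice
1996-03-04 08:02 IN    door=CR-1 badge=1077 user=bob
1996-03-04 12:10 OUT   door=CR-1 badge=1042 user=alice
1996-03-04 21:40 IN    door=CR-1 badge=1077 user=bob
1996-03-04 22:05 ALARM door=FIRE-EXIT-2 badge=- user=-
"""

# Constructed workstation logon log for the console inside room CR-1.
LOGON_LOG = """\
1996-03-04 08:05 LOGON host=cr1-console user=alice
1996-03-04 08:10 LOGON host=cr1-console user=bob
1996-03-04 13:30 LOGON host=cr1-console user=alice
1996-03-04 14:00 LOGON host=cr1-console user=carol
1996-03-04 21:45 LOGON host=cr1-console user=bob
"""


def parse(text: str, source: str) -> list[tuple]:
    """Each line: date, time, action, then key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, when, action, *pairs = line.split()
        attrs = dict(p.split("=", 1) for p in pairs)
        ts = datetime.strptime(f"{date} {when}", "%Y-%m-%d %H:%M")
        events.append((ts, source, action, attrs))
    return events


def reconcile(badge_text: str, logon_text: str) -> list[tuple[str, str, str]]:
    """Replay both logs in time order, tracking who has badged into each room,
    and report (timestamp, finding, subject) for anything that does not reconcile."""
    events = sorted(parse(badge_text, "badge") + parse(logon_text, "logon"),
                    key=lambda e: e[0])
    inside: dict[str, set[str]] = {}   # door -> users currently badged in
    findings = []
    for ts, source, action, a in events:
        stamp = ts.strftime("%Y-%m-%d %H:%M")
        if source == "badge" and action == "ALARM":
            findings.append((stamp, "emergency-exit-used", a["door"]))
        elif source == "badge" and action == "IN":
            inside.setdefault(a["door"], set()).add(a["user"])
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                findings.append((stamp, "after-hours-entry", a["user"]))
        elif source == "badge" and action == "OUT":
            inside.get(a["door"], set()).discard(a["user"])
        elif source == "logon":
            room = HOST_ROOM.get(a["host"])
            # A logon on a console nobody badged in to reach: someone was let in
            # without presenting a badge, or the account is being shared.
            if room is not None and a["user"] not in inside.get(room, set()):
                findings.append((stamp, "logon-without-badge-in", a["user"]))
    return findings


if __name__ == "__main__":
    for stamp, kind, who in reconcile(BADGE_LOG, LOGON_LOG):
        print(stamp, kind, who)
```

In the sample, alice badged out at 12:10 and never back in, yet her account logged on at 13:30, and carol logged on without ever badging in; both are the "held the door open" pattern the next section describes, and neither shows up in either log on its own. Bob's 21:40 entry is legitimate but after hours, and the 22:05 fire-exit alarm is exactly the bypass the text warns about.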
Training and awareness demand time, money, and personnel, but they are essential if
organizations are to meet the challenges brought about by increased competition and
reduced resources. There must be a partnership between the technology and the employees.
Figure on spending at least as much time and resources on training employees to use the
technology as on procuring and installing it. Employees must understand why the control
mechanisms were selected and what their role is in the security process.
Companies where employees hold the door open for others to walk through may need to
review their level of security awareness. The first step in implementing a physical security
program is determining the level of need and the current level of awareness. To implement
a cost-effective security program: 1) analyze the problems, 2) design or procure controls,
3) implement those controls, 4) test and exercise those controls, and 5) monitor the
controls. Implement only the controls needed to meet current needs, but make sure that
additional controls can be added later if required. Physical security is an organization's first
line of defense against theft, sabotage, and natural disasters.
Tom Peltier is the Corporate Information Protection Coordinator for an electric utility in