Invisible Access: Opening New Doors to Insecurity
Marc Weber Tobias - Matt Fiddler - Tobias Bluzmanis
©2009 Security.org

Agenda
• Standards and Requirements
• Electro-Mechanical Locks
• Critical Infrastructure and Vulnerabilities
• Real World Threats
• Case Studies

Standards
• Why we need Standards
• What They Measure
• Limited Protocol - Few Tests
• Exclude many “Real World Attacks”
  – Bumping
  – Mechanical Bypass
  – Knowledgeable and Special Attack Techniques - Not Contemplated

Standard Security Criteria
• Define Conventional vs. High Security
• Threat Criteria
  – Forced Entry
  – Covert Entry
  – Key Security
• All Standards based upon
  – Time, Tools and Training

Forced Entry: UL437 and BHMA 156.30
• Locks must be secure against Forced methods of Attack
• Attack Resistance 5 Minutes
• Excludes many methods of attack

Covert Entry Protection
• Minimum Security Criteria in UL437 and ANSI/BHMA 156.30
• Protects against Certain forms of Covert Entry
• Assures Minimum resistance to opening
  – (10 - 15 minutes)
  – Picking and Decoding
  – Master Key Attacks
  – Bumping (Not Covered)

Key Security
• Organizational Protection
  – Duplication of Keys
  – Keys Ordered by Code
• Legal Protection
  – Availability of Blanks
• Does not address Technical Security of Keys
• Standards = Limited Security

Categories of Locks
• Conventional Mechanical Locks
• High Security Mechanical Locks
• Electronic Credentials
  – Electro-Mechanical Locks
  – Electronic Locks
  – Wired, Wireless, Data on Card

Critical Questions
• What is SECURITY re: Locks?
• Is it secure enough?
• What does a High Security rating mean?
• The concept of key control, key security and why it’s important
• Can the lock be compromised and how difficult is it?
• Real World Threats
• Methods to Compromise

Conventional Lock Functions
• Restrict “WHO” can enter
• Prevent or Delay Unauthorized Access
  – Low to Medium security
  – Not Certified
  – Covert Entry often is easy