If you need to confiscate a PC from a suspected attacker who does not work for your organiza-

Smart Cards

Smart cards are credit-card-sized IDs, badges, or security passes that have a magnetic strip, bar code, or integrated circuit chip embedded in them. They can contain information about the authorized bearer that can be used for identification and/or authentication purposes. Some smart cards are even capable of processing information or can be used to store reasonable amounts of data in a memory chip. A smart card can be referred to by several phrases or terms:

- An identity token containing integrated circuits (ICs)
- A processor IC card
- An IC card with an ISO 7816 interface

Smart cards are often viewed as a complete security solution, but they should not be considered one. As with any single security mechanism, such a solution has weaknesses and vulnerabilities. Smart cards can be subjected to physical attacks, logical attacks, Trojan horse attacks, and social engineering attacks.

Memory cards are machine-readable ID cards with a magnetic strip. Like a credit card, debit card, or ATM card, memory cards are capable of retaining a small amount of data but are unable to process data like a smart card. Memory cards often function as a type of two-factor control in that they usually require that the user have physical possession of the card (Type 2 factor) as well as know the PIN code for the card (Type 1 factor). However, memory cards are easy to copy or duplicate and are considered insufficient for authentication purposes in a secure environment.

Dumb cards are human-readable card IDs that usually have a photo and written information about the authorized bearer. Dumb cards are for use in environments in which automated controls are infeasible or unavailable but security guards are practical.

Proximity Readers

In addition to smart and dumb cards, proximity readers can be used to control physical access. A proximity reader can be a passive device, a field-powered device, or a transponder. The proximity device is worn or held by the authorized bearer. When they pass a proximity reader, the reader is able to determine who the bearer is and whether they have authorized access.

A passive device reflects or otherwise alters the electromagnetic field generated by the reader. This alteration is detected by the reader. The passive device has no active electronics; it is just a small magnet with specific properties (like the antitheft devices commonly found on DVDs). A field-powered device has electronics that are activated when it enters the electromagnetic field generated by the reader. Such devices actually generate electricity from the EM field to power themselves (like card readers that only require that the access card be waved within inches of the reader to unlock doors). A transponder device is self-powered and transmits a signal received by the reader. This can occur consistently or only at the press of a button (like a toll road pass or a garage door opener).

In addition to smart/dumb cards and proximity readers, physical access can be managed with biometric access control devices. See Chapter 1, “Accountability and Access Control,” for a description of biometric devices.

Access Abuses

No matter what form of physical access control is used, a security guard or other monitoring system must be deployed to prevent abuse, masquerading, and piggybacking. Examples of abuses of physical access controls are propping open secured doors and bypassing locks or access controls. Masquerading is using someone else’s security ID to gain entry into a facility. Piggybacking is following someone through a secured gate or doorway without being identified or authorized personally.

Audit trails and access logs are useful tools even for physical access control. They may need to be created manually by security guards, or they can be generated automatically if sufficient automated access control mechanisms (such as smart cards and certain proximity readers) are in place. The time a subject requests entry, the result of the authentication process, and the length of time the secured gate remains open are important elements to include in audit trails and access logs. In addition to the electronic or paper trail, you should consider monitoring entry points with CCTV. CCTV enables you to compare the audit trails and access logs with a visually recorded history of the events. Such information is critical for reconstructing the events of an intrusion, breach, or attack.

Intrusion Detection Systems

Intrusion detection systems are systems—automated or manual—that are designed to detect the attempted intrusion, breach, or attack of an authorized individual; the use of an unauthorized entry point; or the committal of the event at an unauthorized or abnormal time. Intrusion detection systems used to monitor physical activity may include security guards, automated access controls, and motion detectors, as well as other specialty monitoring techniques. Physical intrusion detection systems, also called burglar alarms, detect unauthorized activities and notify the authorities (internal security or external law enforcement). Physical intrusion detection systems can monitor for vibrations, movement, temperature changes, sound, changes in electromagnetic fields, and much more. The most common type of system uses a simple circuit (a.k.a. dry contact switches) comprising foil tape in entrance points to detect when a door or window has been opened.

An intrusion detection mechanism is useful only if it is connected to an intrusion alarm. An intrusion alarm notifies authorities about a breach of physical security. There are four types of alarms:

Local alarm system: An alarm sounds locally and can be heard up to 400 feet away.

Central station system: The alarm is silent locally, but offsite monitoring agents are notified so they can respond to the security breach. Most residential security systems are of this type. Most central station systems are well-known or national security companies, such as Brinks and ADT.

Proprietary system: This is the same thing as a central station system; however, the host organization has its own onsite security staff waiting to respond to security breaches.

Auxiliary station: When the security perimeter is breached, emergency services are notified to respond to the incident and arrive at the location. This could include fire, police, and medical services.
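Returning to the audit trails and access logs described under Access Abuses, the following added example (not part of the original text) reviews a door-controller log built around the three elements named there: request time, authentication result, and how long the door stayed open. The CSV layout, the sample records, and all thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, time

# Constructed sample log (not real data). Columns mirror the three audit
# elements from the text, plus a badge ID and door name (assumed fields).
SAMPLE_LOG = """timestamp,badge_id,door,auth_result,open_seconds
2024-03-04T08:58:12,B1001,lobby,granted,6
2024-03-04T09:02:40,B1002,lobby,granted,95
2024-03-04T09:03:05,B1003,server-room,denied,0
2024-03-04T09:03:20,B1003,server-room,denied,0
2024-03-04T09:03:41,B1003,server-room,denied,0
2024-03-04T23:47:09,B1001,server-room,granted,7
"""

# Assumed site policy values; tune these to the facility.
MAX_OPEN_SECONDS = 30                           # longer suggests propping or piggybacking
WORK_START, WORK_END = time(7, 0), time(19, 0)  # normal entry hours
DENIAL_THRESHOLD = 3                            # consecutive denials per badge and door


def review_access_log(text):
    """Return (timestamp, badge_id, door, reason) tuples worth a CCTV review."""
    findings = []
    denials = {}  # (badge_id, door) -> consecutive denied attempts
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.fromisoformat(row["timestamp"])
        key = (row["badge_id"], row["door"])
        if row["auth_result"] == "denied":
            denials[key] = denials.get(key, 0) + 1
            if denials[key] == DENIAL_THRESHOLD:
                findings.append((when, *key, "repeated denied attempts"))
            continue
        denials[key] = 0  # a successful entry resets the counter
        if int(row["open_seconds"]) > MAX_OPEN_SECONDS:
            findings.append((when, *key, "door held open too long"))
        if not WORK_START <= when.time() <= WORK_END:
            findings.append((when, *key, "entry outside normal hours"))
    return findings


if __name__ == "__main__":
    for when, badge, door, reason in review_access_log(SAMPLE_LOG):
        print(f"{when.isoformat()}  {door:<12} {badge}  {reason}")
```

The log alone cannot show who actually walked through the door, so each flagged timestamp is the point at which to pull the matching CCTV recording.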