By A.P. Delchi
Delchi’s talk revolves around an imaginary assignment to design the physical security system of a high-security facility with CCTV, and the methodology for handling this assignment.
If you want to design such a system, you need to follow these steps:
- Assessment – What do we secure? What is the status? What are the risks?
- Assignment – Which area gets which security? Prioritize. What external requirements do you have?
- Arrangement – Find the most effective locations for your security devices. Consider security and ergonomics.
- Approval – Get quotes from multiple vendors. Consider lifetimes and service plans and take expansions into account, e.g. will you require biometrics in the future?
- Action – Let’s implement it. Build, train and test.
Next, Delchi encourages us to keep failure in mind. Physical security systems will go wrong, and building the systems will go wrong as well.
Delchi’s final section of the talk outlines the various problems security professionals will encounter when dealing with the parties involved in the process: management, vendors, people who know better, users and construction workers. With funny and concrete examples he shows what to expect and how to handle these groups.
By Shawn Merdinger
Building access control systems are becoming more and more IP-enabled, but the IP-enabled portions of access control systems are often poorly controlled and don’t get much love from either IT or facilities.
But the vendors are not always helping: the S2 security box, for example, uses both a web server and a MySQL version with lots of security vulnerabilities in them. The number of security problems Shawn pointed out in various products was truly shocking.
Shawn continued to show us the results of the exploitation on a demo box he tested, which simply allowed him to open doors and get to camera feeds.
There is a worrying perception in the physical security industry that hackers will not go after these systems, but after financial data and trade secrets. This is not correct: it is very interesting for attackers to actually attack the physical security infrastructure. There is also a perception that these devices are deep in the network and not connected to the internet, but a simple Google hack showed that there are 350+ devices connected to the internet today.
Vendors have to start offering better security, and this will only happen if customers start to demand it.
Unfortunately, Matt Fiddler could not make it to the talk because of acute appendicitis. These three guys are from http://in.security.org. They presented the results of their attempts to break high-security electromechanical locks. Unfortunately they are not able to disclose the details of how they attacked the locks in the USA, but more information will be disclosed at Hacking at Random in Vierhouten in the Netherlands from 13 to 16 August.