Domain 10: Physical Security

www.giac.org

•  
• Overview
  • Mission Statement
  • FAQ
  • Code of Ethics
  • GIAC Ethics Council
  • Code of Ethics - Violation Submission
  • EEOC Policy
  • Proctor Policy
  • Program Overview (PDF)
  • Contact
• Why GIAC
  Certification Matters
• Certifications
  • Roadmap
  • Steps To
  • Security Admin
    • GAWN
    • GCFA
    • GCFW
    • GCIA
    • GCIH
    • GCUX
    • GCWN
    • GISF
    • GREM
    • GSEC
    • GCED
    • GSOC
    • GPEN
    • GWAPT
  • Management
    • GISP
    • GSLC
    • GCPM
  • Audit
    • G7799
    • GSNA
  • Legal
    • GLEG
  • Software Security
    • GSSP-NET
    • GSSP-C
    • GSSP-JAVA
  • GSE
  • GSE-Malware
  • GSE-Compliance
  • DoD 8570
  • Retired Certifications
• Certified
  Professionals
  • Listings
    • G7799
    • GAWN
    • GCFA
    • GCFW
    • GCIA
    • GCIH
    • GCUX
    • GCWN
    • GISF
    • GISP
    • GREM
    • GSEC
    • GCED
    • GSLC
    • GSSP-NET
    • GSNA
    • GSOC
    • GPEN
    • GCPM
    • GLEG
    • GSSP-C
    • GSSP-JAVA
    • GWAPT
    • Retired Certifications
  • Profiles From The
    Front Lines
  • Does Certification Really Matter?
  • GIAC Hero
  • Business Card Logos
• GIAC Gold
• GIAC Expert Level
  • GSE
  • GSE-Malware
  • GSE-Compliance
• Skills Test and Report (STAR)
• GIAC Help and Information – NEW
• Challenge Info
• Registration Info
  • GIAC Pricing
  • Challenge Certification
• Exams
  • Practice Tests
  • Deadlines
  • Exam Technical Issues
• Proctor Program – NEW
  • Program Details
  • FAQ
  • KRYTERION Sites
  • Proctor Policy
  • Proctor Forms
  • Computer Requirements
• Retakes & Extensions
• Recertification
• Exam Feedback Procedure
• Grievance Procedure
• Resources
  • Overview
  • Interview with
    Dr. Cole
  • Student Comments
  • D1: Access
  • D2: Network
  • D3: Management
  • D4: Application
  • D5: Cryptography
  • D6: Architecture
  • D7: Operations
  • D8: Planning
  • D9: Law
  • D10: Physical
• ADA Accomodation Policy
• Job Listings
• SANS Portal
• SANS Home
• SANS Software Security Institute
• SANS Reading Room
• Direct Links G7799 GSAE GPCI GSNA GAWN-C GCDS GLFR GLIT GBLC GLEG GCIP GHSC GISP GFSP GEWF GEIT GLDR GCIM GCPM GSLC GCSC GSPA GOEC GISO GISF SSP-CNSA GGSC-0400 SSP-DRAP SSP-MPA GGSC-0200 GSEC GGSC-0100 GPEN GSOC GWAS GWAPT SSP-GHD GCWN GCFA GCED GHTQ GCIA GCIH GCFW GIPS GCUX GAWN GNET GREM GSIP GSSP-C GSSP-JAVA GSSP-NET
•  

• Overview
• Interview with Dr. Cole
• Student Comments
• Domain 1: Access
• Domain 2: Network
• Domain 3: Management
• Domain 4: Application
• Domain 5: Cryptography
• Domain 6: Architecture
• Domain 7: Operations
• Domain 8: Planning
• Domain 9: Law
• Domain 10: Physical

Locks

Category: Physical Security
Authors: Terry Martin and Alexandro Bakhto
Date Added: February 12th, 2007

---

Introduction

With methods of defeat imaginatively popularized by the entertainment industry, locks and locksmithing are some of the most mysterious, interesting, and important segments of physical security.

The terms lock picking, combination lock manipulation, and master keys evoke imagery of superspies artfully bypassing security mechanisms to reach their objective within the time-limited context of the viewer's attention span. In reality, any commercial or institutional class hardware is, by design, significantly resistant to sophisticated compromise.

That being stated, it is important for information security professionals to have an understanding of the types of locks, keys, and safes so that they can be deployed in a risk appropriate manner that anticipates their limitations and methods of attack.

Risk Assessment

To make a risk appropriate selection for locking hardware, the risk assessment must anticipate the type of a likely security incident.

A security incident follows three essential patterns:

• Targeted
  Characterized by low-incident of occurrence and high to catastrophic damages. Loss results from compromise of security through sophisticated attack methods, including social engineering and compromise of trusted personnel. Security systems must be tamper resistant, fault tolerant, and resist skilled and determined attacks potentially facilitated by the deliberate subversion of trusted personnel. Opportunistic risks might be present.
• Opportunistic
  Characterized by medium- to high-incident of occurrence and low to catastrophic damages. Losses result from unskilled ad hoc access facilitated by inadequate intrusion detection and deterrent systems, and lack of controls over movement of people and assets. Trusted personnel might be subverted by temptation.
• Accidental
  Characterized by low incident of occurrence and low to catastrophic damages. Losses result from inadequate planning and risk assessment, inadequate personnel training, and awareness and lack of automation in security.

Terminology

It has been said that there are as many different names for lock parts and concepts as there are locksmiths, so it is useful to adopt a lexicon that has assumed some standard of official adoption, specifically, that used by the Architectural Hardware Consultant (AHC). Knowledge of the terminology also promotes insight into the underlying concepts:

• Change Key (CK): A key that generally operates only one lock in the master key system.
• Master Key (MK): A key that operates all the locks in a given group, with each individual lock having its own Change Key.
• Grand Master Key (GMK): A key that operates all the locks in two or more distinct groups, with each group having its own Master Key.
• Great Grand Master Key (GGMK): A key that operates all the locks in a series of GMK groups.
• Key Interchange: An undesirable condition in which a key operates locks for which it was not explicitly intended.
• Cross Keying: A deliberate design by which two or more different change keys can operate a lock within a given master key system. This is a controlled implementation of key interchange.
• Construction Keying: A design by which a series of locks operate by a temporary master key, and which is canceled out by the first use of the change key.
• Key Changes: The total number of useable change keys available within a given system, or under a given master key.
• Key Section: The sectional profile of the blade of a key, viewed by sighting along the bow toward the tip.
• Sectional Master Keying: Also known as Multiplex Master keying, it is a method of increasing the scope of master key systems by repeating change key bittings across different key sections. The section of the master key is designed to pass the broaching of the different keyways that restrict different change key sections.
• Key Set: The term used to denote individual keys, for example, Key Set AA1.
• Keyed Alike (KA): Two or more cylinders that are pinned to the same bitting and operated by the same change key. This is not the same as master keyed.
• Keyed Different (KD): The term for cylinders that are pinned to different change keys. They are master keyed if within a system.
• Single Keyed Different (SKD): A cylinder that is keyed only to its assigned change key and is not operated by any level of master key.
• Cross Keying (X): A prefix used in hardware schedules to signify keyed alike sets of cylinders.
• Hardware Schedule: A list, typically a matrix, that comprehensively describes the security policy applied to security hardware within a facility. It includes manufacturer's catalogue descriptors and the location of every lock.
• Keying Schedule: A list, also typically a matrix, that comprehensively associates the Hardware Schedule to keys and may associate keys to individuals. The keying schedule is a high security document used to isolate secure information from the hardware schedule. It contains the bitting array for the master key system and can be used to associate keys to individuals.

Components of a Basic Lock

Although there are a multitude of lock applications, with many variations in the construction of locks including electro-mechanical, magnetic, and electro-magnetic devices, the basic lock consists of the following:

• A mechanism with a bolt or latch to secure the door and its corresponding strike plate on the frame
• A keyed cylinder and combination mechanism to engage or disengage the bolt

As with logical security, the security level of locks is determined by resistance to brute force and sophisticated attacks. Generally, the heavier the mechanism and more resistant the cylinder or combination mechanism is to picking, drilling, or manipulation, the higher the security level attributed to the lock.

Deterrence to advanced methods of defeat in lock cylinder design is the determining element of the security level attributed to it. Warding or broaching of the keyway presents an obstruction to the insertion of tools or keys not intended to operate the mechanism, and hardened inserts deter drilling attacks. In addition to the configuration of the keyway, the arrangement and design of the tumblers determine the level of difficulty presented to a sophisticated attack with advanced techniques.

Additionally, the uniqueness of the system determines the incidence of key interchange between systems or the unintentional operation of a lock by a key not explicitly intended for it.

Security levels associated with both locks and keys are generally grouped into categories of low-, medium-, and high-security. The same three categories can be applied to the facility to create security zones, simplifying the deployment of locks.

Keys and Master Keying

There as many variations of keys as there are locks, and while sharing the same categories of low-, medium-, and high-security, the security level associated with keys is determined by the degree of difficulty encountered in unauthorized reproduction, or the ability to manage and control their distribution.

Master keying is the mathematical architecture for key management, and it is ultimately a necessary system of convenience, not security.

Master key systems follow a hierarchical structure and clearly defined terminology, with the lowest level being the Change Key.

A typical master key system is organized as shown in the following chart:

Note the system levels created above MK are simply the joining of two or more lower level systems.

The keying schedule may be organized as illustrated:

The number associated with AA1 is the actual bitting of the change key or "key code" and translates into the cuts on the key itself. It can be used to make a working key and can be found stamped into the head of the key as shown here.

As with other information assets, protection of this type of information should be addressed at the information security policy level, and the information security professional should assume ownership to ensure that the facilities group has an adequate framework and understanding of issues associated with it.

Architectural Hardware

Locks are grouped within a general category called Architectural Hardware, which includes door closers and checks, hinges, ventilation louvers, door viewers (peepholes), blocker plates, and miscellaneous other equipment that can be found attached to doors, frames, and so on within a facility.

As with the rest of the structure, all the components play a role in security by creating potential penetration points by which the lock hardware can be bypassed or cause a failure in its intended function.

A self-latching lock is of little value if the door closer fails to properly close the door, and a ventilation grill may provide an easy reach or crawl-through point. Exposed hinge pins may provide an easy way to remove the door, latches, or locking bolts not protected by blocker plates that may be exposed to prying attacks, and an external door with no door viewer may result in personnel unintentionally unlocking the door to an attacker.

The First Line of Defense

Deployed at the perimeter as the first line of defense, locks represent the primary mechanical objects within a physical security framework that lay the foundation for all other physical security, including safety.

Carefully crafted safety measures can fail with tragic consequences if the locks fail to permit egress or access in an emergency.

Controlling both entry and egress, the unobtrusive lock is inextricably linked to the specification by which the entire architectural envelope is designed. It serves little purpose to create a monolithic wall with massive entry doors if the lock creates a weak deterrent, and vice versa.

A suspended ceiling might create an over-the-wall entry point, or conventional gyproc sheeting might present little impediment to simply kicking a hole through the wall to gain access.

The lock is predicated on the assumption that each plane of the perimeter (over/under, through and around), presents a barrier equivalent to that presented by the lock itself.

Locks as a Deterrent

The word deterrent is the operative expression. A full comprehension of the meaning of the word includes acknowledgment that locks are intended to slow down an attack, not necessarily prevent it. The most sophisticated electronic security systems are effectively useless if an attacker can execute a "smash-and-grab" and be long gone before intervention can occur.

The word deterrent implies a disincentive, which is supported by the appearance of the lock. The designers of bank vaults have long understood the preventative value of vault doors that create the appearance of impenetrability to a potential attacker, and at least as importantly, by being placed in plain sight, reinforce the public confidence placed in the institution as a secure repository for valuables.

The lowly lock embodies the principles that drive information security, and public confidence in the security of information holds the same value for the enterprise as does the public confidence in an institution entrusted with physical valuables.

• A cheap lock is an invitation to attack.

The Outer Edge

With a nearly endless array of hardware manufacturers, each with multiple lines of lock hardware categorized by security level, function, and type, it is useful to start a general discussion of lock hardware at the outer edge of the facility, which is typically a low-security zone.

At the outmost edge are fences and gates, which require weatherproof hardware, typically padlocks.

The locking element of a padlock is the shackle, which can be compromised by breaking and cutting, or simply forcing it open. A good padlock has a hardened shackle no less than 3/8-inch thick with heel-and-toe locking engagement and may have an integral shackle guard or shroud to limit access with tools, such as bolt cutters.

The padlock specification should anticipate the need for the lock to be keyed into the facility keying system and, accordingly, requires the appropriate type of cylinder.

You can also find surveillance cameras deployed at the outer edge of a facility, which raises the issue of enclosure locks. As with any secure cabinet within the facility, the camera enclosure should not only be secured with a utility lock, but should also be solidly attached to the structure and secured with tamper-resistant fasteners. Video cameras are expensive and represent a visible target for theft.

In addition, the new generation of IP-based cameras present direct InfoSec risks, from the network credentials of the appliance to the privacy of individuals within the field of view of the camera. Cameras should be effectively locked to the structure and secure from access.

Utility locks are typically inexpensive wafer tumbler type with low security. The information security professional should recognize them to ensure they are not inappropriately used on cabinets and enclosures representing a higher-risk level.

Keys associated with common utility locks are typically easily duplicated, and the locks are easily defeated by force, picking, or through operation by keys not intended for them.

Whereas a simple padlock on a gate might seem like a trivial consideration in a risk assessment, it does carry an important consideration. As with all other essential security concepts, the model of subverting equipment connected to the network to mount an attack has its counterpart in the traditional physical security world.

Locks contain information that can be used to mount an attack.

Master keying (as differentiated from Master Lock, which is not a lock, but a brand name) is a traditional arrangement devised to create a manageable key system within a facility. The convenience does, however, come at a cost to security. A padlock, or any other lock keyed into the master keying system, can be removed and reverse engineered to create a master key. A padlock is particularly at risk because it is on the perimeter of the security envelope and might be left hanging on the gate during occupied hours. Padlocks should not be master keyed and should be secured to the gate with a chain.

A padlock represents all three risk types:

• Targeted risk as in the preceding scenario.
• Opportunistic risk: A vandal can obstruct access by gluing the lock.
• Accidental risk: The keys for the padlock might have been left hanging in it, or the padlock might have been left unlocked.

Entering the Facility

As you leave the grounds and enter the facility, you can encounter a number of types of doors and openings, each requiring a specific type of lock and securing a higher level zone of security.

Entry doors can be categorized as public or private access. Other entry types can be loading bays, parking garages, roof hatches and elevator shafts, windows, communications or service entrances and tunnels, and exit-only doors.

Within the Facility

Within the facility, you can find locks deployed for the specific protection of information assets. Data closets, cable access panels, server rooms, cabinets and equipment enclosures, laptop security cables, to name a few, are locations where locks are found specifically protecting information assets.

Security Zones

Whether at the outer edge or within the facility, the adoption of security zones assists in quickly identifying the appropriate security level associated with the locking hardware. By identifying the perimeter of the zone, and the risk level of the asset within the zone, everything from enclosures to entire facilities can be summarized and categorized, and the corresponding lock hardware can be specified.

Facilities personnel are relieved of the problem of identifying information security issues and can simply designate low-, medium-, or high-security locking hardware and implement appropriate key control measures in a familiar context of understanding.

Traditional Types of Locks

There are so many elements to a lock specification that industry has generally adopted legend keyed numbering to describe a particular lock, and product catalogues generally lay out the options in a matrix format.

For example:

The complexity of locks can generally be reduced to door locks and equipment locks, and the complexity of door locks can be further reduced into three categories:

• Rim devices, which are used (for example) on aluminium-framed glass doors
• Cylindrical lock sets, which are mounted in a hole bored through the door and are seen on most residential and light commercial doors
• Mortise locks, which are mounted in a cavity cut into the edge of the door and which tend to be seen within institutional environments

Within these categories, locks are generally characterized by grade, function, cylinder type, and bolt or latching mechanism.

The grade and bolt or latching mechanism of the lock determines the quality and robustness of its overall construction. A lock exposed at the outer perimeter should be more resistant to a brute force attack, because doors within the perimeter are generally better supervised. Latching type mechanisms automatically ensure the door locks when it closes, however, latching mechanisms have a low resistance to being pried open. Dead bolt mechanisms typically must be locked manually, but they are the standard to be installed in conjunction with the latching device, with a much higher resistance to brute force attack.

Blocker plates are typically installed to protect the latch or bolt and strike on both devices.

Function is determined by the application, and there are many variations. Common functions are exit-only, entry/exit, passage, panic set and so forth

Cylinder types vary, but any door requiring a keyed lock within a facility is worthy of at least the medium-security designation, and the pin tumbler cylinder is the de facto standard for medium-security applications.

A variation of the traditional door lock is the combination lock, which uses a mechanical combination arrangement to control access. These devices are typically fitted with a conventional keyed cylinder to override the combination in an emergency. They are not considered to be a high-security lock.

Equipment Locks

Equipment locks are typically considered to be in the low-security category, however, some high-security lock manufacturers provide equipment locks compatible with high-security cylinders, which are necessary for key control and inclusion in the facility master key system.

High-Security Locks

There are a number of high-security locking arrangements, each with their own attributes, cost being not the least of them. Electronic controls and electromechanical or electromagnetic locking mechanisms have become the standard in high-security locks, and they are frequently directly controlled by access control systems, or form a stand-alone access control system providing audit trail capability.

A high-security lock has a robust body and latch or bolt that is significantly resistant to brute force attacks. Electromagnetic locks have become commonplace, eliminating the problem of entry gained by brute force attacks on mechanisms. They also protect against the physical equivalent of a DoS attack, which occurs when a vandal glues or otherwise damages a lock so that authorized entry is prevented.

The high-security cylinder is specifically designed to be significantly resistant to all forms of sophisticated attack, and the keys are strictly controlled, in most cases requiring specialized equipment and authorized dealers to duplicate.

Advanced access control concepts have been adopted by lock manufacturers, including smart card technology, biometrics, and multifactor authentication.

An important consideration with such locks is that they are typically equipped with a key override, and the keyed system should represent a security level consistent with that provided by the electronic control.

In addition, if a key is lost, particularly a master key, it takes time and usually represents a significant expense to rekey the locks and redistribute new keys.

A high-security locking system deployed across a geographically isolated enterprise can encounter support issues in small towns where resources are limited. A lock design called Interchangeable core (IC core) is offered by some manufacturers to enable unskilled personnel to make a rekey of the facility.

The system utilizes a special key called a control key to disengage the cylinder from the body of the mechanism, allowing a replacement to be quickly installed.

Safes

In addition to controlling access with locks and electronic measures, safes can be installed for either fire protection, theft protection, or both. A conventional fire safe suitable for paper document protection is not suitable for the protection of electronic media, which require special safes that control the internal environment within the tolerance of the media.

Neither media safes nor general fire safes are rated for burglary resistance and are generally constructed of thin sheet metal over microfoamed concrete or similar material. If the electronic asset carries a high-theft risk, a burglary-rated container might be fastened inside a fire or media safe to add the burglary rating.

In either case, the protection offered by the safe is limited to the amount of resistance against simply being carried off, or the amount of time available and degree of difficulty for an attacker to penetrate the safe.

Safes can be equipped with mechanical combination locks, electronic combination locks, or keyed locks. Keyed locks are frequently found employed as a "day" measure so that the combination does not need to be entered for frequent access during occupied periods.

Fire-rated filing cabinets are also a traditional means of document protection.

Locks and Forensics

No discussion of high-security locks is complete without touching on lock picking. Lock picking is one of those concepts like safe manipulation, romanticized by the entertainment industry, along with forensics, beyond all factual recognition.

However, conceptually representing all forms of surreptitious entry, lock picking does have a place for serious consideration when the asset represents a targeted risk. Even the most inexpensive implementation of locks in the high-security category is effectively impervious to conventional lock picking: however, security incidents can and do occur.

The implementation of a lock represents the next step in the security process, following the risk assessment and policy development. It is anticipatory of a security incident, thus anticipatory of litigation, and has forensic implications.

The second-to-last step of the security process is investigation after an incident, following which the recommendation for policy revision is made. The line of reasoning that forms the central assumption in an investigation follows;

When a loss is experienced under the circumstance that no forcible entry can be determined in the investigation, the most probable explanation is that a key was used to gain entry. In a high-security system, the most likely key to have been used is one that is intended by design to operate the lock, and so the perpetrator can reasonably be determined to be a person in possession of an actual system key.

With good key control, accountability is in place, and the direction of the investigation narrows the focus to an individual. If the matter is serious and that person "lawyers up," the central assumption that predicates the suspicion comes under challenge, and the first thing thrown out in defense will be that the lock was picked or otherwise operated by means other than with a system key.

Informed counsel will suggest the key was duplicated or otherwise reproduced, and it is wise for the information security professional to have an understanding sufficient to derail such arguments.

In fact, the best practice when presenting suspicion to an individual is to have an overwhelmingly compelling case that anticipates all the likely arguments. This strategy may well convince the person to "fess up" and save everyone a lot of time and expense, not to mention avoiding the publicity of a potential court proceeding.

What is not necessarily obvious in the preceding incident is that it is the keys that are the primary consideration. Policy should include direction to the investigating personnel to immediately collect the keys and establish attestations from the personnel holding them as to the whereabouts of the keys at the time of the incident.

This has the effect of binding the guilty party to control of the key, and by collecting the key according to proper procedure, it can be secured in a forensically sound manner that will not undermine an investigation.

Conclusion

The complexity of locks and keys, and their primarily mechanical nature, need not deter the information security professional from gaining an understanding. Indeed, as detailed in the section on forensics, locks are necessarily an indispensable element of information security.

By gaining an understanding of the mysterious domain of the locksmith, the security professional can better enlist their expertise. As with any resource, the locksmith is only as effective as the guidance used to direct implementation, and an understanding of the technology of locks and keys can assist the information security professional in developing an effective security program that most effectively incorporates the deployment of physical security hardware.

As the information security professional gains insight into the elements of physical security, it will become clear that the essential concepts of information security have their roots in the legacy and history of the lock.

Additional Resources

http://www.locksmithledger.com/
http://www.thenationallocksmith.com

---

• Overview
• Interview with Dr. Cole
• Student Comments
• Domain 1: Access
• Domain 2: Network
• Domain 3: Management
• Domain 4: Application
• Domain 5: Cryptography
• Domain 6: Architecture
• Domain 7: Operations
• Domain 8: Planning
• Domain 9: Law
• Domain 10: Physical

© 2000-2009 The SANS Institute

SANS Web Privacy Policy: www.giac.org/privacy.php - Web Contact: webmaster@giac.org

Phone: 301-654-7267 | Mon-Fri 9am-8pm EST/EDT

(ISC)² and CISSP are registered marks of the International Information Systems Security Certification Consortium, Inc.