Highlighting the Holes
by Modman (modman@optonline.net)
This article will highlight some of the holes in the two most typical physical security measures (security cameras and doors secured with key cards).
Many organizations will add these types of technology enhancements without amending their security protocols or worse yet using these tools as an excuse to cut back in personnel and doing away with commonsense procedures. I hope those responsible for security will be responsible and take heed.
First up, the ubiquitous key card.
Many organizations swear by this method of portal control to such a degree that they lock down almost every door from supply closets and bathrooms to the front door. The fact of the matter is they love the feeling of security it gives to everyone every time they walk through a door.
Most establishments are governed by fire codes that require that when a fire alarm is pulled all electronic controlled doors in the vicinity are released (in some states even detention centers are covered by this type of code). This is to allow the fire department access to fight the fire. During a drill everyone must leave the area and they are directed to a safe location leaving these unlocked doors unattended. Time for an evildoer to do evil things.
A best practice for security would be that when it is reasonably safe, a security agent should position himself near sensitive locations during a drill until the fire department can relieve him. Note that a well placed security camera can perform this function if someone is looking at the cameras. Most guards will be too preoccupied with the fire drill and the fire trucks (the most excitement they've had all week).
Obviously if you pilfer a card from someone with access to the areas you need access to, these locks become useless.
If you were to take the card from someone as they left for the day and then drop it by their desk when you were finished, they'd find it the next day and probability would never even report it. You wouldn't have to worry about your key card donor gaining access the next day as most employees will gladly hold the door open for their fellow staff member.
If you only needed access for a short period of time, you could take the card before they left for lunch. Then you can almost always be assured that the card donor will both have someone with them to let them in and that a report will not be filed.
The best practice for security is to be stationed at each egress and visually check each person at the beginning of each shift, lunch time, and at the end of the shift. This would highlight the missing cards. This must be followed up with an inquiry of the database as to where the missing key card was used and a report to alert the areas that were inappropriately accessed.
Now let's turn our attention to the almighty security cameras.
They are relied on way too much by your typical security department. They stick a camera anywhere they can fit one without the support staff necessary to monitor it. The general wisdom is that they are deterrents all by themselves.
Just the mere sight of them makes people behave. Well, that is the initial effect. People get freaked out at first but then they adjust. People seem to be able to get used to anything, even Big Brother. Just ask any security guard stuck in front of a monitor the things people do on camera. It's amazing.
If you need to get by a camera, first see if anyone is watching or if it is even real.
Start choking in front of one and see if anyone comes to help. Do this on different shifts and make note of the results. Do not push this as it will get you noticed in a bad way very quickly if they realize you were faking. Ask a friend to help, that is, if you have any. If the camera is real and is being monitored, then one has to be more creative. If you are with security, trust your instincts. Log your suspicions with this type of behavior if you feel it may be BS.
Even with the advent of network attached video cameras, most of them are still hard-wired. If you unplug a camera there will be many unpleasant questions to go around. Don't do this as most cameras are laid out to cover each other. Unplug one camera and the other has filmed you doing it. If you want to take out a camera's cable, find the distribution box. This box works like a network hub; many cameras are wired back to this box and then one cable goes back to the security office. In a small institution this will not work as they will just be hard wired back to the main post (SOL).
If you can locate the room that has the distribution box, many things can be done.
First off you can just unplug the camera there or switch one camera feed with a different one. The security staff will have a hard time locating it themselves especially off day shift. If you find the closet but cannot gain access, just look for an electrical outlet outside the closet nearby.
Most will be fed from the same circuit. Just short it out causing the distribution box to die. This works really well even if they are using a UPS (battery backup) because if the power goes out overnight they will usually wait until morning to fix it and the UPS will only give them about a half hour of power and then go dead.
If you have uninterrupted access to these distribution boxes you can even record a normal feed and play it back later so security has something to watch when the camera goes out.
First, slip in a coax splitter in line, then tape a normal feed. Then, using the same splitter, detach the camera and play back your recording. It is important to make sure you play back the same time frame.
For example, sunshine coming through a window at midnight raises questions even with the dimmest guards. Most time stamps come from the main system so your video will even have the right time superimposed on it.
Security should have the closets alarmed or at least have a camera on them to catch anyone messing with them. They must use a UPS and they should tie them back to the operations center so when they go out engineering will be alerted. The procedure should be that these distribution boxes are high priority and they cannot wait until the next day to fix them.
Hopefully this gives security professionals something to think about and to act on. If you're a bad guy and you try to use these tips for evil purposes, you will probably get caught.
Most institutions do not have all these holes left open but if they do, maybe they need some encouragement to plug them up. Buy them a copy of 2600 and highlight this article.
After all, they are protecting you as well and if they are doing a crappy job, they are putting you at risk!
If you have any comments email me. If you have a question I will try to get back to you within your lifetime or at least by the end of mine.