The BBC recently reported on a story concerning potential vulnerabilities in some older locking systems used by international hotel chains.
Naturally, this is a headline-grabbing story meant to scare the travelling public, but it does provide a timely reminder that security practices do need to be periodically and proactively examined and put to the test. This is first and foremost to ensure the continued safety and security of people and assets, but also to safeguard against the reputational harm that can result from the publicity of such an exposure.
Keeping Ahead of Dangers
The prime takeaway from this story should be that it is vital to ensure currently available and in-use security systems are always up to date with the latest software patches. It is also a reminder to ensure that products under development, and not yet released to market, are designed to withstand - as much as possible - any potential attack from the cyber sphere. It also highlights how the convergence of physical and IT security systems is now commonplace.
Most integrated physical security systems rely upon software to operate. This makes them flexible to install and use, and makes upgrades or changes easier. Physical security manufacturers such as TDSi regularly provide software updates to enhance functionality, but also to help operators stay one step ahead of criminals.
Much in the same way as IT professionals will warn you to install software updates on your smart device or computer systems as soon as they are available, we would recommend exactly the same for physical security systems.
Unfortunately, where there is security there are always criminals trying to bypass it for their own nefarious aims, so it's essential you stay one step ahead at all times – otherwise, you are just making it easier for them!
We have spoken about cloned cards in great depth in an earlier two-part TDSi blog (please see parts 1 & 2). Suffice to say, older proximity cards are a greater risk, as the criminal black market produces cheap and readily available devices for cloning them.
Luckily, card technology has progressed significantly, and savvy security operators use the latest systems (such as MIFARE Plus and DESFire, with 128-bit encryption technology) to ensure criminals have a very difficult (if not impossible) task in trying to compromise these.
Another potential security concern that was raised in the BBC story is the use, storage and disposal of cards (at their end of life). Cards can contain a lot of secure data (even when it may seem they have been wiped or re-written), so it is vital that everyone understands their value and the importance of keeping them safe.
With staff this means enforcing strict policies on where security credentials are stored, perhaps being handed in to the security desk when a shift finishes, or when people go on holiday (and certainly when an employee leaves the organisation!)
It is also vital that any loss, theft or suspicions of data being copied or stolen are reported to the security team right away, so action can be taken (in the EU this has greater resonance from 25th May when GDPR comes into force). The time between a security breach and action being taken is crucial in combatting crime and demonstrating compliance.
Similarly, with hotel room key cards the security credentials need to be changed with each guest, and it's vital that, if a card is reported lost or stolen, all the credentials on it (or historically used on it) are immediately disavowed in case they have fallen into the wrong hands.
Another approach to circumvent this whole issue is to use biometric authorisation systems instead. By using an attribute of the human body (such as fingerprints or iris scan) there is no danger of losing a security card or token! It is also all but impossible for criminals to replicate this data to gain entry.
This is certainly a highly convenient system for employees to use, but why not visitors or hotel guests too?! You can easily take a fingerprint reading when guests check in and automatically relinquish access when their stay has finished.
You can learn more about the benefits of biometrics in this recent TDSi blog.
Outmanoeuvring Security Risks
As a security operator, it is vital that your systems and procedures keep you one step ahead of criminals who will look to exploit any weakness for their own benefit.
Eventually, some security systems may be compromised by advances in hacking, but a responsible security operator will recognise this and put measures in place to stop it becoming an issue.
Whilst security software could be seen as a weak link, in fact, it is the component which (when used properly) is able to maintain effective and flexible protection against evolving threats.
Manufacturers and software developers are constantly looking to improve and enhance the performance of their products through software patches/upgrades, to deal with the next generation of potential threats.
Security ‘common sense’ is also vital in maintaining protection, so stringent policies are a very important part of ensuring any potential weaknesses are mitigated.
Whilst the testing of security systems such as the one in the BBC story can be alarming, it is actually an excellent reminder to all operators that vigilance and effective planning should never be overlooked.