Thursday, October 15, 2020

Contactless Access Credentials & Egress

With the business landscape changing so dramatically over the past few months, possibly irrevocably, the task has changed for many in security, including consultants, integrators, dealers and manufacturers. As businesses and organizations begin to reopen, many are rethinking the way they budget for security, including access control, video surveillance and intrusion alarms.

It’s amazing that a microscopic virus from China could virtually bring the world to a standstill. The 2020 global pandemic has reshaped the way people work, learn and play on every conceivable level. In addition to the devastating impact on global health and safety, COVID-19 has infected the health of the global economy.

The growing call to return to work will surely accelerate many of the physical (not social) distancing, sterilization and occupancy issues that we are currently facing. Hopefully, modern medicine will rise to the challenge sooner rather than later with a COVID-19 vaccine, but this may take some time even with accelerated testing and approvals.

Commonly touched items that can cause the spread of coronavirus (and other infectious disease) can include things like elevator buttons, ATM and checkout keypads, door knobs and handles, keyboards and mice, and door/entry access control panels — just to name a few. When you think about all of the “touchable” items that you interact with each day it becomes a daunting task to stay away from them and feel safe, clean and virus-free. Well, it's no surprise that right now, businesses are feeling the need to provide solutions and upgrade their safety and security as the workforce begins to come back to the office or plan for that to happen soon.

Contactless credentials are the most common component used in an access control system, and while many look alike externally, important differences exist. “Contactless credentials and touchless access control can help reduce the number of surfaces that people touch on campus and can help reduce contact transmission,” said Arindam Bhadra, founder of SSA Integrate.

Credentials Overview

While other credential options exist, the most common choice is RFID 'contactless' types. Nearly 90% of systems use contactless cards or fobs built as unpowered devices that are excited and read when brought close to a reader unit. This 'wireless power' process is called resonant energy transfer.

In proximity reader technology the reader itself emits a field that is collected by the card, eventually building enough charge to temporarily power a wireless data transfer between the two. The image below details the typical internal components of this type: the wire antenna collects energy, the capacitor stores it, and when the capacitor is full it discharges, powering the ICC chip to send the credential data back through the antenna to the reader:

In general, all contactless credentials work this way but the exact parameters like operating frequency, size of credential data, encryption, and format of the data greatly vary in the field. In the sections that follow, we examine these parameters in depth.

Contactless Credentials Dominated by Giants

One of the biggest differences between contactless credentials is the format of the data they contain, typically determined by the manufacturer. Upwards of three-quarters of contactless credentials use formats developed or licensed by HID Global and NXP Semiconductors.

HID Overview

Since the market began migrating away from 'magstripe' credentials in the early 1990s, HID Global has gained market share with its 125 kHz "Prox" offerings. Now part of ASSA ABLOY, HID has become the most common credential provider in the security market, and the OEM of products for access brands including Lenel, Honeywell, and Siemens. The company's best-known formats include:

·     "Proximity": an older 125 kHz format, but still regularly used and specified even in new systems

·      iClass: an HID Global specific 13.56 MHz 'smartcard'

HID is the most common choice for credentials in the US. Because of its commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs "Part A", described in more detail later).

NXP Overview

Formerly Philips Semiconductors, Europe-based NXP offers a number of 'contactless' credential components used across several markets: security, finance, and industrial. With widespread adoption of ISO standards in credential specifications, NXP offers a catalog of types built to spec, including:

· MIFARE PROX: NXP's 125 kHz format built on early drafts of ISO standards, but not as widely adopted as HID's "Proximity" lines

· MIFARE/DESFire: an ISO standards-based NXP 'smartcard' format, also operating on 13.56 MHz. The 'DESFire' moniker was introduced in the early 2000s to distinguish the format from 'MIFARE Classic' credentials. DESFire credentials feature stronger encryption that required higher performing chips. The 'Classic' format fell under scrutiny for being vulnerable to snoop attacks, and DESFire countered this threat. Because these improvements were made only to the credentials, and existing MIFARE readers could still be used, the new format became known as 'MIFARE/DESFire'.

Unlike HID, NXP's credential formats are 'license-free' and the corresponding standards are available for production use at no cost. NXP manufactures all of its ISO 14443 products to "Part A" standards. NXP's market share is largest outside the US, mostly attributed to the early (starting in the 1990s) adoption of HID Global formats inside the US, but the brand's formats are often the primary ones used in Europe and Asia for physical access control.

US vs the World

Because of NXP Semiconductor’s strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated derivatives are popular outside the US.

However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces products that use the unlicensed NXP formats and has equal or greater interoperability as a result.

125 kHz vs 13.56 MHz

The credential's RF frequency plays a key role in its performance. Because readers can only scan credentials operating at specific matching frequencies, this attribute is the first to consider. If frequency and format do not match, credentials are simply not read. The chart below shows the frequency of popular formats:

Perhaps the biggest difference between the 125 kHz and 13.56 MHz frequencies is credential security. 125 kHz formats do not support encryption and are easily snooped or spoofed. However, 13.56 MHz formats are encrypted (usually 128-bit AES or greater) and credential data can only be read by a device that has specifically been given the key to do so.

Deciphering Credential Types

One of the most challenging jobs for integrators and end users alike is simply identifying which credential a system is using. The market is crowded with hundreds of options with no guarantees of compatibility for items that all appear to be a blank white card. The image below details four different credential types with dramatically different performance and security characteristics, yet they all look the same to the untrained eye:

For contactless types, you must know three attributes that are not typically clearly printed or overtly labeled on the credential:

· Format Name: This designates how, and how much, data the credential transmits, usually defined by an ISO standard for Wiegand formats. For example, H10301 is the typical 26-bit format, H10304 is HID's 37-bit Wiegand format, and so on. The best way to confirm the format used by a card is to locate a box label of existing cards (see image below, 'Card Format Details'), or to use an online format calculator to interpret the raw hexadecimal output as a specific format. If card boxes are not available, research the credential type by checking the format configured in the access control management software, typically in the cardholder and reader configuration settings.

· Facility Code: This attribute is NOT printed on the card in most cases. This piece of information is also typically found on box labels, but can be decoded using the same online calculators used for the format name. In certain cases, access systems must be configured to accept specific facility codes, and some low-end systems may limit acceptable codes to one specific number. Without knowing this code, credentials are not guaranteed to work.

· Card ID/Serial Number (CSN/UID): In many cases, the ID number is embossed or printed on the card. This number is the 'unique ID' that ties a user to a specific badge. While consecutive numbers are not an issue, duplicate numbers are, and the same Card ID and Facility Code credential cannot be issued twice in the same system. The image below shows.
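The three attributes above are exactly what a format calculator works out from the raw bits a reader reports. The following Python is an added worked example, not code from the original post or from HID: it encodes and decodes the H10301 26-bit Wiegand layout named above (1 even-parity bit, 8-bit facility code, 16-bit card number, 1 odd-parity bit), rejects a read whose parity bits do not check, and flags a facility code/card ID pair that has been enrolled twice. The facility code 123 and card number 45678 are constructed sample values, not from the post.

```python
"""H10301 (HID 26-bit Wiegand) encoder/decoder.

Added example, not from the original post. Bit layout, MSB first, bit 1 .. bit 26:
  bit 1       even parity over bits 2-13
  bits 2-9    facility code, 8 bits (0-255)
  bits 10-25  card number, 16 bits (0-65535)
  bit 26      odd parity over bits 14-25
"""
from dataclasses import dataclass

H10301_BITS = 26


@dataclass(frozen=True)
class Credential:
    facility_code: int
    card_number: int


def _popcount(value: int) -> int:
    return bin(value).count("1")


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit raw value a reader would emit for this credential."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    payload = (facility_code << 16) | card_number   # the 24 data bits (bits 2-25)
    left, right = payload >> 12, payload & 0xFFF     # bits 2-13 and bits 14-25
    even = _popcount(left) & 1                       # makes the left half's one-count even
    odd = (_popcount(right) & 1) ^ 1                 # makes the right half's one-count odd
    return (even << 25) | (payload << 1) | odd


def decode_h10301(raw: int) -> Credential:
    """Split a 26-bit raw read into facility code and card number, checking both parity bits."""
    if not 0 <= raw < (1 << H10301_BITS):
        raise ValueError("expected a 26-bit value")
    even, odd = raw >> 25, raw & 1
    payload = (raw >> 1) & 0xFFFFFF
    left, right = payload >> 12, payload & 0xFFF
    if (_popcount(left) + even) % 2 != 0:
        raise ValueError("even parity check failed (bits 1-13)")
    if (_popcount(right) + odd) % 2 != 1:
        raise ValueError("odd parity check failed (bits 14-26)")
    return Credential(payload >> 16, payload & 0xFFFF)


def decode_h10301_hex(raw_hex: str) -> Credential:
    """Convenience wrapper for the hexadecimal form printed by readers and box labels."""
    return decode_h10301(int(raw_hex, 16))


def find_duplicate_credentials(raw_reads):
    """Return (facility_code, card_number) pairs that occur more than once.

    Mirrors the enrollment rule in the text: the same facility code and card ID
    must not be issued twice in one system.
    """
    seen, duplicates = set(), set()
    for raw in raw_reads:
        cred = decode_h10301(raw)
        key = (cred.facility_code, cred.card_number)
        if key in seen:
            duplicates.add(key)
        seen.add(key)
    return duplicates


if __name__ == "__main__":
    raw = encode_h10301(123, 45678)             # constructed sample values
    print(f"raw 26-bit value: 0x{raw:07X}")     # 0x2F764DD
    print(decode_h10301(raw))                   # Credential(facility_code=123, card_number=45678)
    try:
        decode_h10301(raw ^ (1 << 5))           # one flipped data bit breaks the odd parity
    except ValueError as exc:
        print("rejected corrupted read:", exc)
```

Feed `decode_h10301_hex` the hexadecimal string a reader or box label reports and it returns the facility code and card number the access system expects; a `ValueError` on a real read means the bits are not a valid H10301 frame, so the card is most likely a different format or bit length rather than a faulty card.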

Interestingly, the Sales Order/Batch Number information printed on the card is often not used by the access system at all and is only printed to assist in researching the origin of the card as shipped to a specific distributor, end user, or dealer.

In some cases, a card vendor or distributor will 'read' an unknown card for a fee, but turnaround times may take several business days.

The box for cards currently in production is often the quickest, easiest way to gather all three pieces of this information, as well as a reordering part number, as shown below:

The ISO/IEC 14443 Division

Very little separates HID's iClass from NXP's MIFARE offerings, and if not for ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' standards with a different encryption structure.

The end result is that both versions of the credential claim 'ISO 14443 compliance', but are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. The default, basic serial number of the card is readable under both Part A and Part B, but any encoded data on the card is unreadable between the two because the original standard left room for implementation ambiguity.

In general, because there is no licensing cost in using 'Part A' standards, many low-cost, non-US target market, and new reader products start here. However, readers marketed specifically in the US or from vendors with a broader global market license use 'Part B' compliance common to HID.

For example, this TDSi reader supports 14443-A but not 14443-B, meaning in practical terms that it does not support HID's 13.56 MHz iClass formats, but does support NXP's 13.56 MHz MIFARE/DESFire formats:

In contrast, HID iClass readers support both 'A' and 'B' along with the non-ISO specific 'CSN' such that either type of credentials will work with these readers:

13.56 MHz Smartcard Interoperability

While the 'Part A & B' division in ISO 14443 keeps the formats from being identical, it does not always mean they are unusable with each other. Portions of ISO 14443 are the same in both parts, including the 'Card Serial Number'. For some access systems, this is the number that identifies unique users, and because this number is not encoded, it will register in 'non-standard' readers:

· CSN/UID String: Essentially, the card's unique identifier is readable because it is not stored in the deep 'encrypted' media. Many simple EAC platforms use only this number to define a user, and use the internal database to assign rights, schedules, and privileges.

· Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems using the credential itself for storage (e.g. Salto, hotel systems) and for high-security deployments with multi-factor authentication (e.g. biometrics), the simple CSN is not sufficient.

The CSN Loophole

In terms of security, not all credential details are encrypted. The 'Card Serial Number' (defined by ISO standards) for 13.56 MHz cards can often be read regardless of underlying format, modulation method, or encryption. The CSN may be usable as a unique ID by the system, but the full data set of the credential will not be available.

For smaller systems with only a few doors and a hundred or fewer cardholders, using the CSN as the primary ID is common due to the ease of enrollment in using CSNs as unique badge numbers. However, for high-security sites where access identity encryption is required by standard or when credentials are used for multiple integrated systems, using CSNs to identify issued cardholders is often not approved. Rather, the card's encrypted data is required instead.

Form Factor

Credential shapes are not just limited to cards or fobs. The size and method of hosting a credential can include stickers, tokens, cell-phone cases, or even jewellery.

The form factor of the credential often is an important consideration in overall durability and service life. For example, while a white PVC card may be ideal to print an ID badge on and hang from a lanyard, it can easily be bent or broken in a rough environment. A key fob, while unsuitable for printing a picture on, is designed to be durable enough to withstand abuse, harsh environment exposures, and even submersion in water.

The right form factor choice should be dictated by the user and the user's environment, and generally, all major credential types have numerous form factor options to suit.

Touchless Switches

A touchless wall switch makes opening a door simple and germ-free. Blue LED back-lighting highlights the switch at all times other than during activation, providing a visual reference of the switch's location in low-light conditions. Its low-profile design lets it blend into the wall.

Thursday, October 1, 2020

WORSHIP SURVEILLANCE DETECTION

India has one place of worship for every 400 people, more than the countrywide spread of educational and medical institutions put together. And it does not seem that the pattern is going to change soon.
We often come and go from our Houses of Worship (HOW) with very little thought about who may be watching our activities. If we have implemented basic security precautions, we are probably comfortable in our setting. Security and worship can be successfully blended for those who worship in your facility. No house of worship (HOW), whether a church, mosque, temple, or synagogue, is exempt from crime, whether committed by an internal member, a stranger, or as a random act of terrorism. On 5th September 2018 the District Magistrate of Srinagar, Dr Syed Abid Rasheed Shah, ordered the installation of CCTV cameras in and around all prominent shrines, mosques and temples in the district.

Terrorists often gather significant pieces of information from open sources such as Google Maps and social media postings. They collect a lot of data about their target of interest and eventually they will conduct physical surveillance. After collecting initial data about the HOW, the terrorists will begin to survey the location, trying to determine the best time and mode of attack. Terrorists may look for a soft target that will bring instant publicity and maximize impact. A soft target can be a facility that doesn’t lock its doors or provide any type of security. Finding no resistance to their surveillance, they quickly realize there will be little or no threats to their safety, allowing them easy access in and out of the building. Depending on their plan of attack, they may send more skilled members to collect additional information by conducting surveillance inside and outside of the facility.
Risk Assessment
How do you know if someone is watching your facility? First, as a member it is always important that you are aware of who is in the parking lot. Be aware of any cars with people sitting in them that are in close proximity to your facility.
Now we need to identify the risk factors as seen through terrorists’ eyes.
Red Zones:
Terrorists seek locations to position themselves in what are referred to as red zones. These zones will normally meet the following three requirements:
1) View of the target. Terrorists want to observe vulnerabilities so they need a good view. They will note the times of services. They will note how many people are there at any given time, seeking the opportunity to kill the maximum number possible with as little effort as possible. They will observe who comes and goes from the facility and will note the established patterns of behavior.
2) Cover and concealment. Terrorists need to be able to apply cover and concealment tactics. While they are viewing the intended target, they do not wish to be observed by you.
3) Safety and Exit. Terrorists do not want to be apprehended and thus seek a safe exit which provides a quick exit, should their presence be observed.

Green Zones
As you are entering and exiting from your HOW, it is important that you are observant of suspicious activities.
Following are a few suspicious activities you might observe around your facility:
• Someone taking notes or photos who stops abruptly when approached
• Someone pointing at the target or casually looking around
• Circling the block repeatedly in a taxi or vehicle.
• Car, van, or truck parked nearby with occupants taking notes or photos.
• Drawings or maps observed in a vacant car, van, or truck.
• Interest in security systems/someone enters and asks about the security system
• Someone glancing away or appearing to be nervous when approached.
• Someone enters the facility claiming to be looking for someone, and they appear overly interested in the physical layout of the building


The above listed activities may or may not indicate that your location is under surveillance. However, if observed, they should be noted and reported immediately. Another consideration as terrorist activities increase is that if law enforcement personnel are able to observe those conducting surveillance, it could result in lives being saved by collecting and sharing intelligence information. Otherwise, terrorists may move onto the next facility, which could result in many casualties. Regardless, the decision to question those conducting hostile surveillance or conduct additional surveillance must be made by law enforcement or a trained security team member.
Securing Worship
This part is divided into three sections:
• Interior security
• Exterior security
• Procedural and/or best practices

Interior Security
1. Access Control:
Controlling and limiting access is one of the most important steps that can be taken to improve security. Some worship staff and worshippers will not be comfortable with restricted access.

• Establish policies to maintain access control
• Limit access to childcare, business offices, cash counting area, and media rooms.
• Doors and windows should be secured when the building is vacant.
• Limit points of access. When opening your facility, consider the event, the number of people, and the location of the event. Limit access by only opening doors that are close to the area being used. Do not open every door.
• Establish checkpoints based on need, and staff accordingly. A checkpoint is an entry where all people and things are screened based upon the security plan for the current threat environment.
• Keys for critical areas and master keys must be especially controlled.

2. Burglar Alarm:
• Establish policies to maintain burglar alarm system.
• Ensure an alarm system covers access points and key areas where expensive items are housed.
• Use a reliable monitoring vendor and ensure contact information remains current.
• Develop a policy that addresses response to alarms.
• Install panic alarms at public reception areas where employees can initiate emergency procedures when suspicious persons approach and request access.

3. Fire Alarm:
• Ensure adequate addressable fire alarm coverage. The local fire department can help with determining what is needed for your facility.
• Develop a policy that addresses response to alarms.

4. CCTV System:
Camera coverage should be considered for critical areas (such as areas with children, the business office, the clergy’s office, etc.) and access points. They can also be focused around items that are most likely to be stolen. For places of worship with little capital to spend, a camera with audio that can be monitored from a cell phone may be purchased for about $250 - $2500.

• A camera system can also serve as an alarm system by using video analytics and integrating with access control systems.
• Cameras should capture every door and point of entry. Additionally, cameras should be in the infant care rooms, daycare rooms, and areas where children play/eat/etc.
• If cameras are installed in daycare centers, inform parents and caretakers that you will be storing digital recordings of their children.
• Always install the latest patches and updates when prompted. This mitigates many attack tools that rely on known vulnerabilities in outdated software. Set your computer to auto-install updates.

Considering that places of worship are often targets of attacks, crime, and other losses, it is our belief that by auditing CCTV video footage as a standard operating procedure, and displaying new, prominent signage that states ‘WE CHECK CCTV EVERYDAY', far more benefits will accrue to them.

5. Doors:
• Ideally doors should be wood or steel with a solid frame.
• Hinge pins should be located on the interior of door, or capped, if on the outside to prevent easy removal.

6. Windows:
• Ensure that windows are secured prior to closing and latches are in working order.
• If windows are opened for air circulation, only open windows that are monitored and/or located where people cannot climb through.

Exterior Security
Exterior security controls encourage us to think about how best to secure the perimeter of the church, parking lots, playground areas, and mass drop-off areas. Research indicates that most violent crimes at faith-based organizations, more than 70% of the acts, occurred outside the building on ministry grounds or in parking lots.
• Consider enhancing perimeter security by adding a decorative fence, whether aluminium, board, stone, brick and/or multiple combinations thereof.
• Secure points of entry when no events are taking place. If your facility has back entrances and parking lots, these should be locked off.
• Remove potential fire hazards, such as trash and debris. Keep dumpsters in a locked dumpster pad.
• Consider vehicle barriers and/or bollards for vulnerable entries, special events, or in case of a terrorist threat when stand-off distance from vehicles is required. Barriers can be as simple as strategic parking of staff vehicles or as complex as permanent, built-in-place barriers.
• Identify exterior hiding places, equipment vulnerabilities, utilities entries/shutoffs, fire department connections and hydrants. Check them for signs of activity before any event.
• Lights should be placed on all doors and windows. Motion detector lights should be considered for doors and windows. Ensure all lights are in working order.
• Lights should be on from dusk to dawn. Consider lights with solar panels as this may reduce the cost of the energy.
• Larger facilities may need an officer to direct traffic. This will ensure timely entry and parking. The officer(s) can patrol the parking lots during the services. This task can also be completed by members of your “security team.” Outfit them in high-visibility vests and radios.
• Camera coverage is recommended for the exterior of the facility. Every area from the entrances to the parking lots should be covered. Some cameras only record when motion is detected, others record 24-7. Cameras can be monitored from the inside by your security team members and remotely on hand-held devices as needed or based upon analytics.
• "Cameras never lie." But how will a user ever know, unless he 'sees' what the camera 'saw'? Audit your own CCTV video footage as a standard operating procedure to achieve optimal benefits from CCTV video, which include (a) crime, fraud and loss prevention, (b) faster solving of crime, (c) risk mitigation, (d) compliance and continuous improvement, and so on.
• Appoint a “security leader” to oversee the development and implementation of the security plan. Schedule regular meetings to review procedures and incidents.
• Develop a “Welcoming Committee” of individuals and/or ushers who are trained in security detection and emergency responses.
• Conduct evacuation drills with staff and volunteers. Attend firearms training if your committee recommends that individuals are armed during services and special events.

"Considering that places of Worship are often targets of attacks, crime, and other losses, 'COM-SUR', the world's only CCTV video footage auditing, smart backup, and standardized intelligent reporting software is available for free to all places of Worship world-over, as part of our corporate social responsibility.

Places of Worship will need to take care of the hardware, installation, training, and so on; which can easily be carried out by their system integrators, who will need to be approved and trained by us. Besides a registration and training fee, a small consulting and administration fee will be charged by COM-SUR from the system integrator".

Resources:
Crime Prevention for Houses of Worship, 2nd edition, by Paula L. Ratliff. Published by AISIS International, 2015.
https://www.ifsec.events/india/visit/news-and-updates/com-sur-will-be-integrated-ai-ml-technologies-offer-holistic-solutions
https://timesofindia.indiatimes.com/city/agra/kasganj-cctv-cameras-to-be-set-up-at-worship-places-in-sensitive-areas/articleshow/62823320.cms
https://www.newindianexpress.com/cities/bengaluru/2019/apr/26/police-top-brass-meets-heads-of-places-of-worship-malls-1969148.html
https://defendry.com/4-ways-to-improve-security-at-your-place-of-worship/