Learning to Leverage Biometrics in Access Control Environments

The biometrics ecosystem is evolving at a rapid pace and providing incredible benefits to enterprises that adopt the technology, especially when these now-commonplace features are applied for cybersecurity.

Although people are already familiar with using a thumbprint or facial recognition to unlock their mobile device or complete an online purchase with it, the real power of biometrics extends far beyond these simple features and experiences.

As massive data breaches spilling millions of user passwords and shared secrets become a familiar part of our everyday lives, so does the reality of malicious hackers leveraging these credentials to cause widespread damage. Due to the sheer number of compromised user credentials available from these spills, identity theft is at an all-time high, potential GDPR fines loom over many organizations, and there is an atmosphere of distrust.

This is where biometrics can provide an answer, because the features we rely on for convenience can also have a groundbreaking impact on security and privacy, provided that we follow one hard and fast rule: biometrics are combined with public-key cryptography.

In order to properly leverage biometrics, however, IT and security teams should first understand the key elements that make it such a powerful tool to combat today’s ever-evolving threat landscape, and how to begin implementing it without requiring a complete overhaul of security infrastructure.

The Biometrics Ecosystem

One of the most powerful aspects of the biometrics ecosystem as it relates to cybersecurity is that it replaces the shared “something you know” factor of user authentication with the difficult to reproduce “something you are” factor. Whereas passwords and shared secrets can be stolen and duplicated, every person’s biometrics are completely unique.

In turn, the devices that match biometrics to their enrolled templates have grown in sophistication and are already in our hands. The vast majority of sensors on modern mobile devices have a 1/50,000 minimum false acceptance rate (FAR), which makes it extremely difficult to mimic a biometric template.

Pairing these sensors with standards-based authentication, such as the Fast IDentity Online (FIDO) protocols that eliminate shared secrets, creates significant friction for the bad actors who weaponize credentials for fraud through account takeover. It also disrupts a hacker’s attack vector (and thus their economic model), as they can no longer focus on huge server stockpiles of user credentials and must instead go to individual devices to attempt to obtain a single user’s credentials.

This shift makes it virtually impossible to have the mass credential breaches like the ones we are experiencing on an almost daily basis today.
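
The idea described above, as an added Node.js sketch that is not part of the original article: the server stores only a public key per user, and the device signs a fresh challenge after a local biometric match. This is a simplified challenge-response, not the actual FIDO/WebAuthn message format; the class names, the user name and the origin URL are hypothetical.

```javascript
// Added illustration: simplified public-key challenge-response.
// Not the real FIDO/WebAuthn message format; names and origin are hypothetical.
const nodeCrypto = require('node:crypto');

// Binds the signature to one site and one challenge.
const payload = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

// Device side: the private key stays on the device. A local biometric match
// (simulated by a boolean here) only unlocks use of that key.
class Authenticator {
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = pair.privateKey;
    this.publicKeyPem = pair.publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge, biometricMatched) {
    if (!biometricMatched) return null; // no match, no signature
    return nodeCrypto.sign('sha256', payload(origin, challenge), this.privateKey);
  }
}

// Server side: holds public keys only, so a database dump yields nothing reusable.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> PEM public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // challenges are single use
    if (!challenge || !pem || !signature) return false;
    return nodeCrypto.verify('sha256', payload(this.origin, challenge), pem, signature);
  }
}

function demo() {
  const rp = new RelyingParty('https://portal.example');
  const device = new Authenticator();
  rp.register('alice', device.publicKeyPem);
  const sig = device.sign(rp.origin, rp.issueChallenge('alice'), true);
  const login = rp.verify('alice', sig);
  const replay = rp.verify('alice', sig);          // challenge already consumed
  rp.issueChallenge('alice');
  const stale = rp.verify('alice', sig);           // signed a different challenge
  const fresh = rp.issueChallenge('alice');
  const noMatch = rp.verify('alice', device.sign(rp.origin, fresh, false));
  const storedSecrets = [...rp.publicKeys.values()].filter(p => p.includes('PRIVATE KEY'));
  return { login, replay, stale, noMatch, storedSecrets: storedSecrets.length };
}
```

The biometric template and the private key never reach the server in this model; a captured signature is useless once its challenge has been consumed.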

Select a Use Case and a Secure Model

When launching a biometrics strategy, IT and security teams should look for areas where biometrics can have the greatest effect while creating the least amount of friction, and begin deploying the capabilities there. Oftentimes this is with internal facing applications that don’t directly impact customers. Or, they can take the route of securing consumer-facing apps since biometrics are so popular with their users and consumer devices with advanced capabilities are readily available.

Even the most forward-thinking organizations can balk at biometrics when they think it requires an unmanageable set of changes, such as the addition of special hardware, gutting of associated solutions or the taking on of unacceptable kinds of risk such as custodianship of biometrics.

However, the best way to implement biometrics into the security framework is through a deliberate and gradual process using a solution that is built upon mobile-centric FIDO standards. FIDO-based solutions are built to play nicely with security products already in place, and the strength of the standard ensures that users — not the enterprise — are the stewards of biometrics.

Make User Experience A Top Priority

Finally, despite all of the security benefits the biometrics ecosystem provides, if the user experience is clunky it will be difficult for users to adopt. The good news is that providing an easy-to-use, uniform experience for biometrics is rather simple due to the sophistication of today’s mobile devices. Every employee already has a company or personal smartphone and experience using biometrics to unlock the phone or make a payment.

The biometrics ecosystem provides an incredible opportunity to create a more secure online world while building upon the experience smartphones have proven to deliver to their users. Enterprises that want to roll out biometrics-based services today are poised to fully capitalize on it.

Thanks to the sophistication and ubiquity of the devices, and to the availability of solutions built upon open standards-based decentralized architectures, migrating to a true password-less state is within reach. Once it’s deployed — even on a limited basis — my guess is that the enterprise will begin to see other areas for implementation across the enterprise.

 

Security Technology of South Texas is an authorized integrator for many surveillance and access control manufacturers and has designed systems with this kind of functionality. Biometrics is particularly useful in enterprise scale operations, various campuses, as well as car dealerships or any other large property where tight security is necessary.

Please contact us at admin@gostst.com, on our website,
or via phone at 210-446-4863, 24/7.

Fully Integrated Security and Access Control with Alarm.com


Alarm.com is an all-inclusive business security and access control service that we offer our clients for easy access and constant updates from their work sites and businesses. The technology is specifically engineered for small and medium size business owners, and combines intelligent intrusion detection, video surveillance, access control and energy management into one cost-effective solution which is accessible from any computer, phone or other smart device.

Their all-encompassing “Smarter Business Security” solution allows the site manager to know if someone accessed a room after hours, distinguish false alarms from real ones, and receive real-time notifications. It also features remote control and auto arming, allowing you to know what is happening at your business or work site and that it is secure regardless of your location. The integrated smart thermostat eliminates waste from heating and cooling when nobody is present and helps save automatically if management forgets to turn off the AC or heating during closing hours.

Not only will Alarm.com integrate with your on-site cameras, it is also a fully fledged access management solution. From a small team of just 5 to up to hundreds of employees, this technology allows management of multiple access plans centrally, with the ability to remotely lock or unlock doors and monitor activity at multiple sites if necessary. This solution integrates with industry leading hardware manufacturers, making it easy to step up access control measures without the need to replace locks and card readers already installed. This helps keep costs down, as much of the price of new access control solutions is driven by the installation of new on-site hardware, costing many thousands.

The Alarm.com solution for businesses is fully supported by their professional local Service Providers to ensure dependable and up-to-date service. This seamlessly integrated suite of business solutions will include intrusion, video, and energy management all through a single app, consolidating power into your hands and eliminating the need for a monitoring service.

Furthermore, using data generated from the app, business owners can garner valuable insights into activity trends, allowing them to make smarter decisions with respect to staffing, promotions, and energy use. The app generates simple and easy to understand reports which show activity patterns across entire work sites and business operations, helping to point out any unexpected changes.

For example, visualized trends include open/close trends for each location and allow you to identify peak periods of activity and customer traffic. Previously unknown activity can be uncovered, such as unexpected after-hours entry by employees or intruders. Any doors left propped open can also be detected, eliminating energy waste and helping to mitigate security concerns. A historic timestamp of which users armed and disarmed the system is also kept for later review if necessary. Both single-site and multi-site reports can be generated on either a daily, weekly, or monthly schedule.

Security Technology of South Texas is happy to offer custom access control and surveillance solutions to the business security market, designed either turn-key and from the ground up, or integrated into an already existing series of cameras and access control structures.


Protection and Integration of Legacy Access Control Systems

When you install the infrastructure to support an enterprise grade access control system, the expectation is that it will last and be operable for a long time. Over time, physical access control has merged increasingly with networking services, which leaves these systems vulnerable to threats associated with always-on network connections that they did not have to contend with in the past. This leaves us entering the 2020s with many legacy systems having multiple exposed attack surfaces and new potential risks as IoT integration moves forward and clients expect full availability and connectivity on their smart devices.

One method which we have placed great emphasis on is Avigilon’s “Blue” Platform, a nearly “Plug-and-Play” device that allows takeover and integration of IP devices into older systems while still maintaining the integrity and operation of the existing infrastructure. The specifics of “Blue” have been discussed in depth in previous articles.

It is critical that integrators installing upgrades to existing access control systems ensure that all software and drivers are up to date so that known exploits are covered. The more IP devices there are, the more potential points of attack exist to disable the physical infrastructure of an access control system. This is why it is so important that the client keep up with manufacturer patches and updates as soon as they are released, as attackers will be aware of exploits, in many cases, before patches come out as a solution.

Another solution STST offers is Frontsteps access control technology. A key aspect of the Frontsteps solution is “Mobile Patrol”. The fully mobile application allows security admins instant access “to patrol status updates and critical information, like incident reports and messaging.” (Frontsteps.com) Guards can give live updates in just seconds and share information for different checkpoints along a given patrol route. GPS geotagging assists in this process. This vastly improves the productivity and accountability of security staff, as they must check in to their patrol checkpoints.

Security Moves Further into the Cloud

It is certainly no secret that cybersecurity is ever increasingly a focal point for security professionals. It is now no longer on the periphery and is of serious concern in the video surveillance market. Because of this blurring of the lines between hardware and the digital realm (cloud), a competent security integrator needs to have a team that understands the interplay between the two and can make the best design decisions possible.

Hackers have known for quite some time that video surveillance cameras are some of the easiest to breach pieces of internet connected tech out there. Indeed, there are entire websites devoted to indexing the IPs of unsecured cameras and access control systems around the world. People are going online, without any technical skill, and doing things like turning the lights on and off in stadiums and spying on people through the camera they have placed in their living room.

But many security integrators and dealers lag behind in this area. Although manufacturers can be relied on to a point, having at least one member of the team with the know-how to encrypt drives and understand authentication applications is a must. For example, two-factor authentication, now coming standard on some servers, uses “two PIN codes added to [a] Windows Server login — one as a primary password, the other a randomized PIN generated by [a] paired smartphone app, giving integrators an added layer of security”. (www.sdmmag.com)

Being able to link a system to a two-step authentication through a specific cell number is a pretty strong defense against hackers, who traditionally access these systems through manufacturer back doors, “zero-day” exploits, or simply by using “packet sniffing” programs to watch your traffic and pull the IP and MAC address on your devices.

Over the last decade, cloud computing and storage have rapidly changed the way businesses of all kinds operate. Modern enterprises that wish to stay competitive turn increasingly to a hybrid IT environment, which allows them to leverage the advantages of cloud based solutions alongside whatever physical hardware they maintain on-site. Cloud infrastructure is highly scalable, but on-site systems may be more directly controllable or may feature proprietary/in-house software. The promise of reducing operating costs and gaining a competitive advantage is attractive to any company, but in order to pull it off, specific security challenges must be overcome or accounted for.

Hybridizing an already complicated IT environment can have the effect of rapidly increasing the complexity of systems. Depending upon which services are owned and managed by that business and which are provided via “Cloud Service Providers” or CSPs, the enterprise must regulate and integrate multiple applications and systems, a process which may require multiple different skill sets. This all creates a lot of moving pieces, which can make it difficult to maintain visibility of all the existing data.

Data breaches at the highest levels make headlines daily and have done so for the last several years. Major compromises include Sony, with a possible hack coming from North Korea; Verizon, where as many as 14 million customer records were exposed due to server mismanagement; and Equifax and many others, which lost critical information such as customers’ bank information and social security numbers.

Securing all this data is a complicated task, but probably the most common mistake requires no special skills to address. Overlooking the basic integrated security controls is surprisingly common and a simple misconfiguration at this level can compromise an entire operation and leave its data completely exposed and liable to experience theft and/or unwanted modification or hacking. As we all know, something as small as this can expose customers, employees, and the critically important private data of companies to calamitous outcomes. Following are some key considerations in avoiding cloud misconfigurations and steps to keep safe a typical hybridized IT environment.

Studies (Redlock) have shown that over half of companies using cloud storage, in this case 53%, will admit to accidentally exposing customer data due to mismanagement or to deliberately circumventing certain built-in security features. Hackers know this, and as more and more organizations make the move to the cloud, attackers will increasingly pursue this “low hanging fruit” of security risks. Security misconfigurations are among the most common ways attackers gain control and leverage within a network. Because those creating services such as Amazon S3 cloud storage seek to make their interfaces as flexible as possible, this sometimes has the inadvertent effect of exposing cloud environments and contained data (aka “buckets”). These buckets can be accessed simply through a URL so long as the user has the appropriate permissions.
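
One way to catch this kind of misconfiguration before it ships, as an added Node.js example that is not from the original article: a check that reads an S3 bucket policy document and flags every statement granting access to everyone. The sample policy is constructed, and the bucket name, account ID and address range are placeholders.

```javascript
// Added example: flag S3 bucket-policy statements that grant access to everyone.
// Sample policy is constructed; bucket name, account ID and CIDR are placeholders.
const asArray = v => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// "Principal": "*" and "Principal": {"AWS": "*"} both mean "anyone".
function isAnyone(principal) {
  if (principal === '*') return true;
  return !!principal && typeof principal === 'object' && asArray(principal.AWS).includes('*');
}

function auditBucketPolicy(policyJson) {
  const findings = [];
  asArray(JSON.parse(policyJson).Statement).forEach((st, i) => {
    if (st.Effect !== 'Allow' || !isAnyone(st.Principal)) return;
    const actions = asArray(st.Action);
    const canWrite = actions.some(a => a === '*' || a === 's3:*' || /^s3:(Put|Delete)/.test(a));
    findings.push({
      sid: st.Sid || `statement[${i}]`,
      // A Condition may narrow the grant (source IP, VPC endpoint), so a human must read it.
      severity: st.Condition ? 'review' : canWrite ? 'critical' : 'high',
      actions,
      resources: asArray(st.Resource),
    });
  });
  return findings;
}

const SAMPLE_POLICY = JSON.stringify({
  Version: '2012-10-17',
  Statement: [
    { Sid: 'PublicRead', Effect: 'Allow', Principal: '*',
      Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-bucket/*' },
    { Sid: 'PublicWrite', Effect: 'Allow', Principal: { AWS: '*' },
      Action: ['s3:PutObject', 's3:GetObject'], Resource: 'arn:aws:s3:::example-bucket/*' },
    { Sid: 'OfficeOnly', Effect: 'Allow', Principal: '*', Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::example-bucket/*',
      Condition: { IpAddress: { 'aws:SourceIp': '203.0.113.0/24' } } },
    { Sid: 'OneAccount', Effect: 'Allow',
      Principal: { AWS: 'arn:aws:iam::111122223333:root' },
      Action: 's3:*', Resource: 'arn:aws:s3:::example-bucket/*' },
  ],
});
```

Calling `auditBucketPolicy(SAMPLE_POLICY)` reports the first three statements and leaves the account-scoped one alone. The check covers bucket policies only; object ACLs and account-level public access settings need their own review.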

Misconfigurations can occur at any level of your application stack, “the platform, web server, database, framework” (Security Today Magazine), or in the custom code itself. It is also common for attackers to target and take advantage of any poorly configured devices that may be connected to the network. Use of default passwords and/or otherwise not configuring devices accessing the Wi-Fi can lead to an attacker exploiting a system, which will allow them to immediately begin making changes and exfiltrating data.

The reality is that most of these problems come down to human error and ignorance. A common misconception is that the providers of these cloud solutions provide security themselves. This is simply not true. It is always up to you to check what security they do provide and to account for that when you implement your own security. Very rarely or never will the defaults of the cloud service be sufficient. And so however network environments evolve, the “foundational tenets” will remain. “Maintain visibility of your attack surface and continue to monitor it” at all levels. (Security Today Magazine) Apply security protocols to the cloud environment in the same manner you would for your traditional environment. And of course, make sure to secure all the loose ends and back doors, ensuring proper configuration throughout your network.

The prevailing opinion online seems to be that those dealers/integrators who do not keep up with this virtual counterpart to the physical systems they install will risk putting in systems that could be compromised and even lost to hackers. As the IoT expands and proliferates there will be many more individual possible weak points to conduct a security breach against in a network. STST makes use of a wide array of IoT-like devices already, as do many other companies and industries. Mobile connections can be used as backups for hard-wired connections in security solutions but are more critical when a system needs to include 24/7 personal video and control access to a user or users wherever they are. The security industry in general is likely to become increasingly centered around the usefulness and convenience of mobile communication tech, as many of us certainly seem to be already with our personal and social lives.

Security Technology of South Texas is happy to offer custom access control and surveillance solutions with video analytics to the greater South Texas area, designed either turn-key and from the ground up, or integrated into an already existing series of cameras.
