Access Control Industry Best Practices
With a wide variety of reader technologies to choose from, it's important to ensure that the technology selected properly balances risk, cost, and convenience factors. Prox technology is a viable choice, especially for sites where there are existing Prox cards in use, but contactless smart cards represent the next generation Prox technology and offer all of the convenience of Prox along with increased security and additional benefits such as multiple applications, read/write and increased memory. However, when selecting a vendor's system, be aware that some manufacturers, in an attempt to sell “universal” readers capable of reading almost any contactless smart card, bypasses the security measures of contactless smart cards in order to achieve their goal. These readers, known as “CSN readers,” only read the card's serial number, which, as per ISO standards, are required to be able to be read by any reader for the express purposes of being able to read multiple cards presented to a reader at the same time. Furthermore, because the ISO specifications are publicly available, details of how this process works can be employed by unknown persons to gain unauthorized access.
Access control readers typically read a card and send the card data to another “upstream” device such as a panel, which decides whether to allow access. When this communication takes place using wires, the most popular method is the Wiegand Protocol because it's almost universally supported by all vendors. Although more modern protocols such as RS485 and TCP/IP offers more security, there is less interoperability between different manufacturers of readers and panels.
Protect the Wiring
Installing the security system's wiring in conduits makes it more difficult to compromise due to the difficulty of identifying the correct conduit. Additionally, bundling several wire runs together so that identifying the correct set of wires is more difficult is also desirable. Avoid the use of readers with built-in connectors that are easy to swap out with an unauthorized reader and connect wires in a permanent fashion by soldering.
Use Security Screws
Utilise security screws that require special tools to remove a reader. This makes the removal process longer and more difficult and increases the possibility that a malicious attack will be noticed.
Prevention of Tailgating
Program the access control host software to refuse access to a cardholder that is already inside the facility. This requires an “in” and an “out” reader at the door and prevents “tailgating,” - when an individual follows closely behind a user who has legitimately been given access.
Detection - The Second Line of Defense
Buy readers with a tamper detect mechanism that provides a signal when the reader has been removed. If the reader is controlling a sensitive location, monitor it by CCTV. Many readers also have the capability of sending “health” messages on a periodic basis to the upstream device which can also detect reader malfunctions. It's better to know when a reader is not working before somebody complains they can't get in.
For converged physical and logical access control systems, “geographic” monitoring is available. If a person has just entered a door in London, but is trying to log into a computer in Manchester, there's obviously a problem. A converged system can also prevent a person logging onto their computer if they hasn't used their card at a perimeter reader.
The use of card readers with built-in keypads means lost cards cannot be picked up and used to enter a facility. It also reduces the threat of card cloning. The use of biometric readers ensures that the person presenting the card is the same person it was issued to and should be used at doors that require higher levels of security.
Mind the Cards
To prevent use of illegitimate cards that may have been fraudulently obtained, old cards should be voided immediately and only issued cards should be valid; don't have pre-validated “spare” cards ready to hand out. Some access control systems can also generate a different message than “just denied” for cards that haven't been entered in the system. Any messages reported by the host access control system with wrong formats, wrong site codes, or out of range should be immediately investigated.
It's also advisable to use a card with a proprietary format or one that's exclusive to a particular site. Cards with these formats are more difficult to illegally obtain, as compared to the industry standard open 26-bit Wiegand format.
The utilization of as many of these best practices as feasible, with attention to appropriate levels of security, will result in a system that better fulfills its intended function with less possibility of being compromised.