Physical Security In The Age Of Digital: Access Control System Vulnerabilities


The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Access control systems are the physical form of the layered data, credential and identity controls that underpin the systems relied on every day. Yet they can be an afterthought; even high-profile breaches of physical security systems can take years to rectify. Security Week highlighted the vulnerabilities affecting Nice Linear, a widely used proprietary system in the world of smart homes, with over 2,500 individual vulnerabilities flagged in 2019 alone.

What this shows is that, in an age of vigilance about digitally stored data and privacy, the interface between physical and digital security can be neglected. Access control system managers need to recognise this and take a proactive approach to security assurance. Starting at the most basic level, the physical devices themselves, is a sensible route forward.

Quality physical credentials

At the external interface of any access control system sits the physical credential that lets the user into the system. This seems simple in operation, but keeping physical access systems to a good standard is a struggle that continues to consume security professionals' time. Take skimming, an obvious, everyday instance of physical devices being misused to reach digital systems. According to the FBI, the scale of the skimming problem is huge, with over $1 billion lost every year.

Consider the basics of physical access to a system: a device such as a wearable or RFID card. Banks upgrade their cards regularly, and access control managers should do the same. Choosing the right base product for devices and cards, and investing from the outset in credentials with effective security features, makes cloning far harder and gives real confidence in the access token. The feature that matters most is whether the credential merely emits a static identifier, which any reader in range can record and replay, or proves possession of a secret key in a challenge-response exchange with the reader; only the latter resists cloning by simple copying.
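The difference between a static-identifier credential and a keyed one is easiest to see in a simulation. The following is an added example written for this article, not code from the original post or from any credential vendor. It models both credential types against an attacker who sniffed a single reader-to-card exchange and replays it. The card number, the shared secret, the 16-byte challenge and the HMAC-SHA256 response format are all constructed for the example; real keyed credentials use their own authentication protocols, but the principle shown here (a fresh per-transaction challenge defeats replay) is the same.

```python
import hashlib
import hmac
import os

# Constructed for this example: a 5-byte card number shared by both card models,
# and the secret provisioned into the keyed credential and its reader.
CARD_ID = bytes.fromhex("00000b7a3a")
KEYED_CREDENTIAL_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


class StaticIdCard:
    """Models a legacy proximity card: it emits the same identifier every time."""
    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, challenge: bytes) -> bytes:
        return self.card_id  # challenge is ignored; nothing secret is involved


class KeyedCard:
    """Models a credential that proves possession of a key via challenge-response."""
    def __init__(self, card_id: bytes, secret: bytes):
        self.card_id = card_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        tag = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return self.card_id + tag


class ReplayingCloner:
    """An attacker who captured one reader<->card exchange and plays it back verbatim."""
    def __init__(self, captured_response: bytes):
        self.captured = captured_response

    def respond(self, challenge: bytes) -> bytes:
        return self.captured


def static_reader_accepts(card, enrolled_ids: set) -> bool:
    """A static-ID reader grants access to anything that emits an enrolled number."""
    return card.respond(b"") in enrolled_ids


def keyed_reader_accepts(card, enrolled: dict) -> bool:
    """A keyed reader issues a fresh random challenge and checks the keyed response."""
    challenge = os.urandom(16)                 # new for every transaction
    response = card.respond(challenge)
    card_id, tag = response[:len(CARD_ID)], response[len(CARD_ID):]
    secret = enrolled.get(card_id)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def run_scenarios() -> dict:
    """Legitimate card versus replayed capture, for each credential type."""
    enrolled_static = {CARD_ID}
    enrolled_keyed = {CARD_ID: KEYED_CREDENTIAL_SECRET}

    # The attacker records one exchange of each kind (the keyed one for some old challenge).
    static_capture = StaticIdCard(CARD_ID).respond(b"")
    keyed_capture = KeyedCard(CARD_ID, KEYED_CREDENTIAL_SECRET).respond(os.urandom(16))

    return {
        "static_legit": static_reader_accepts(StaticIdCard(CARD_ID), enrolled_static),
        "static_clone": static_reader_accepts(ReplayingCloner(static_capture), enrolled_static),
        "keyed_legit": keyed_reader_accepts(KeyedCard(CARD_ID, KEYED_CREDENTIAL_SECRET), enrolled_keyed),
        "keyed_clone": keyed_reader_accepts(ReplayingCloner(keyed_capture), enrolled_keyed),
    }


if __name__ == "__main__":
    for scenario, granted in run_scenarios().items():
        print(f"{scenario}: {'access granted' if granted else 'access denied'}")
```

The static card's replay succeeds because the reader has no way to distinguish the card from a recording of it; the keyed replay fails because the recorded tag was computed over a challenge the reader will never issue again. Note that the keyed design only helps if the secret actually stays on the card, so key diversification and key management are part of "investing in the right product", not an afterthought.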

Moving into data

Access devices increasingly use second-layer authentication methods to add further assurance. These are effective, but security professionals across the discipline know that more systems mean more opportunities for exploits. A recent Hacker News article laid this risk bare: one security provider focusing on biometrics was found to have 24 different vulnerabilities, which analysts described as "alarmingly diverse".

Moving into complex datasets, such as those holding biometrics, requires a greater level of assurance again if control systems are to remain effective. According to Hacker News, the key is in siloing the data. Each new security system should not merely be embedded in the old, but given its own network segment and its own set of credentials. Rather than biometrics being used simply to open the door, as RFID cards or numeric PINs do, they should form an additional, isolated system that communicates with the other layers of security only through defined channels.
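Segmentation of this kind is only as good as the enforcement of it, and the quickest way to find out whether it holds is to check observed flows against the intended policy. The following is an added example for this article, not code from the original post or from any vendor. It encodes a constructed segmentation policy (four segments, three permitted flows, everything else denied) and evaluates constructed flow-log lines against it, flagging anything that crosses a segment boundary the policy does not allow. The segment addresses, ports and log format are assumptions for the example; the separate-credentials requirement in the text is not modelled here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed segments: each access-control subsystem gets its own network.
SEGMENTS = {
    "door_controllers":   ipaddress.ip_network("10.10.1.0/24"),
    "biometric_verifier": ipaddress.ip_network("10.10.2.0/24"),
    "acs_management":     ipaddress.ip_network("10.10.3.0/24"),
    "corporate_lan":      ipaddress.ip_network("10.20.0.0/16"),
}

# Permitted flows as (source segment, destination segment, destination port, protocol).
# Anything not listed is denied: the biometric verifier answers only the door
# controllers on one service port, and only the management segment may administer it.
# Direction matters: a controller initiating towards management is not allowed.
ALLOWED_FLOWS = {
    ("door_controllers", "biometric_verifier", 8443, "tcp"),
    ("acs_management",   "biometric_verifier", 22,   "tcp"),
    ("acs_management",   "door_controllers",   443,  "tcp"),
}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str) -> str:
    """Map an address to its segment name; anything unaccounted for is 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format: 'src=A dst=B dport=N proto=P'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def evaluate(line: str) -> tuple:
    """Return ('allow' | 'deny', human-readable description) for one flow-log line."""
    f = parse_flow(line)
    key = (segment_of(f.src), segment_of(f.dst), f.dport, f.proto)
    verdict = "allow" if key in ALLOWED_FLOWS else "deny"
    return verdict, f"{key[0]} -> {key[1]}:{f.dport}/{f.proto} ({f.src} -> {f.dst})"


def violations(lines) -> list:
    """All flows that the segmentation policy does not permit."""
    return [desc for line in lines for verdict, desc in [evaluate(line)] if verdict == "deny"]


# Constructed sample flow records, one per line.
SAMPLE_FLOWS = [
    "src=10.10.1.5 dst=10.10.2.10 dport=8443 proto=tcp",   # controller asks verifier: allowed
    "src=10.20.4.17 dst=10.10.2.10 dport=22 proto=tcp",    # corporate laptop SSH to verifier: denied
    "src=10.10.2.10 dst=10.20.9.3 dport=445 proto=tcp",    # verifier reaching into corporate LAN: denied
    "src=10.10.3.2 dst=10.10.2.10 dport=22 proto=tcp",     # management SSH to verifier: allowed
    "src=10.10.1.5 dst=10.10.3.2 dport=443 proto=tcp",     # controller initiating to management: denied
]


if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("VIOLATION:", v)
```

The third sample line is the one worth watching for: a biometric server that starts initiating connections into the corporate LAN is behaving unlike anything in its job description, and an allow-list policy surfaces that immediately, whereas a policy that only blocks inbound traffic to the verifier would not.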

Tackling the AI challenge

Artificial intelligence (AI) could be a transformative technology for access control systems. There is potential to deploy it for physical security assurance, whether through better facial recognition, biometric identification, or simply more robust defence of older-style credentials. According to Access Professionals, AI could, in theory, entirely automate access control, providing fine-grained control over who has access where and what credentials they require.

However, just as AI brings benefits, it also brings risks. In a review of the types of AI attack that analysts are starting to identify, AquaSec noted two of particular relevance to access control managers: poisoning and abuse. In both, malicious actors feed intentionally misleading data to a system in order to corrupt the model underpinning it, leading to erroneous results. Attacks of this kind are necessarily slow-burn, and because the system is automated they can take a long time for analysts to notice. While not yet a pressing problem in access control systems, this is a threat to all machine-learning-led tools.
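Poisoning is easiest to understand against a concrete target, and a self-updating biometric template is a natural one: many biometric systems refresh a user's stored template from accepted samples so it tracks ageing and lighting changes, and that is exactly the feedback loop an attacker can exploit. The following is an added example for this article, not code from the original post or from AquaSec. It uses a constructed toy model (a template is a 2-D feature vector; a probe matches when it is within a distance threshold) and shows an attacker who never matches outright, but submits probes just inside the threshold, aimed at their own features, so that each accepted probe drags the template a little closer to them. The example goes beyond the text by also showing two defences: tightening the update threshold, which only slows the drift, and anchoring the template to the enrolment record, which stops it. All constants are assumptions chosen for the illustration.

```python
import math

# Constructed toy biometric model: a probe matches when its Euclidean distance
# from the stored template is <= MATCH_THRESHOLD.
MATCH_THRESHOLD = 1.0
UPDATE_RATE = 0.2             # how far the stored template moves toward an accepted probe
TIGHT_UPDATE_THRESHOLD = 0.5  # defence A: only close ("confident") matches update the template
MAX_DRIFT = 0.5               # defence B: template may never stray this far from enrolment

ENROLLED_TEMPLATE = (0.0, 0.0)  # genuine user's enrolment features (constructed)
ATTACKER_FEATURES = (6.0, 0.0)  # attacker's real features: a clear non-match at enrolment


def dist(a, b) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def matches(probe, template) -> bool:
    return dist(probe, template) <= MATCH_THRESHOLD


def naive_update(template, probe, anchor):
    """Unbounded self-update: every accepted probe pulls the template toward itself."""
    return tuple(t + UPDATE_RATE * (p - t) for t, p in zip(template, probe))


def tight_update(template, probe, anchor):
    """Defence A: only probes that match closely may update. Slows poisoning, does not stop it."""
    if dist(probe, template) > TIGHT_UPDATE_THRESHOLD:
        return template
    return naive_update(template, probe, anchor)


def anchored_update(template, probe, anchor):
    """Defence B: reject any update that would move the template beyond MAX_DRIFT from enrolment."""
    candidate = naive_update(template, probe, anchor)
    return candidate if dist(candidate, anchor) <= MAX_DRIFT else template


def craft_probe(template, target, radius):
    """Attacker's move: a probe exactly `radius` from the current template, aimed at `target`."""
    d = dist(target, template)
    if d <= radius:
        return target
    return tuple(t + radius * (g - t) / d for t, g in zip(template, target))


def steps_until_attacker_accepted(update_policy, probe_radius, max_steps=500):
    """Number of poisoned probes until the attacker's real features match, or None if never."""
    template = ENROLLED_TEMPLATE
    for step in range(max_steps):
        if matches(ATTACKER_FEATURES, template):
            return step
        probe = craft_probe(template, ATTACKER_FEATURES, probe_radius)
        if matches(probe, template):  # the door opens for the crafted probe...
            template = update_policy(template, probe, ENROLLED_TEMPLATE)  # ...and the template learns from it
    return None


def genuine_user_still_accepted(update_policy) -> bool:
    """Sanity check: a noisy but genuine probe still matches after one update under the policy."""
    noisy = (0.3, -0.2)
    template = update_policy(ENROLLED_TEMPLATE, noisy, ENROLLED_TEMPLATE)
    return matches(noisy, template)


def run() -> dict:
    # The attacker adapts the probe radius to whatever the update rule tolerates.
    return {
        "naive": steps_until_attacker_accepted(naive_update, probe_radius=0.95),
        "tight": steps_until_attacker_accepted(tight_update, probe_radius=0.45),
        "anchored": steps_until_attacker_accepted(anchored_update, probe_radius=0.95),
    }


if __name__ == "__main__":
    for policy, steps in run().items():
        print(f"{policy}: attacker accepted after {steps} probes" if steps is not None
              else f"{policy}: attacker never accepted")
```

Under the naive rule the attacker is accepted after 27 probes, none of which looked suspicious on its own; the tightened update rule roughly doubles that to 56, which is the "slow burn" in practice; only the anchored rule refuses to let the template wander beyond a fixed distance from what the user enrolled, and the genuine user is still accepted under it. The detection lesson is the same as for any poisoning attack: monitor the cumulative drift of the model from its known-good baseline, not just the individual inputs.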

As with all security matters, the key principle is vigilance. Attempts to breach physical controls can be as simple as a physical attack, but increasingly sophisticated tools are undermining the digital technology behind them. Being cognizant of the risk, and investing in carefully deployed measures, is crucial.
