Physical security has come a long way since the advent of the lock and key. But for all of its changes, the greatest aspect of the evolution of physical security is how it has begun to mesh with our digital world.
"What we're seeing is the merging of electronic and physical spaces," says Chris Nickerson, founder and chief consultant at Lares Consulting. "We've gone away from straight physical security to working with the social and electronic sides to make sure that a person is who they say they are."
But with evolution comes a fresh set of risks and vulnerabilities, only some of which we've learned to ameliorate. In order to make physical security work for us, we need to fully understand the new technologies that we're incorporating into it. "We've made big advancements, but we've been adopting them without learning them, so we've exposed ourselves in a way that we haven't before in physical security," says Nickerson. "Risk is understanding what you're doing, not how. If you know what you're using and you use it well, then there's no risk."
What follows, then, are eight of the most significant developments that have occurred over time in the field of physical security, and how some of them still stand to be advanced.
1. RFID Badges
Most buildings these days incorporate RFID badges in some capacity. The badges, which contain two crucial pieces of information the site code and the individual badge ID allow employees to swipe their card in close proximity to a scanner in order to gain access to certain areas. "They're good for logging who's going in and what time," says Nickerson. "RFID has its vulnerabilities, but it's still better than actual keys, where you can get a hold of a master key."
Indeed, RFID badges are rife with security flaws. They are easily cloned, for example, and brute force attacks can be used to take advantage of the fact that badge ID numbers are typically incremental (though the other aspect of the badge, the site code, is more of a secret). "Most web app are smart enough to lock you out [after multiple failed attempt]," says Nickerson. "But RFID? You can brute force it all day long. Most systems don't even alert you if someone's tried a million times."
Also, some companies take their RFID systems and move it to external cloud providers. All an attacker has to do is hack the provider's website and suddenly they have access to all of the buildings that use that cloud service. "These are standard electronic access systems that, by having some sort of centralized servers, can talk to all the readers," says Nickerson. "Within a couple of hours, you can find all sorts of ways to open the doors."
Sign up for Computerworld eNewsletters.