A closer look at electronic security

One major aspect of electronic security is concerned with cyber safety –wherein there are so many facets to this aspect that probably a book could be written in listing the implications alone… cyber laws which never existed till the end of 20th century, today seem to be revised daily and increase in number.

Electronic securityis defined as :
‘Protection resulting from all measures designed to deny to unauthorized persons information of value which might be derived from the possession and study of electromagnetic radiations.’ This rapidly burgeoning field comprises several aspects of security e.g.

• electronic surveillance,
• electronic monitoring,
• electronic prognosis and
• electronic activation of concealed devices.

One major aspect of electronic security is concerned with cyber safety –wherein there are so many facets to this aspect that probably a book could be written in listing the implications alone… cyber laws which never existed till the end of 20th century, today seem to be revised daily and increase in number. Cyber security, or protection of personal computers, networks, entire organisations, even governments, is an elaborate field by itself. Hackers have added to the woes spectacularly, to an extent that ‘ethical hacking’ is taught at colleges and institutes, so as to keep a system safe and secure. This is an entire chapter of electronic security we are not going to discuss in this article. In the physical world, with increasing miniaturization, the sensors used today are available in hundreds of types, the controls can be microprocessor-based, PLC-based or PC-based, or connected to the internet for remote observation and rectification. All this depends upon the scale of operations desired, the investment being protected and the more complex needs with increasing sophistication. This article examines the fundamental concepts in electronic security, discusses the wide gamut of sensors and sensing devices available, right from simple capacitive inductive switches (metal detectors) or smoke detectors to movement detectors up to the far more sophisticated battery of CCD cameras and webcams installed in larger premises and connected to a central processing unit. There are a hundred allied topics out of which Biometrics, we shall discuss because it seems to have penetrated far and wide, to the extent even five star hotels are using electronic locks operated through the use of biometrics, as duplication is impossible, as of now.

Deadlymetal spikes atop a wall
(glass shards used in India are easy to destroy)

Fundamentals:
Security in today’s highly enhanced perception of insecurity, has a fuzzy range of meanings –right from the fear of theft and sabotage, up to the far more complex needs like keeping a tab on the very thought patterns of a suspect i.e. sophisticated surveillance in the West, can identify a potential threat long before it goes out of hand e.g. a terrorist behaving suspiciously, and overpowered long before s/he can actually plant or trigger a device The increasing fear for security in large plants e.g. oil refineries or petrochemical complexes are no less elaborate. The fearsome quote ‘ Big Brother Is Watching’ from the prophetic pen of George Orwell, is something like an everyday fact for those who work in such plants. Not only the human operators and staff are monitored, their emails, their cell phone conversations, sms messages, even body language are also monitored, whether they like it or not. We can no longer afford the slightest lapse on our part, to jeopardize not only thousands of lives, but millions of lives in the townships adjacent to these complexes. One lapse can mean disastrous calamities, usually manmade, and eminently preventable.

A magnetic key for a door-latch

Concepts : Physical security
is a fundamental concept around which electronic security revolves. Physical security describes measures that are designed to deny access to unauthorized personnel (including attackers or even accidental intruders) from physically accessing a building, facility, resource, or stored information; and guidance on how to design structures to resist potentially hostile acts. The other aspect, discussed later on is the Logical Security. Physical security can be as simple as a locked door or as elaborate as multiple layers of barriers, armed security guards and guardhouse placement.Good physical security uses the concept of defence in depth, in appropriate combinations to deter and delay intrusions (passive defence), and detect and respond to intrusions (active defence). Ultimately it should be too difficult, risky or costly to an attacker to even attempt an intrusion. However, strong security measures also come at a cost, and there can be no perfect security. It is up to a security designer to balance security features and a tolerable amount of personnel access against available resources, risks to assets to be protected and even aesthetics. There are also life-cycle sustaining costs to consider.
Physical security is not a modern phenomenon. Physical security exists in order to deter or prevent persons from entering a physical facility. Historical examples of physical security include city walls, moats, etc. The technology used for physical security has changed over time. While in past eras, there was no passive infrared (PIR) based technology, electronic access control systems, or video surveillance system (VSS) cameras, the essential methodology of physical security has not altered over time.[citation needed] Fundamentally, good physical security is a combination of defensive principles designed to:

• deter
• delay
• detect, and
• respond (and ultimately, deny access)

... to intrusions into critical physical spaces. The first two actions of deter and delay are considered passive defence, while the remaining are active in nature.
The field of security engineering has identified the following elements to physical security:
obstacles, to frustrate trivial attackers and delay serious ones; to include:

1. explosion protection;
2. detection systems, such as

• surveillance systems,
• alarms,
• security lighting,
• security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed; and
• security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other.
There are at least four layers of physical security:

1. Environmental design
2. Mechanical, electronic and procedural access control
3. Intrusion detection (with appropriate response procedures)
4. Personnel Identification (authentication)

There may be many choices to consider and there is no “best” solution that will satisfy a broad class of situations. Each situation is unique.

A visual sign as simple as this can be a deterrent….

Deterrence
The goal of physical security is to convince potential attackers that the likely costs of attack exceeds the value of making the attack, e.g. that consequences of a failed attack may well exceed the gain. The combination of layered security features establishes the presence of territoriality. The initial layer of security for a campus, building, office, or other physical space uses crime prevention through environmental design to deter threats. Some of the most common examples are also the most basic - warning signs, fences, vehicle barriers, vehicle height-restrictors, restricted access points, site lighting and trenches. However, even passive things like hedgerows may be sufficient in some circumstances.
An electronic access control.
The next layer is mechanical and includes gates, doors, and locks. Key control of the locks becomes a problem with large user populations and any user turnover. Keys quickly become unmanageable, often forcing the adoption of electronic access control. Electronic access control easily manages large user populations, controlling for user lifecycles times, dates, and individual access points. For example a user’s access rights could allow access from 0700hours to 1900hours Monday through Friday and expires in 90 days. Another form of access control (procedural) includes the use of policies, processes and procedures to manage the ingress into the restricted area. An example of this is the deployment of security personnel conducting checks for authorized entry at predetermined points of entry. This form of access control is usually supplemented by the earlier forms of access control (i.e. mechanical and electronic access control), or simple devices such as physical passes. An additional sub-layer of mechanical/electronic access control protection is reached by integrating a key management system to manage the possession and usage of mechanical keys to locks or property within a building or campus.

This “electronic nose” chip contains an array
of 16 different sensor devices that identify
gases through pattern recognition. This
technology could be used to deter terrorism,
to monitor pollution, and to measure air
quality and safety

Detection
The third layer is intrusion detection systems or alarms. Intrusion detection monitors for unauthorized access. It is less a preventative measure and more of a response trigger, although some[who?] would argue that it is a deterrent. Intrusion detection has a high incidence of false alarms. In many jurisdictions, law enforcement will not respond to alarms from intrusion detection systems. For example, a motion sensor near a door could trigger on either a person or a squirrel. The sensor itself does not do identification and as far as it is designed, anything moving near that door is unauthorized.
Identification :
The last layer is video monitoring systems. Security cameras can be a deterrentin many cases, but their real power comes from incident verification and historical analysis.[ For example, if alarms are being generated and there is a camera in place, the camera could be viewed to verify the alarms. In instances when an attack has already occurred and a camera is in place at the point of attack, the recorded video can be reviewed. Although the term closed-circuit television (CCTV) is common, it is quickly becoming outdated as more video systems lose the closed circuit for signal transmission and are instead transmitting on computer networks. Advances in information technology are transforming video monitoring into video analysis. For instance, once an image is digitized it can become data that sophisticated algorithms can act upon. As the speed and accuracy of automated analysis increases, the video system could move from a monitoring system to an intrusion detection system or access control system. It is not a stretch to imagine a video camera inputting data to a processor that outputs to a door lock. Instead of using some kind of key, whether mechanical or electrical, a person’s visage is the key. A human operator must be monitoring the situation real-time in order to respond in a timely manner. Otherwise, video monitoring is simply a means to gather evidence to be analyzed at a later time - perhaps too late in some cases.

Carbon nano-tubes, very often used in today’s
most advanced nano-sensors

Logical Security
The elements are:
User IDs, also known as logins, user names, logons or accounts, are unique personal identifiers for agents of a computer program or network that is accessible by more than one agent. These identifiers are based on short strings of alphanumeric characters, and are either assigned or chosen by the users.
Token Authentication
Token Authentication comprises security tokens which are small devices that authorized users of computer systems or networks carry to assist in identifying that who is logging in to a computer or network system is actually authorized.
Password Authentication
Password Authentication uses secret data to control access to a particular resource. Usually, the user attempting to access the network, computer or computer program is queried on whether they know the password or not, and is granted or denied access accordingly. Passwords are either created by the user or assigned, similar to usernames. However, once assigned a password, the user usually is given the option to change the password to something of his/her choice.

Hi-tech nano-sensors, freely used today with
amazing sensitivity and wider range of effectiveness

Two-Way Authentication
Two-Way Authentication involves both the user and system or network convincing each other that they know the shared password without transmitting this password over any communication channel. This is done by using the password as the encryption key to transmit a randomly generated piece of information, or “the challenge.” The other side must then return a similarly encrypted value which is some predetermined function of the originally offered information, his/her “response,” which proves that he/she was able to decrypt the challenge.

An embassy building, with clever use of planted
trees being used as vehicle barriers, both eco-friendly
and sufficiently effective

Biometrics:
Biometrics (or biometric authentication)comprises a wide variety of methods for recognizing in a unique manner, identity of humans based upon one or more intrinsic physical or behavioural characteristics or traits. In computer science, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance. For instance many laptops e.g. Lenovo, come bundled with a face recognition software, activated by a built-in webcam, which can recognise the legal owner and deactivate the lock. It refuses to start if there is an anomaly whatsoever. Though we feel that the science of biometrics is a new-fangled idea, history tells us otherwise.
Biometric identifiers are the distinctive, measurable characteristics used to identify individuals. The two categories of biometric identifiers include physiological and behaviouralcharacteristics.
The physiological characteristics are related to the shape of the body, and include:

• fingerprints,
• face recognition,
• DNA,
• palm print,
• hand geometry,
• iris recognition (which has largely replaced retina), and
• odour/scent.

The behavioural characteristics are related to the behaviour of a person, including but not limited to: typing rhythm, gait, and voice. Some researchers have coined the term behavioumetrics to describe the latter class of biometrics.
Earlier on, security experts had access only to the more traditional means of access control including :

• token-based identification systems, such as a driver’s license or passport, and
• knowledge-based identification systems, such as a password or a personal identification number.

Since biometric identifiers are unique to individuals, they are more reliable in verifying identity than token and knowledge-based methods; however, the collection of biometric identifiers raises privacy concerns about the ultimate use of this information.

A picture of an airport well-managed from security point
of view, shorter queues signify an efficient management

Biometric Functionality :
A wide variety factor related to human physiology, chemistry or behaviour can be used for biometric authentication. The selection of a particular biometric for use in a specific application involves a weighting of several factors. Jain et al. (1999), identified seven such factors to be used when assessing the suitability of any trait for use in biometric authentication.

• Universality means that every person using a system should possess the trait.
• Uniqueness impliesthe trait should be sufficiently different for individuals in the relevant population such that they can be distinguished from one another.
• Permanence relates to the manner in which a trait varies over time. More specifically, a trait with ‘good’ permanence will be reasonably invariant over time with respect to the specific matching algorithm.
• Measurability (collectability) describes the ease of acquisition or measurement of the trait. In addition, acquired data should be in a form that permits subsequent processing and extraction of the relevant feature sets.
• Performance relates to the accuracy, speed, and robustness of technology used (see performance section for more details).
• Acceptability relates to how well individuals in the relevant population accept the technology such that they are willing to have their biometric trait captured and assessed.
• Circumvention relates to the ease with which a trait might be imitated using an artefact or substitute.

It is vital to remember here that no single biometric factor will meet all the requirements of every possible application.]

At many public entertainment places, biometric
measurements are taken from the fingers of
guests to ensure that the person’s ticket is used
by the same person from day to day

A biometric system can operate in the following two disparate modes :- A. verification mode - here the system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric database in order to verify the individual is the person they claim to be. This process may use a smart card, username or ID number (e.g. PIN) to indicate which template should be used for comparison. ‘Positive recognition’ is a common use of verification mode, “where the aim is to prevent multiple people from using same identity”.
B. Identification mode - herethe system performs a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown individual. The system will succeed in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold. Identification mode can be used either for ‘positive recognition’ (so that the user does not have to provide any information about the template to be used) or for ‘negative recognition’ of the person “where the system establishes whether the person is who she (implicitly or explicitly) denies to be”.

A representative block diagram of a biometric system

The latter function can only be achieved through biometrics since other methods of personal recognition such as passwords, PINs or keys are ineffective. The latter function is very useful to Interpol, in maintaining a strict check on blacklisted criminals who are most likely to migrate to new pastures, both for survival and for expansion of their nefarious activities. The first time an individual uses a biometric system is called enrolment. During the enrolment, biometric information from an individual is captured and stored. In subsequent uses, biometric information is detected and compared with the information stored at the time of enrolment.
Summing Up:
This is an elaborate science, and one that involves mastery of several distinct disciplines to continually expand, improve upon and keep fool-proof various security measures. Space constraints prohibit more elaboration or inclusion of many relevant issues.

article from Industrial Security Review