Locks! Exciting, right?

They are often a part of our first line of physical security and they are an integral part of our layered defense.
In this video, I cover the exciting and wondrous world of locks at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass the exam.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to continue with physical security and we’re going to start out with looking at locks.
I know, right?
How exciting, locks!
And now that I got that out of my system, let’s actually look at locks.
Locks are only a preventative measure.
They don’t deter.
They don’t detect.
They don’t do anything else.
If the door is locked, you can’t get in.
You are prevented access.
And to gain access, you’re required to have the physical key that can unlock the door.
But keys can be shared, keys can be copied, locks can be picked and locks can be bumped.
But first off, let’s look at how a lock actually works.
So keys like the ones over here on the right have a bitting code.
And it is called that because that is how far the metal is bitten down on that specific section of the key.
And as you can tell how far the metal is bitten down, it’s a little bit of a weird term, but since it is the right term for it, we’re going to use it.
So the image over here on the right, the first one is of a lock that is locked.
You can then see the second picture.
Someone inserted the wrong key.
And to unlock the door, we need the tumblers to line up in the way that they do on the third picture.
On the second picture, you can see the division between the red and the purple part of the pin is not aligned; on the third picture they are.
When they align, we can turn the cylinder and unlock the lock.
Didn’t I tell you this was going to be exciting?
And this type of lock, Yale locks, are in general not very secure, but they’re very cheap to implement.
So people can steal the key, they can make copies of it, but they can also pick the lock or even bump the lock.
Any lock with cylinders and keys like we use over here on the right can be picked and they can be bumped.
Now, how long that takes really depends on two things:
the skills of the person doing it and the quality of the lock.
With a lock pick set, we’re basically trying to lift those little tumblers until they align in the right position that the key would have had them in.
And we can open the lock.
I actually bought a set of lock picks maybe two years ago just to see how easy it was.
And once you get some practice, it is actually not that difficult.
That said, lock bumping is often faster.
For lock bumping, the attacker has a key that matches the door and then all the bittings are shaved down all the way.
You can see a picture of one over here at the bottom on the right, and it is called lock bumping because you insert the key into the lock and then you hit or bump the key with a hammer or screwdriver or something like that.
That then makes the pins jump up and you quickly turn the key, opening the door.
This also takes some skill and some practice.
But if you do it right, you can open a door in just a few seconds.
And then obviously you also understand this is illegal.
And if you ever try it, it should be only for academic purposes, something you learn so you can understand the attackers better.
Now, let’s look at Master Keys and Core Keys.
A Master Key is a given key that can open any door in a certain area or a certain security zone.
Think of this as admin privileges for doors.
Since these keys can open so many more doors, we obviously need to keep these keys more secure.
We need to make sure we know both who has them at all times and where they are.
If I say, Hey, can I borrow your key really quickly, I just need to go do something, then the default answer should probably be no, because I can borrow your key, make a copy of it real quick like and then return it to you.
You are just as compromised as if I had stolen the key, whereas if the key had been stolen or vanished, well then maybe we changed the locks.
If I just borrow it and make a copy, we would have no clue.
Again, just like with the admin privileges, we don’t let someone else borrow our account to log in just to check on something real quick.
Big no-no.
Then we have core locks.
You can see an image of one over here on the right and they are called core locks or interchangeable core locks because they are easy to replace.
They’re pretty easy to recognize because they have that figure-eight shape and important here, they are made for convenience.
They are regular locks with the tumblers we’ve looked at already.
But with a master key, you can remove them and add a new lock in a few seconds.
If you are compromised, then, instead of changing the entire lock, you just change the core.
Much easier, right?
But as in most cases, much easier also comes with some security concerns.
So to remove that core, we have a specialized control key.
We insert that control key and we can extract the entire core.
Now, if an attacker gets hold of that, they can do exactly the same.
So here, just like with the master key, we need to keep that core key very, very secure.
We might even here want to implement dual controls.
So the only time someone can get the core key is when two authorized people sign it out.
Now, let’s finish out the exciting world of locks with combination locks.
Combination locks are not very frequently used, but they can be appropriate in some areas where we need low security.
And it is not feasible for every employee to have a key for their access.
Keyword here, right?
Low security, and it is low security for a few reasons.
They have a finite set of combinations that can work and they’re not very difficult to break.
Combination locks can either be the dial type, if you think like the round dial on a safe, they can be push button, or they can be a keypad.
And they are very susceptible to brute force and shoulder surfing.
On top of that, we’re pretty bad about configuring them with weak security.
In many places they are just the street number.
That way the employee doesn’t have to remember the three- or four-digit code it has.
They go to the location and know the street number.
Now they open the lock, but that is such common knowledge that the attacker does the same.
So not very secure at all.
On top of that, the more we use a combination lock, over time, the keys wear down and it is easier to open.
You now know some of the keys that are being used.
For instance, if you have a phone number pin and we can tell from the keypad which four keys are used, there are no longer 10000 combinations.
There are now 256.
If only three keys are used, we’re now down to 81 options.
So combination locks should really only be used in areas that do not need a lot of security and places where we don’t keep anything important, but preferably they should be avoided.
And if we have to, well, then make sure that it’s not the street number that is the combination and we need to make sure that we replace them every so often.
And with that, we are done with the wonderful world of locks.
And I will see you in the next lecture for more physical security.