Thursday, July 27, 2006

The Dangers of the Master Key

That's right, the use of a master key system makes it much simpler to pick any lock in the system. I know I'm going to have to sell you on this one, so here we go.

Let's use the average college dormitory as an example. The typical dorm room has three keys that will open it; the key of the individual rooming there, the Resident Assistant for that area, and the key of the Residential Director for the building. In order for this to work, it means at least some of the pins need multiple key depths that will work. Usually the number of pins for which this is true is kept to a minimum, for reasons that will soon become apparent.

Keys usually have 10 depths, numbered 0-9, to which they can be cut. If there are five pins (the standard for a door), that means there are 10 to the fifth power, or 1000000 possible key combinations, only one of which will work.

Now, in a dorm room key, two of these pins will be set to a single depth, as just described. The other three, however, are set to accept three different depths; one for each key that will accept it. That means that rather than 1 tooth combination that will open the door, there are 29. Now, this may not seem like too much of a big deal, after all, 29 out of 1000000 is still not very good odds. But there are other factors.

When I told you there where 10 possible depths, I was telling the truth, but no the whole truth. While there are 10 depths, only about 7 are usually used. which reduces the possible combinations to 7 to the fifth, or 16807. Quite the reduction. In addition to that, in a college dorm, 2 of these pins are set to the same depth for every key in the building. These two pins can be figured out just by comparing a few keys. This reduces possible key combinations to only 7 to the third, or 343. So now a potential thief has 29 out of 343. Granted, these still aren't good odds, but considering how easy it is to pick a non-mastered lock, such a reduction of odds can make a significant difference.

Tuesday, July 25, 2006

The Big Let Down

I worked on getting the feeds set up today rather than come up with a real post. Sorry. I promise I will get a good one up tomorrow. Something that will scare the bejeezus out of you. Unless you already know about it. Then you will just find it boring.

Also, I have been using Performancing for Firefox to post to this blog, and now it is not working. Error#3. Something with the ATOM server, tried removing myself from ATOM and that didn't work. If you know how to fix this, please let me know. I don't like having to post manually.

Monday, July 24, 2006

Defining Security

Like most abstract concepts, security can be very tricky to pin down. There are almost as many definitions as there are sources, and they vary from th every concise to the very precise. But in order to discuss security, we must first define it, so lets give it a shot.

According to dictionary.com, security is
  1. Freedom from risk or danger; safety.
  2. Freedom from doubt, anxiety, or fear; confidence.
  3. Something that gives or assures safety, as:
    1. A group or department of private guards: Call building security if a visitor acts suspicious.
    2. Measures adopted by a government to prevent espionage, sabotage, or attack.
    3. Measures adopted, as by a business or homeowner, to prevent a crime such as burglary or assault: Security was lax at the firm's smaller plant.
    4. Measures adopted to prevent escape: Security in the prison is very tight
  4. Something deposited or given as assurance of the fulfillment of an obligation; a pledge.
  5. One who undertakes to fulfill the obligation of another; a surety.
  6. A document indicating ownership or creditorship; a stock certificate or bond.

Whereas Merriam-Webster's online dictionary defines it as
1 : the quality or state of being secure : as a : freedom from danger : SAFETY b : freedom from fear or anxiety c : freedom from the prospect of being laid off <job security>
2 a : something given, deposited, or pledged to make certain the fulfillment of an obligation b : SURETY
3 : an instrument of investment in the form of a document (as a stock certificate or bond) providing evidence of its ownership
4 a : something that secures : PROTECTION b (1) : measures taken to guard against espionage or sabotage, crime, attack, or escape (2) : an organization or department whose task is security
The common themes we see between these two dictionaries so far are safety, both percieved and actual, and the institutions, devices, measures, and people that provide it. This seems to be the basic definition everyone has formulated in their minds, but as to what this safety is from, well, that is where things get interesting.

When most people think of home or business security, they think of a few very specific threats. Burglary, shoplifting, maybe hackers if they are technologically adept. Financial security may come up, but as we are concerned with the duties of a security professional, this isn't really applicable. What most people don't realize is applicable is damage prevention. Emergency procedures. Fire and flood protection for personnel, data, and property. A good security system will include not only burglar alarms, but smoke alarms and carbon monoxide detectors. A good security officer will not just manage a security force, but will also develop emergency procedures, actively combat potential workplace violence, and accident prevention.

You see, in many ways, fires, floods, and clumsyness are more of a threat to a business than burglars will ever be. According to OSHA, in 2004 there were 4,257,300 nonfatal accidents in private industry, and 5,764 fatal ones. This doesn't include fires, floods, and other disasters. While a shoplifter will make off with maybe a few hundred dollars of goods, a dead employee represents the loss of thousands of dollars worth of training and experiance. And oh yeah, SOMEONE IS DEAD!!

Also, while most people believe that security devices and forces are intended to defend from exterior threats, the truth is that employee theft is the chief threat watched for by most security professionals. Interior threats are always more dangerous that outside threats. Employees have more opportunity, better access, and tend to think they have a better chance of success. Even in prisons, most of the technological and design features are meant to protect the prisoners from the guards, not to keep the inmates contained, as most people think.

Obviously, the average person's view of security does not realistically encompass the threats posed to a company. Luckily, most companies are well aware of what the threats to their bottomline are. Most of the job functions described so far are covered by security professionals all over the world, and much more. In fact, in many companies, the head of security has been elevated to an executive position (Chief Security Officer, or CSO) to reflect the importance of their responsiblities. This position will also take an active role in hiring procedures, loss prevention, and network security.

In light of this, I think its important that any definition of security also include a description of what the safety is from, if only to bring non-human threats to people's attention. Things like fires and power outages are actually rather mundane if they are prepared for. If they catch a company unaware, however, they can be devestating. In my eyes, security as a field is the practice of protecting people and assets from malicious individuals, human error, and inhuman disruptions, both natural and unnatural.


powered by performancing firefox

Sunday, July 23, 2006

A Brief Description of Homeland Security

The Department of Homeland Security has been a popular topic of discussion since its inception, but few people actually know exactly what it is, what powers it has, and what its responsabilities are. I thought I would clear things up to the best of my ability, and learn a little bit about it myself. As resources I have used Introduction to Security Seventh Edition by Rober J. Fischer and Gion Green, the Department of Homeland Security's website, as well as the ever popular Wikipedia.

As most of you know, the Department of Homeland Security was created in response to the attack of September 11th, 2001. It is a cabinet level agency, similar to the Department of Defense or Department of Treasury, which combines 22 federal agencies, making its creation the largest reorganization fo the United States Government since the Department of Defense was created in 1947. It is the third largest cabinet department of the federal goverment, behind only the Department of Defense and the Department of Veterans Affairs.

The predecessor of the DHS was the Office of Homeland Security, which President George W. Bush announced on September 20, 2001. Headed by Governor Tom Ridge as Assistant to teh President for Homeland Security, the mission of the Office as announced was to "develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks. The Office will coordinate the executive branch's efforts to detect, prepare for, prevent, protect against, respond to, and recover from terrorist attacks within the United States.

Probably the most well-known action of the Office was the creation of the Homeland Security Advisory System, the famous (or infamous) color coordinated system for providing a "comprehensive and effective means to disseminate information regarding the risk of terrorist acts to Federal, State, and local authorities and to the American people". Unveiled March 12, 2002, the system consists of 5 threat levels that theoretically reflect the probabability and severity of a terrorist attack and trigger specific, predetermined responses by various governmental agencies and organizations. These actions are not necessarily revealed to the general population, and some, such as forced searches or automobiles near airports, may violate Fourth Amendment rights, although no court has yet ruled on a specific search to date. This system has been the target of harsh criticism, ranging from the mundane and humorous (the colors are not in correct sequence according to the spectrum of visible light) to the serious and troubling (criteria for changing levels have never been disclosed, the system instills fear in the public without proscribing courses of action). It is also important to not that, while it is a 5 level system, only the yellow and orange levels have ever been used.

On November 25, 2002, Congress passed the Homeland Security Act of 2002, which created both the DHS and the White House Homeland Security Council, and gave federal law enforcement agencies incredible powers to monitor citizens. These organizations merged with the OHS in January of 2003.

According to the Homeland Security Act of 2002, the Mission of the Department of Homeland Security is to:
1)Prevent Terrorist Attacks within the United States
2)Reduce the vulerability of the United States to terrorism; and
3)Minimize the damage, and assist in the recovery, from terrorist attacks that do occur within the United States.

In this respect, they have been successful, as there have been no terrorist attacks against the US since the Department's inception, although many believe that this may be a result of other factors (i.e. war in Iraq, terrorism being harder than most people think, etc.)

To see the organizational chart of the DHS, click here, and to read about the individual components and directorates, click here.


powered by performancing firefox

Introduction

Welcome to UMR Security Geek! I am an interdisciplinary engineering student at the University of Missouri-Rolla with a passion for security. I am currently interning with Baker's Footwear Group developing CCTV systems for their stores (although I am quiting at the end of the week). I have been awarded a research grant by my school to prototype and develop a new lock system, and serve as a Senior Resident Assistant. I have also started two business plans for after I graduate; one is for a software company that will develop a software suite aimed at the security professional, the other is a security consulting and engineering firm.

The purpose of this site is for me to share my passion for security with the world. Posts will include lessons on the history of the security field, editorial articles concerning security subjects, book reviews, links to interesting articles, and general ranting. Comments are highly encouraged; feedback helps me learn, and I love answering questions.