Why Dumpster Dive when I can pwn right in?

Presented at DerbyCon 3.0 All in the Family (2013), Sept. 29, 2013, 2 p.m. (50 minutes)

Securing access to buildings, internal access points, and assets is typically handled by a corporate security group outside of IT and assumed to be secure. However, the process for evaluating technology that is implemented at the door is typically very different from how IT selects vendors, and the criteria for doing so are far more relaxed. The result is that many of the access points that are required to be secure, such as data centers, executive offices, R&D labs, dispensaries, even the front door, are more often than not fairly simple to subvert – and to look like an authorized user while doing so. IT executives and InfoSec professionals who have been relying on colleagues to execute security that meets their expectations have mostly been failed by that reliance, and the gap largely remains unidentified, unremediated, or even not understood. Even the auditors who have signed off in various compliance areas (such as PCI for data center protection) are unaware. Gaining physical entry, going undetected, and taking possession is far simpler than most assume, and metrics for proper assessment are seldom reviewed jointly with the stakeholders that depend on them. This session will discuss how physical security access control generally operates, from system infrastructure to credentialing and authentication. It will focus on understanding the general technology, its glaring flaws, and how it can be repeatedly subverted across a corporate facility. Through a demonstration, a discussion of best practices for remediation, and an opportunity for Q&A, the audience should be equipped to understand the risks in their environment and take action to engage their colleagues in a meaningful way to begin addressing the security gaps that have long been ignored. Additionally, we will overview advanced credentialing concepts that bleed into IT, such as secure element chips, cryptographic keys, and contactless approaches that can be leveraged to suit both IT and physical access requirements in the future.

Presenters:

  • Terry Gold
    Terry Gold is the founder of IDanalyst LLC, an independent research and advisory firm specializing in identity, authentication, and access control covering both physical and IT security. His firm was founded on the principle of vendor neutrality, helping corporate organizations become more secure, aware, and in control of their security strategy in these areas, since there were few sources of reliable, independent, and in-depth research on them. Mr. Gold has built a worldwide reputation as a specialist and has assisted some of the largest and most recognized companies in the world with exploring, drafting, and implementing smart strategies for physical access, IT security, and convergence leveraging smart cards, RFID, and PKI. Most recently, he was Vice President of Cloud Identity for idOnDemand, where he established their leadership as well as the first such solution in the SaaS market. Prior to that, he was with ActivIdentity, a leader in the credential management infrastructure space, and several other companies such as Bioscrypt, Novell, and SilverStream, where he specialized in biometric authentication, identity management, and enterprise application integration respectively.
