PINs Matter

scramblepad

Hirsch Scramblepad

When working with a client once, they asked us to help harden their biological research labs by recommending additional security measures they could install. We did an initial and very casual walkthrough with them of the labs and how they were used. They were particularly proud of the Hirsch Scramblepads they had installed for access controlled doors. For those unfamiliar with these, they are an ingenious type of PIN pad where the numbers change each time you begin to enter your PIN sequence. This way, someone cannot peek merely at where your fingers were and assume that if you were at the bottom right of the pad, it was a 9. Anyway, they were (and still are in some circles) the Cadillac of PIN pads for access control.

As we began interviewing some of the lab staff, we asked how well they liked the keypads and how they were used. Most responded that they felt the keypads worked very well and were kind of “Star Wars” like because of their technology. We soon learned however, that the PINs used were 4 digit pins, and that there were a couple of hundred people who had access to these labs. To make it worse, departmental policy was that the individual was allowed to select their own PIN.  Yikes.

So, I promptly walked up to a PIN pad, and entered “1234”.

“Click”.  The door opened.

Okay, “1379”.  “Click”.

Yep.  Hmmm, one more, “2468”.  “Click”.   Okay, I see the biggest problem…

The good news, is it was a cheap fix.  That doesn’t mean easy, it was just cheap.  The long term fix was to add card access with CARD+PIN readers to enhance security; but in the mean time, we just increased the number of digits in the PIN, and assigned the PINs to the staff instead of letting them pick their own.  That’s why it wasn’t easy.  Some of the staff complained because now they had to learn a new PIN, and sometimes they forgot it, locking themselves out of the lab until they could remember it or get it reset.   Memorizing a new number (don’t we have enough numbers, passwords, etc. to learn already?!) is not fun and shouldn’t be necessary just to get into work.

Reading this now, this all probably seems like common sense to you, and it is.  It’s just that sometimes common sense isn’t used in practical applications the way we would always expect.  Security is a hassle, an inconvenience.  So, someone decided to make it easier on people and let them pick their own PIN.   This is were Security Policy and Procedures come into play.  They should be developed, implemented, maintained, and tested.  Had a proper policy been conceived and applied to the issuance of access control PINs, our job wouldn’t have been so easy.

PINs Matter

Just like passwords, a weak PIN is worse than NO PIN at all, because it gives you a false sense of security when there really is none.  If you still use only PINs, pick unique PIN of at least 8 digits, and ensure that they are unique for each user.  But better still, couple a PIN with an additional level of access control such as card access or biometrics.  After all, two levels of security are always better than one.

 

 

Posted in: Access Control, Security Technology

Leave a Comment (0) →

Analog to IP Camera Technology Migration

In a recent project, PR was contracted to assist a client in the migration of a multi-campus, traditional analog closed circuit TV system to a modern IP digital network based camera and recording system. This is a growing trend in the industry as clients realize the benefits not only increased camera resolution and recording capabilities, but also leveraging corporate infrastructure costs to reduce the overall total cost of ownership for their company.

It goes like this:

Traditional CCTV systems use analog NTSC (or PAL in some countries) cameras which connect via coaxial cable or fiber optic cable to an analog recording device, matrix switcher, and/or monitor. Sometimes the recorders are digital video recorders, but there are still alot of VCRs out there recording to plain old VHS tape. All of the equipment is still using or manipulating an analog video signal in some way.

The conversion requires new field devices, new infrastructure, new recording equipment, and new monitoring equipment. It can be expensive to install. However, the paybacks are big. With the advent of megapixel IP cameras, it is now possible to get very high resolution images that can be recorded and monitored anywhere your corporate network can go, and beyond. Factor in digital PTZ technology that allows for continuous monitoring of 360° from a single camera in high resolution, and you can now replace multiple cameras with only one. There are some limitations however, as outdoor PTZ cameras in parking lots or on poles aren’t necessarily good applications for IP PTZ cameras just yet. But eventually technology will catch up.

Hybrid compromises are available too, where analog cameras can be converted to IP encoded H.264 streams and sent to network video recorders (NVR) which record network video streams. The resolution is only as good as the analog camera (usually no more than about 500 lines, or 704 x 480 resolution). This pales in comparison to 1080p cameras or even higher resolution megapixel cameras on the market today, but it is a good way to leverage some legacy hardware with new recording and transmission technology.

The biggest advantage of digital IP video is the flexibility it affords. Need to move a video stream to a different recorder? Just change the IP settings. Need to monitor the video in multiple locations? Just pull down multiple streams from different PC workstations. Need to move the monitoring to a remote location or disaster recovery site? No problem, just connected to the video servers from the alternate location. All of these features were MUCH more difficult with legacy analog video.

In short, digital IP camera technology affords a suite of new and enhanced features that give security operations response and investigation tools that previously were nonexistent or too expensive to implement. There is a cost to this technology, but the power and flexibility is well worth the price.

Posted in: Security Technology

Leave a Comment (0) →

PR Invited to Participate in State and Local Fire Marshal Policy Meeting

Meeting with North Carolina state and local fire marshals, Protective Resources has been invited to participate in a discussion of how the State and local code officials are going to be educated/trained in the new requirements for fire alarm system communications to comply with the 2010 and 2013 Fire Alarm Code. These new requirements are complex and will require the code officials to have a better understanding of data networks, Internet Service Providers, and Voice Over IP communication services.

Posted in: Company News

Leave a Comment (0) →
Page 4 of 4 1234