Get Into Access: Back Doors and Magic Words
Access control is a wonderful thing. I can design a system to protect my assets. I decide WHO I want to have access to my facility, and I can have that access list enforced. I can spend lots of money for system design, for the system's components, and for system installation. I can use cards, biometrics, tags and a variety of options to control who is allowed access into my building.
So how are unauthorized people getting in?
As we build access systems, “secret back doors” are typically designed in. While this is common in computer programs, the same techniques exist in ID and access control systems. Why is there a back door? Convenience. Ease of access for maintenance and security. The problem is that secret back door access isn’t secret. Once someone gets the knowledge, they seem eager to share.
Fast information
Ten years ago, if you were 16 years old and wanted to know how to build a bomb, there were limited resources available to you. The best source of information would be The Anarchist Cookbook, or a similar publication. Today, you simply have to type “make a bomb” into Google, and millions of pages will return. You get instructions on how to make a bomb in less than a second.
I bring up the Internet and Google because the same issues apply to all aspects of security. There are a number of Internet sites that post information on how to beat security systems, bypass alarms and pick locks. I’ve looked at these sites, and while some of the material is interesting, even entertaining, a little bit of it is information that works. It can be difficult to sort through what is real, and what is conjecture or just plain wrong.
One of the more dangerous items to be shared or exposed on the Internet is the existence of “magic words.” Not the abracadabra of magicians, magic words are specific access codes or phrases that will get you into a facility, and they are finding their way into the public. Many facilities use access codes to gain access to the property. While each employee or tenant has a different code, many of these complexes have a single code that will open the gate in an emergency. The code is intended for police, fire and EMS, but it usually doesn’t take long for some other folks to get the code as well.
In this time of limited and secure access to our military facilities, one base in particular controls access through a main gate, yet anyone who wishes to visit the museum located on the base is allowed access. Again, the magic words “I’m going to visit the museum” open the doors, and the access policies are ignored.
Where’s the badge?
Occasionally, the magic words are “I left my badge at home.” In many companies, there is a lag between when someone is terminated, and when their badge access is terminated. Often, human resources handles hiring and firing, while security handles access badges. Security typically will not issue a badge until authorized to do so by HR. Following the same policy, security typically does not terminate access until notified by HR.
These access issues are usually covered by a policy. The policy often includes a procedure for issuing a new or temporary badge to employees who have forgotten their badge. A general corporate policy to strive for is the concept of “zero-in/zero-out.” Zero-in means that the day a new employee starts, he should have everything he needs to work. This includes a computer, Internet access, an email account, a credit card and all system access codes necessary to work. The concept is simple: the day a person shows up for work, he should have everything he needs to be productive. Zero-out is the important piece for the security side of the house. Zero-out simply means that the day a person leaves, whether through termination, retirement or simply resigning, that person’s access to the facility and all other company assets should terminate. The list includes everything on the zero-in list, especially building and computer system access. In order to be effective, zero-out should be corporate policy regardless of the reason for separation.
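As an added example (not from the original article), a reconciliation check in Python that looks for the HR-to-security lag described above: badges still active for people the HR roster shows as separated, flagging any that were used after the separation date, plus active badges with no HR record at all. The record layouts, field names and sample data are constructed assumptions standing in for whatever the HR and badge systems actually export.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    separation_date: Optional[date]  # None while still employed

@dataclass(frozen=True)
class BadgeRecord:
    badge_id: str
    employee_id: str
    active: bool
    last_used: Optional[date]

# Constructed sample data standing in for an HR export and a badge-system export.
TODAY = date(2024, 3, 11)
HR_ROSTER = [
    HrRecord("e100", None),               # still employed
    HrRecord("e200", date(2024, 3, 1)),   # terminated; badge never deactivated
    HrRecord("e300", date(2024, 2, 15)),  # retired; badge correctly deactivated
    HrRecord("e400", date(2024, 3, 8)),   # resigned; badge still active but unused
]
BADGES = [
    BadgeRecord("B1", "e100", True, date(2024, 3, 10)),
    BadgeRecord("B2", "e200", True, date(2024, 3, 5)),
    BadgeRecord("B3", "e300", False, date(2024, 2, 14)),
    BadgeRecord("B4", "e400", True, date(2024, 3, 7)),
    BadgeRecord("B5", "e999", True, None),  # no HR record at all: orphaned badge
]

def zero_out_exceptions(hr, badges, today):
    """Active badges whose holder HR shows as separated on or before `today`; reports the
    lag in days and whether the badge was used after separation (an actual violation)."""
    separated = {r.employee_id: r.separation_date
                 for r in hr if r.separation_date and r.separation_date <= today}
    findings = []
    for b in badges:
        sep = separated.get(b.employee_id)
        if b.active and sep is not None:
            findings.append({"badge_id": b.badge_id, "lag_days": (today - sep).days,
                             "used_after_separation": bool(b.last_used and b.last_used > sep)})
    return sorted(findings, key=lambda f: f["badge_id"])

def orphan_badges(hr, badges):
    """Active badges with no HR record: the other symptom of HR and security not talking."""
    known = {r.employee_id for r in hr}
    return sorted(b.badge_id for b in badges if b.active and b.employee_id not in known)
```

Run against the sample data, B2 shows a ten-day lag with use after separation, B4 a three-day lag without use, and B5 is an orphan; B3 is correctly deactivated and produces nothing.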
It doesn’t stop there. A FORTUNE 500 company that I audited had a very good access control program. They had very specific rules about access and ID badges; however, maintenance staff often used fire doors and other doors not integrated into the access control system to take shortcuts through the building. The security staff was guilty of using the same doors for the same reasons. It was convenient, but it violated every access policy the company had. What happened? Nothing. It was convenient to operate this way, so it was overlooked.
In order to work, ID systems and policies must be reasonable for the circumstances. Different facilities will warrant different levels of security, and those levels must be consistently enforced for everyone, from the CEO to the hourly worker. Even security and maintenance staff must follow the rules. Information must flow quickly between security and other involved parties.