electronic access control

Dual Technology Credentials

By Ryan Kaullen, Field Services Manager at Kenton Brothers

Access Control has been around for a few decades now, and during that time the technology has evolved. A lot of customers have older access control equipment and can’t afford to change out equipment every time technology and security solutions change. What are ways that a company can increase security but not have to change out everything all at once? How can they avoid impacting large portions of their current access control solution? One way is by using Dual Technology Credentials.

Proximity Technology

The industry standard at the beginning of development of access control solutions was called proximity technology.

Proximity is a non-encrypted technology. As technology has advanced, and those who wish to hack or break through the security have advanced, the industry adapted. More advanced types of technology were required to combat those new threats. These advanced defenses include solutions like multi technology, new readers with encryption, advanced card formats, and more.

This is where Dual Technology Credentials come into play.

Changing your credential to dual technology allows you to use older technology readers along with the newer options, all while enjoying the benefits of having an encrypted credential for higher security.

Over time, you will be able to upgrade your readers to a newer type of encrypted reader. (In other words, spreading out the investment timeline for doing the reader upgrades.) You will still be able to use your dual technology credentials, but once all the readers have been updated, you can switch from a dual technology credential to an encrypted credential. This will lower the cost of your credentials moving forward while still keeping the correct standard of credential security.

Individuals who intend to cause harm to a location often try to go for the low hanging fruit… which includes access control credentials. They use a repeater to try to reveal the card’s or fob’s credentials, which allows them to re-create the card and gain entry. This is where dual technology credentials can really make a difference.

If you are interested in learning more about Dual Technology Credentials, please contact us and we would be happy to see where we can help heighten security and protect your people, property, and possessions.

Credential Technologies: You may not be as protected as you think

By Neal Bellamy, IT Director at Kenton Brothers

Today, I want to talk about credential technology. While not an extremely exciting topic, it can be, and often is, the weakest link in many organizations’ access control systems. Remember that an attacker doesn’t need to get through every defense in your system; most often they just need to get past the weakest one (or two).

Let’s start with how cards and readers work.

Any RFID reader, including the ones used for access control, puts out an electromagnetic field around the reader. This field is usually measured in inches, but in special readers like a Nedap long-range reader, fields can be measured in feet.

When a credential (card, fob, wristband, sticker, etc.) passes through the field, it electrifies the antenna giving the chip on the credential enough electricity to transmit the data stored on the chip. Most often the data that is stored is the “Card number”. I put it in quotes because that “Card number” could be many things.

Next, we need to talk about card numbers or more specifically card formats.

Unfortunately, most card formats are simple and relatively easy to guess. The most common card format is 26 bits in length. HID calls this H10301. The first 8 bits designate the facility code and the next 16 bits designate the card number itself. The facility code is a way to group the cards together and, in theory, verify that the card belongs to the access control system.

The low bit count means that there are only 256 possible facility codes and 65,535 card numbers. For those people paying attention to the details, the extra 2 bits are used for error checking.

Most people start with card number 1 and work their way up. There are other card formats like 33-bit, 37-bit, 40-bit, and so on. Each increases the possible facility code and card number options. The important takeaway is that once an attacker has the card format, facility code, and card number of a person who has access, they can gain access to your facility.
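The 26-bit layout described above, as an added example (not code from the original article): an encoder and a validating decoder. It assumes the commonly documented bit order for this format, with a leading even-parity bit over the first 12 data bits and a trailing odd-parity bit over the last 12; the function names are hypothetical.

```python
"""Encode and validate a 26-bit (H10301-style) card read."""

FACILITY_BITS = 8   # facility code width
CARD_BITS = 16      # card number width


def encode_26bit(facility: int, card: int) -> str:
    """Return the 26-character bit string for a facility code and card number."""
    if not 0 <= facility < 2 ** FACILITY_BITS:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card < 2 ** CARD_BITS:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility:08b}{card:016b}"        # 24 data bits
    lead = data[:12].count("1") % 2            # makes the first 13 bits even
    trail = 1 - data[12:].count("1") % 2       # makes the last 13 bits odd
    return f"{lead}{data}{trail}"


def decode_26bit(bits: str) -> dict:
    """Check length and both parity bits, then split out the two fields."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    # Parity only catches line noise. It does not prove where the bits
    # came from, and nothing in the frame is secret.
    return {"facility": int(bits[1:9], 2), "card": int(bits[9:25], 2)}


if __name__ == "__main__":
    frame = encode_26bit(42, 1234)             # constructed sample values
    print(frame, decode_26bit(frame))
```

Two flipped bits inside the same parity half still decode cleanly to a different card number, which is why the parity bits count as error checking and not as protection.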

Encryption

Like most things in commercial security, encryption is a way to combat the wrong people seeing the real card number. Encryption and card formats are independent of each other. You can have a 26-bit card that uses encryption and a 26-bit card that does not use encryption. That is based on the card technology.

Card technologies like Prox and Indala are not encrypted. This means that almost any card reader can read the actual card format, facility code, and card number; it just has to get close enough to a card that has access.

Some technologies are encrypted but have already been cracked. Examples of these are Mifare Classic, HID iclass Classic, etc. Because the technology is already cracked, there are several ways of reading the encrypted data, and then applying the workaround to get to the actual card data again. Using a cracked technology is better than unencrypted, but it is still not advised.

Some technologies are not yet cracked like Mifare EV3 and HID iclass SEOS.

Encryption Usage

When an encrypted technology is in use, both the card and reader must be using the same set of keys. Public/Private key is a long topic, but effectively a matching pair of keys is used to encrypt and decrypt data. (More information here.)

This means that readers and credentials are matched for the different manufacturers. If you are using HID readers, you almost always need to use HID credentials. Even with an encrypted, uncracked, card technology, the most commonly sold readers and credentials use the same key pair across all readers and credentials. This means that anyone can buy the latest HID reader to read almost every HID card ever sold.

There are special programs where a business can “own” its own set of keys. Another option is to use a system that generates a unique key and then can use that key to encrypt the cards specifically for a given system like Gallagher.

I know this was a lot of information, so let’s distill it a bit.

First, make sure you are using encrypted card technology.

Second, use the latest technology when you are using encryption. This will be based on the card readers you are using.

Finally, if at all possible, own your public/private keys. Sign up for a unique key system like Corporate 1000, or use a system like Gallagher to generate a unique key for your system.

If you have more questions or need help with your current/future commercial security solution, please give us a call.

CPTED Part 3: Territorial Reinforcement and Maintenance

By Kevin Whaley, CPP, Sr. Security Consultant at Kenton Brothers

Welcome to Part 3 of our discussion about Crime Prevention Through Environmental Design (CPTED).

In Part 1, I introduced the concept of CPTED and the importance of ensuring CPTED principles are considered when developing or enhancing your security program. In Part 2, we dove into greater detail on the concepts of Natural Surveillance & Natural Access Control. In Part 3 of the series, we will be looking at Territorial Reinforcement and Maintenance.

As a quick recap: in the first part, we touched on the four key overlapping concepts of CPTED which include:
  1. Natural Surveillance
  2. Natural Access Control
  3. Territorial Reinforcement
  4. Maintenance
In the second installment, we went into greater detail about the ins and outs of Natural Surveillance & Natural Access Control, such as:
  • Natural Surveillance – the placement of physical features, activities and people in a way that maximizes visibility from the surrounding environment.
    • WHY? It increases the threat of apprehension by taking steps to increase the perception that people can be seen.
  • Natural Access Control – Natural access control means controlling access to a site. People are physically guided through a space by the strategic design of streets, sidewalks, building entrances, and landscaping.
    • Clearly defines entryways and guides personnel to specific entrances that are well lit and overlooked by surrounding areas.
Just as a reminder, to successfully implement a CPTED plan of action, we must understand that all human space:
  • Has some designated purpose.
  • Has social, cultural, legal, or physical definitions (such as expectations or regulations) that prescribe the desired and acceptable behaviors.
  • Is designed to support and control the desired and acceptable behaviors.
With that understanding in mind, our approach should focus on:
  • Manipulating the physical environment to produce behavior effects that reduce the fear and incidence of certain types of criminal acts;
  • Understanding and modifying people’s behavior in relation to their physical environment
  • Redesigning space or using it differently to encourage desirable behaviors and discourage illegitimate activities; and
  • Reducing the conflicts between incompatible building users and building uses, with the goal of eliminating “no person’s land” that no one takes ownership of.

There are various controls that can be implemented that can supplement or support the approaches listed above.

Territorial Reinforcement and Maintenance of your CPTED program.

Territorial Reinforcement:

Territorial reinforcement involves establishing a sense of ownership and belonging in a specific space, which can be achieved through various design elements and strategies. When a space appears to be clearly defined and “owned” by a particular group or individual, it may discourage potential criminals by making them feel like trespassers or intruders and that the potential for detection is high.

Importance in CPTED: By implementing territorial reinforcement, CPTED aims to deter criminal activity by promoting the perception of active ownership and surveillance. A well-defined and cared-for area signals to potential offenders that their presence is likely to be noticed and that there is a higher risk of detection and apprehension. This may lead to a decrease in the opportunities for criminal acts to occur, as criminals tend to avoid spaces where they feel more vulnerable and exposed.

Examples of Territorial Reinforcement:
  1. Clear boundaries and property lines demarcated with fences, hedges, or other physical barriers.
  2. Well-maintained landscaping and exterior areas, indicating active use and care.
  3. Signage and symbols that represent community ownership or surveillance, such as neighborhood watch signs.
These examples of territorial reinforcement can (and should) be enhanced with other physical security measures including but not limited to:
  1. Surveillance cameras
  2. Speakers with pre-recorded messages stating that the person is being watched or that authorities have been called.
  3. Sufficient illumination
  4. Security officers
  5. Access Controls
  6. Active/Passive intrusion sensors

However, no matter how advanced or intricate your CPTED program is, it can deteriorate and become obsolete without proper care and maintenance.

CPTED Maintenance:

CPTED maintenance involves sustaining a sense of ownership and control over a space through ongoing upkeep and community involvement. Neglected or poorly maintained areas can attract criminal activity as they signal a lack of guardianship and a reduced risk of detection.

Importance in CPTED: Regular maintenance of public and private spaces is critical to the success of CPTED. Well-maintained environments foster a sense of pride, ownership, and responsibility among community members. It reinforces the idea that residents are actively invested in their surroundings and are vigilant against criminal behavior. This collective effort makes it less attractive for criminals to target such areas, as they are more likely to be noticed and reported by the community.

Examples of Territorial Maintenance:
  • Prompt repair of broken windows, damaged fences, or graffiti.
  • Adequate lighting to ensure visibility and reduce hiding spots.
  • Community engagement and participation in the upkeep of shared spaces.

The image to the right is an example of POOR CPTED maintenance. As you can see, the vegetation is growing through the fence line, damaging it significantly and there are various areas where intruders have cut and recut through the fence line. The lack of prompt repair, landscaping maintenance, and lack of illumination, make this industrial facility a tempting target.

In conclusion, territorial reinforcement and maintenance are essential components of Crime Prevention Through Environmental Design. By creating a sense of ownership and responsibility within a community and ensuring that spaces are well-cared for, CPTED aims to discourage criminal activity and promote a safer environment for residents and visitors alike. These proactive measures empower communities to take control of their surroundings and play an active role in crime prevention.

I hope you will watch out for the final installment where we will review the concepts we’ve discussed and how they all can be tied together.

Have more questions about CPTED or would like an assessment? Give us a call at 816-842-3700 and our board certified security professionals will get you taken care of!

Chain of Custody in Commercial Security

By Ryan Kaullen, Field Services Manager at Kenton Brothers

Many of you know that our goal is to protect people, property, and possessions. Something that comes up related to this goal is Chain of Custody.

You may be wondering what Kenton Brothers has to do with Chain of Custody and how we would be involved. Unfortunately, part of the work we do in the commercial security industry is capturing evidence. This evidence comes in many forms. Evidence may include video surveillance recordings, security system audit trails and more. We capture this information to help protect companies from theft, fraud, and workplace incidents. There are plenty of scenarios that result in law enforcement being involved.

What is Chain of Custody?

Chain of Custody is the documentation of chronological events related to an incident. How the evidence is handled, who handles it, and more all matter. The idea is that law enforcement needs to be able to review and use video and other forms of documentation as evidence in a trial or hearing.

A Recent Example for a Banking Client

We recently received a Chain of Custody request from one of our banking clients. They had an event that they deemed legally significant and requested our help in documenting what had happened. They needed our help to get the video segments exported properly. They wanted footage from all of the cameras at one of their locations over the past 30 days. (That’s a good amount of video data!)

Our first step was to download the footage locally to external hard drives. The video data had to have password encryption. And the video footage had to be time stamped. We also had to fill out Chain of Custody paperwork.

On top of those requirements, the equipment and external drives couldn’t be left unsecured while we were downloading the video segments. We also had to be in an access-controlled room for audit purposes. It was crucial that we followed every step correctly to make sure their case against the accused is rock solid. We had to make sure the evidence we helped provide would not get thrown out due to Chain of Custody problems.

Once the video had been downloaded onto the drives, our technician had to hand deliver the hard drives to the bank’s lawyer and provide the Chain of Custody paperwork.

We Take Chain of Custody Seriously

Chain of Custody is something Kenton Brothers takes extremely seriously for many reasons. One, we want to make sure we are providing our customers with a level of service and reliability they can count on. We also want to make sure law enforcement has what they need to support or refute claims. This is also a great example of how the commercial security systems we sell and support do what they’re supposed to do.

The reality is that you hope you never have to use footage, audits, etc. against someone working for you or coming in to your place of business. But when something does happen, you want to make sure you have the right systems in place to protect the people, property, and possessions of those who work there.

To learn more about how Kenton Brothers Systems for Security can protect you and your business, please give us a call.

Don’t let a secret tunnel topple your castle. OSDP encryption is crucial to your commercial security.

By Neal Bellamy, IT Director at Kenton Brothers

As in all security, it only takes one weak link to bring the whole castle down. You can have the best moat, the best turrets, and the best drawbridge. But if there was a secret, unguarded passage and the enemy discovered it, it could certainly lead to your demise. In the commercial access control world, the Wiegand Protocol is that unguarded secret passage.

The Wiegand Protocol

The Wiegand protocol has been used since the 1980s and is named after the Wiegand Effect. The Wiegand protocol is used to detect the 1’s and 0’s sent from a commercial security reader to the access control panel. (To be clear, there are two separate transmissions that happen when you present a card to a reader.)

The first communication is from the card to the reader itself. This transmission can be protected by the card technology being used. Both the card and the reader have to have the same technology to be compatible. iClass®, Mifare®, and FeliCa® are examples of card technology where the transmission is encrypted between the card and reader. Proximity is another type of card technology, but the transmission is not encrypted.

The second transmission is from the reader to the door controller. With very few exceptions, the Wiegand protocol has been the method to support this transmission. If you have an encrypted card technology (and you should) it’s like encoding a message with the Enigma machine, then translating back to plain German and sending the unencrypted message on horseback to its next location. If the courier gets intercepted while the message is unencrypted… all of that amazing security of the message has been wasted. If someone could change the message without you knowing, you might even make the wrong decision. You might think this is CIA/MI5 material, but it is way more accessible than you think.

Enter the $25 Wiegand interface.

If you look online, you can find a board that can be installed between a reader and control panel that will intercept and log every access card being used. The board is smaller than a poker chip and can be installed behind a reader pretty easily. Once installed, it is powered by the door controller and is completely invisible to the reader and access control system. The attacker can leave it in place for a few days or a few weeks, while it collects every card read. Then, when they are ready, they can retrieve the list of cards from the built-in Wi-Fi interface. If the attacker only needs access to get into that single door, they can even “replay” the card number from the Wiegand interface back to the door controller, probably granting access. If they need access to multiple doors, they could use the information to recreate identical cards to the ones you are using.

Placing one of these Wiegand interfaces at the front door of a facility could be devastating for your building security.

OSDP = Open Supervised Device Protocol

There is hope. The answer is to also encrypt communication from the reader to the panel.

Open Supervised Device Protocol (OSDP) aims to do this and more. OSDP has been an international standard since 2020 and is all about encrypted communications. It also adds bi-directional communication with readers (so you know when readers are offline/disconnected), support for more than one reader on a port, and more. Over the last couple of years, board and reader manufacturers have been implementing OSDP into access control hardware. While not every manufacturer or model supports OSDP, support is growing. For most systems, OSDP can be added on a door-by-door basis. You can convert high-profile doors to OSDP while waiting to upgrade low-risk doors if your budget doesn’t support an all-or-nothing approach.
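Why an encrypted, authenticated reader-to-panel link makes a captured card read useless, as an added example that is not from the original article and is not the OSDP wire format. It is a simplified sketch that uses HMAC-SHA256 from the Python standard library as a stand-in for OSDP's AES-128 secure channel; the class, function and field names and the sample card read are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function with a label for domain separation."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

class LinkEnd:
    """One end of the reader-to-panel wire; both ends share base_key."""

    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.session_key = b""
        self.seq = 0

    def new_session(self, nonce: bytes) -> None:
        # A fresh nonce gives a fresh key, so frames recorded earlier go stale.
        self.session_key = _prf(self.base_key, b"session", nonce)
        self.seq = 0

    def seal(self, card_read: bytes) -> bytes:
        """Reader side: encrypt and authenticate one card read (<= 32 bytes)."""
        if len(card_read) > TAG_LEN:
            raise ValueError("card read too long for this sketch")
        seq = self.seq.to_bytes(4, "big")
        stream = _prf(self.session_key, b"enc", seq)
        body = seq + bytes(a ^ b for a, b in zip(card_read, stream))
        self.seq += 1
        return body + _prf(self.session_key, b"mac", body)

    def open(self, frame: bytes):
        """Panel side: return the card read, or None if forged or replayed."""
        if not self.session_key or len(frame) < 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, _prf(self.session_key, b"mac", body)):
            return None  # wrong key, or altered in transit
        if int.from_bytes(body[:4], "big") != self.seq:
            return None  # authentic frame, but not the next one expected
        stream = _prf(self.session_key, b"enc", body[:4])
        self.seq += 1
        return bytes(a ^ b for a, b in zip(body[4:], stream))

def demo() -> dict:
    key = os.urandom(16)                      # constructed shared key
    reader, panel = LinkEnd(key), LinkEnd(key)
    nonce = os.urandom(16)                    # chosen by the panel
    reader.new_session(nonce)
    panel.new_session(nonce)
    card = b"FC=042 CN=01234"                 # constructed sample card read
    recorded = reader.seal(card)              # what a device on the wire sees
    results = {
        "first_delivery": panel.open(recorded),
        "card_visible_on_wire": card in recorded,
        "replay_same_session": panel.open(recorded),
    }
    panel.new_session(os.urandom(16))         # e.g. after the reader reconnects
    results["replay_new_session"] = panel.open(recorded)
    return results

if __name__ == "__main__":
    print(demo())
```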

I need to mention a side note here for Gallagher. When I first encountered Gallagher security products in 2010, they were already using their HBUS technology for their readers. While Gallagher supports OSDP, the HBUS technology provides very similar benefits as OSDP like encryption, bi-directional communication, and multiple readers on a port… but HBUS has been doing it for much longer. An additional benefit with Gallagher HBUS and readers is being able to create your own card encryption key easily. This means that no other organization in the world will have a card that can be read on your Gallagher system. This is not a requirement for Gallagher, but it is super simple to do and is part of our standard procedures when installing a new Gallagher system.

Transmitting card numbers from the reader to your access control panels might be the chink in your access control’s armor. As part of our security standard, KB will make sure you are using encrypted communication from the card all the way to the access control system.

If you need help evaluating the next steps in your access control setup or how to get started on the right foot, let us know! Just give us a call and we will be happy to help.