Security Dealer & Integrator

JUN 2017

Find news and information for the executive corporate security director, CSO, facility manager and assets protection manager on issues of policy, products, incidents, risk management, threat assessments and preparedness.

Issue link: http://sdi.epubxp.com/i/835749


Access Control

34 Security Dealer & Integrator / www.SecurityInfoWatch.com June 2017

targeted data. By using the physical access control system, hackers can potentially steal sensitive data. This actually happened to Austrian hotel Romantik Seehotel Jaegerwirth – according to news reports, the hotel was hit by a ransomware attack in January in which hackers took over the access control system on guest rooms, reportedly preventing the hotel from issuing keycards or re-keying the room locks themselves. The hotel was forced to pay ransom in Bitcoin to regain control of the system (see www.nytimes.com/2017/01/30/world/europe/hotel-austria-bitcoin-ransom.html for more).

If that is not enough reason to encrypt data, the Federal Trade Commission (FTC) recently decided it will hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that do not.

The Building Blocks

There are three major elements to access control system encryption:

Authentication: Determining whether someone is, in fact, who they say they are. Credentials are compared to those on file in a database. If the credentials match, the process is completed and the user is granted access. Privileges and preferences granted for the authorized account depend on the user's permissions, which are either stored locally or on the authentication server. The settings are defined by an administrator. For example, multifactor authentication – using a card plus keypad – has become commonplace for system logins and transactions within higher security environments.

Integrity: This ensures that digital information is uncorrupted and can only be accessed or modified by those authorized to do so. To maintain integrity, data must not be changed in transit; therefore, steps must be taken to ensure that data cannot be altered by an unauthorized person or program. Should data become corrupted, backups or redundancies must be available to restore the affected data to its correct state. Measures must also be taken to control the physical environment of networked terminals and servers because data consistency, accuracy and trustworthiness can also be threatened by environmental hazards such as heat, dust or electrical problems. Transmission media – such as cables and connectors – should also be protected to ensure that they cannot be tapped; and hardware and storage media must be protected from power surges, electrostatic discharges and magnetism.

Non-repudiation: This declares that a user cannot deny the authenticity of their signature on a document or the sending of a message that they originated. A digital signature – a mathematical technique used to validate the authenticity and integrity of a message, software or digital document – is used not only to ensure that a message or document has been electronically signed by the person, but also to ensure that a person cannot later deny that they furnished it, since a digital signature can only be created by one person.

How Access Control Encryption Works

A number is encrypted using an algorithm and a key, which generates ciphertext that can only be viewed in its original form if decrypted with the correct key. Today's encryption algorithms are divided into two categories: symmetric (private) and asymmetric (public). Most cryptographic processes use symmetric encryption to encrypt data transmissions but use asymmetric encryption to encrypt and exchange the secret key.

Symmetric encryption, or private key encryption, uses the same private key for both encryption and decryption. The risk here is that if either party loses the key or the key is intercepted, the system is broken and messages cannot be exchanged securely.

Asymmetric cryptography, also known as public key infrastructure (PKI), uses two different but mathematically linked keys – one key is private and the other is public. Either key can be used for encryption or decryption depending on the desired operation. When one key is used to encrypt, the related key can be used to decrypt. The public portion of the key can be made available for other users to eas-
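The hybrid pattern the article describes (a symmetric key for the data, an asymmetric key pair to wrap and exchange that key, and a digital signature so the sender cannot later deny the message) can be walked through end to end in a few dozen lines. The following is an added example written for this page, not code from the article, any vendor, or any product it mentions. It uses textbook RSA over small fixed primes (constructed values, chosen so the arithmetic stays visible) and a SHA-256-derived keystream, so it is a teaching toy rather than a usable cipher; the "door controller" and "access-control host" roles, the badge number and the room number are all invented for the demonstration.

```python
# Added example (not from the article): hybrid encryption plus a signature,
# modelled as an access-control host sending a command to a door controller.
# Toy RSA with small constructed primes; NOT a secure implementation.
import hashlib
import hmac
import secrets

E = 65537  # public exponent shared by both toy key pairs


def rsa_keypair(p, q):
    """Return ((e, n), (d, n)) for textbook RSA over primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(key, value):
    """Raise value to the key's exponent mod n (encrypt, decrypt or sign)."""
    k, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, k, n)


def keystream(session_key, length):
    """Expand the short symmetric session key into a pseudo-random stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(session_key, plaintext):
    """Symmetric part: the same key encrypts and decrypts. An HMAC tag is
    appended so any change to the ciphertext in transit is detected."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(session_key, len(plaintext))))
    tag = hmac.new(session_key, ct, hashlib.sha256).digest()
    return ct + tag


def sym_decrypt(session_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(session_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was altered")
    return bytes(a ^ b for a, b in zip(ct, keystream(session_key, len(ct))))


def sign(priv, message):
    """Non-repudiation: only the holder of the private key can produce this."""
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % priv[1]
    return rsa_apply(priv, h)


def verify(pub, message, signature):
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % pub[1]
    return rsa_apply(pub, signature) == h


def send(message, recipient_pub, sender_priv):
    """Sender side: fresh symmetric session key, wrapped with the recipient's
    public key; data encrypted symmetrically; plaintext hash signed."""
    key_int = secrets.randbits(32)          # fits under the ~40-bit toy modulus
    session_key = key_int.to_bytes(4, "big")
    wrapped_key = rsa_apply(recipient_pub, key_int)
    return wrapped_key, sym_encrypt(session_key, message), sign(sender_priv, message)


def receive(packet, recipient_priv, sender_pub):
    """Recipient side: unwrap the session key with the private key, decrypt,
    check integrity, then check the signature against the sender's public key."""
    wrapped_key, blob, signature = packet
    session_key = rsa_apply(recipient_priv, wrapped_key).to_bytes(4, "big")
    message = sym_decrypt(session_key, blob)
    if not verify(sender_pub, message, signature):
        raise ValueError("signature does not verify: sender cannot be confirmed")
    return message


# Constructed key pairs: the primes near one million are real primes,
# but moduli this small are for illustration only.
DOOR_PUB, DOOR_PRIV = rsa_keypair(1000003, 1000033)   # door controller
HOST_PUB, HOST_PRIV = rsa_keypair(1000037, 1000039)   # access-control host


def demo():
    """Host sends a constructed command; the door controller recovers it."""
    command = b"grant badge 4711 access to room 214"
    packet = send(command, DOOR_PUB, HOST_PRIV)
    return receive(packet, DOOR_PRIV, HOST_PUB)


def tamper_is_detected():
    """Flip one ciphertext byte in transit; the integrity check must reject it."""
    wrapped, blob, sig = send(b"unlock door 7", DOOR_PUB, HOST_PRIV)
    blob = bytes([blob[0] ^ 0x01]) + blob[1:]
    try:
        receive((wrapped, blob, sig), DOOR_PRIV, HOST_PUB)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("tamper detected:", tamper_is_detected())
```

Each of the article's three building blocks appears once: the HMAC tag is the integrity check, the signature over the plaintext hash is what gives non-repudiation, and the wrapped session key is the asymmetric exchange that lets the bulk data travel under a symmetric key. A real deployment would replace the toy RSA and keystream with a vetted library and key sizes, but the shape of the exchange is the same.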
