Community

Zero Trust

The term “zero trust” was coined to describe a security model built on the principle of “never trust, always verify.” Over the last 15 years, IT professionals have adopted this model: no user or device is trusted by default, even when it is already inside the network perimeter. Every access request is authenticated and authorized before it is granted.


Replacing Low Assurance Credentials

Are you issuing low assurance credentials in a high assurance access control environment? Examples of low assurance credentials are low security access cards such as Prox, iCLASS, SEOS and MIFARE Classic/DESFire. What do you do for students, interns and short-term employees who may only be on-site for 90 days but will not receive their PIV card until near the end of their stay? What about long-term contractors or employees who are not eligible for a PIV card? Visitor badges are intended for short-term use, but we know facilities are making exceptions, and by doing so they take on a significant security risk. Instead of accepting that risk, you can issue all of those people a high assurance credential that is controlled within your own environment.


HID “Keys to the kingdom” exposed at DEFCON 32

At the recent DEFCON 32 convention in Las Vegas, an interesting presentation (High Intensity Deconstruction: Chronicles of a Cryptographic Heist) was made outlining an approach to “stealing” the keys from certain HID encoders for the iCLASS SE platform. While much of the talk goes way over my head, it seems like the standard keys for iCLASS SE and SEOS are vulnerable to the approach outlined.


Physical and Logical Convergence through Design

The Cybersecurity and Infrastructure Security Agency (CISA) released guidance on convergence for federal agencies in 2019. Physical security and IT departments are increasingly recognizing the reality of converged threats. The traditional separation between these two domains has often led to vulnerabilities being managed in isolation, each of which may seem manageable on its own. When a malicious attack or a simple oversight bridges that gap, however, the risk escalates dramatically.


NIST Revises SP 800-73 and SP 800-78

Next month marks the 20th anniversary of President Bush signing Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004. The directive transformed identity management for federal employees and introduced the Personal Identity Verification (PIV) credential. Soon afterward, NIST published FIPS 201-1 to meet the security and interoperability goals of HSPD-12.
