Basic Alarm System Best Practices

An intrusion detection system (IDS) system should be an integral part of your home security plan. IDSs are detective security measures that also have a great deal of deterring value. Alarms are far more complicated than most people realize, however. To provide the maximum intended effectiveness, alarms must be carefully installed, tested, and used. These alarm system best practices will help you assess your own system or provide some guidance if having a new one installed.

Alarm system best practices
Alarm system panels should not be visible from the exterior of the home where an attacker can tell if the system is armed or not.   This is one of the most basic alarm system best practices.
  1. Sensors. Sensors are obviously an important part of an alarm system. Sensors detect a change in state (open/closed, motion/no motion, etc.). There are two basic categories of sensors: point and volumetric. Point sensors are those sensors that monitor a specific point like a single door or window. Best practices for point sensors are simple: each door and window should be equipped with a point sensor, even on the second floor. A point sensor on a door should not allow it to open more than its own width without violating the sensor. Windows should not be able to be opened more than four inches without violating their sensors.

Volumetric sensors monitor an area rather than a single point. The passive infrared (PIR) motion sensors used in most residential applications fall into this category.  So do sonic glass-break sensors. Best practices for volumetric sensors are: cover all large spaces (including attached garages), areas with multiple entry points, and any access to stairs. Volumetric motion sensors should be equipped with masking detection (the sensor alarms if something is placed in front of it to blocks its field of “view”). Volumetric sensors should also have anti-tamper switches that alarm when the cover of the sensor is removed, or the sensor itself is removed from the wall. Finally, the LEDs on volumetric sensors should be turned OFF. Though these LEDs give you confidence that your system is on and working, they also allow anyone with access to “walk test” your sensors and locate any dead areas in the coverage.

Sensors may be hardwired into your system (actual wires running between the sensor and control unit) or they may be wireless. While I generally prefer hardwired sensors to wireless ones, wireless sensors are much easier and more inexpensive to install post-construction. Wireless sensors have the disadvantage of being battery powered, and their signals may be detected and interered with. If I were building a new home I would hardwire all of my sensors, but practicality usually dictates a few wireless sensors when upgrading an existing system.

  1. Keypad. Control of the alarm panel keypad is, unsurprisingly, very important. Your alarm panel should be in a location that does not allow visual access from outside the home. This can allow an intruder to tell whether your alarm is armed or not (a bad situation if the alarm is unarmed). It also allows someone to see the make and model of alarm panel you have, potentially allowing them to research vulnerabilities such as default codes for the panel. Finally, though unlikely an intruder could potentially observe you inputting your code. If your alarm panel has a covered keypad, the cover should always remain closed. Otherwise it may be possible to observe wear patterns or dirt on the keys that could indicate which numbers are in the code, significantly narrowing down the possibilities.
  1. Codes: Your alarm system should allow at least two types of code: a standard use code (the code you use every day to arm and disarm your system) and a duress code. Duress codes are one of the most commonly overlooked alarm system best practices.  A duress code is a code that you can use under duress, i.e. if an intruder forces you to disarm your system.   The duress code should alert the alarm monitoring station that you are under in an in-extremis situation.  The monitoring agency should immediately dispatch law enforcement without even a phone call to you; everything should appear perfectly normal to the intruder.

Monitored alarm systems will also typically have a phone password that the operator will request when calling you after your system goes into alarm. Unlike a password this should be a pronounceable word that you can easily remember but it should not be something that is personally relatable to or easily researchable about you. Both of these codes and the phone password should be well known to all of your family members. They should be treated as secret and protected exactly like other PINs, passwords, and codes. They should also be changed immediately if you experience a change in situation, such as a roommate or romantic partner moving out; otherwise they should be changed every year or so.

  1. Arming and Disarming. If you have an alarm system you should use it, even when you are home (it is surprising how many people pay for an alarm system and arm it only rarely). There are two basic modes that most alarm systems can be set to: stay and away.   When the alarm is in Stay mode all of the point sensors will generally be active but interior motion sensors will be inactive. In this mode the system should be set to go into alarm instantly violation of a sensor; otherwise an attacker has 30-60 seconds to force you to disarm the system before it goes into alarm (in which case you should use your duress code).  Away mode activates both the point sensors and all volumetric sensors. The away mode should be armed each time you leave the home. If you have large pets you should test your system to ensure you pets will not violate the volumetric sensors.
  1. Communication Pathways and Monitoring: Communication pathways are methods used by the panel to communicate with the monitoring station. There are several types of communication pathways including standard and digital telephone lines, cellular, and TCP/IP (Internet). The best practice is to have redundant communication pathways. In most residential applications this would be a physical telephone line and a cellular connection. Each has its advantages, and if you can only have one I recommend a cellular communicator as physical lines are fairly easy to find and cut.  To ensure your alarm is working and communicating properly you should test it monthly. Be sure to call the alarm company before initiating a test so they can verify receipt of the alarm signal without dispatching emergency personnel.
  1. Power. An alarm system requires power to operate and a power interruption not disable your system. A good alarm will be equipped a backup battery; the best practice for the battery is to ensure that it will power your alarm for a minimum of 24 hours. Seventy-two would be even better, ensuring you would be covered in the event of all but the longest outages.
  1. Account Management. You must manage your alarm’s account (pay your bill) and most companies offer the standard options, mail and/or an online account. Management of you alarm’s account is very important. An attacker with access to your bill can learn important information about your system or potentially even cancel your monitoring service. If you receive your statements by mail I highly recommend sending them to your P.O. Box.  I have written before about the privacy and security benefits of a P.O. Box; in this instance it makes it much more difficult for the attacker to access your statement. If you choose to set up online account management you can opt out of paper statements (totally eliminating that vulnerability). However, you must ensure that you protect the account with a good, strong password and any other steps you can take to harden the account.

It is important to understand what an alarm can and cannot do for your security, even when you employ alarm system best practices. An alarm can be a deterrent to attackers in Level I and give pause to attackers in Levels II and II (assuming they don’t know the arm/disarm code). Just as importantly, and alarm is a detective control that will let you (and others) know if an entry is attempted against your home.  It will also alert responders, limiting the time the attacker may spend there. It is important to understand, however, that an alarm is a reactive control and does not make your home any more difficult to enter if the attacker isn’t concerned about alerting others. Even so an alarm is one more very solid layer in a layered defense, provided you use these alarm system best practices.

Attacks and Attackers, Categorized

Types of Attacks, Types of Attackers

In previous posts I have referenced two different types of attacks: opportunistic and focused. These categories apply to attacks of all kinds, physical and digital, an understanding them is important to fully understanding how to defend against them. This post will attempt to define these two types of attack and the attackers that may carry out each.  Please note that these are my own definitions and should not be considered “official”.

Types of Attacks

The types of attacks one may face fall into one of the following two categories: opportunistic and focused or targeted. These two descriptions exist on far ends of the spectrum; every attack will fall somewhere between the two.

The Opportunistic Attack: This type of attack is most common, and is not directed at you personally. Though it may feel extremely personal, especially if the attack is violent in nature, the attack is merely one of opportunity. I considered also categorizing the opportunistic attack as “random”. This attack is not truly random, however. The attacker has made an assessment (perhaps an extremely inaccurate one, perhaps not) that you or your belongings are vulnerable and upon this assessment has made a decision to attack. We can almost entirely avoid this type of attack by being a hard target. Doing so will encourage the opportunistic attacker to move on to a softer target.

The Focused/Targeted Attack: This type of attack is carried out specifically against you and is much more difficult to defend against. The focused/targeted attack will be characterized by a lengthy planning and reconnaissance period, during which time you may be under surveillance, have your perimeter probed, and test runs may occur. The true danger with a focused attack is the willingness of the attacker to adapt his or her methodology to bypass your countermeasures. The best defense against a focused, targeted attack is vigilance and a comprehensive defense-in-depth.

Attacks and Attackers

Types of Attackers

Attackers themselves are slightly more nuanced. Categorizing attackers requires attention to two specific attributes: skill level and focus (how interested the attacker is in you specifically). The combination of the two will vary, and will define the attack. The least capable attackers will lack both skill and focus, while the most capable will have ample levels of both.

Level I: An attacker at this level will possess minimal skill, minimal knowledge of his or her target, and little to no focus on a specific target. Examples of this attacker include the kid who is sniffing unsecured Wi-Fi hotspots, the guy who hopes to shoulder-surf your PIN at the ATM, or the smash-and-grab thief who notices there is no car in your driveway and all your lights are off. Defeating this category of attacker is relatively easy: make yourself a hard target by using common sense security measures. An attack by a person at this level will be an opportunistic attack.

Level II: A Level II attacker will possess either some degree of skill or some personal knowledge of you. Examples include an accomplished, skilled burglar who has cased your home or an ex-boyfriend/girlfriend who is out for revenge and has personal knowledge of you but little skill. An attack originating from someone in this category has a higher likelihood of success than an attack from a Level I attacker, and may be opportunistic or targeted/focused. Further, an attacker in this category may be easily dissuaded when encountering a significant obstacle.

Level III: Level III attackers are characterized by a combination of a decent skill level and either personal knowledge of you or the skill and patience to acquire that knowledge. Examples of this type of attacker include professional criminals, serial killers, hackers, and con men. Encounters with individuals in this category are relatively rare but the consequences are potentially dire. An attack by an individual in this category may be opportunistic or targeted, but his or her methodology will be more sophisticated. Deterring or defeating someone in this category requires much more work than Levels I and II. Upgraded security measures, constant adherence to best practices, and situational awareness are the best defense against an attacker in this category.

Level IV: Level IV attackers are known in the information security community as “advanced persistent threats”. Governments fall into this category, as do hacker groups like Anonymous and other extremely sophisticated adversaries who are specifically targeting a specific individual. The attacks perpetrated by these types are not opportunistic; they are targeting you for a specific reason. Perhaps you have angered someone, you are perceived as threat to them, or you are the subject of an investigation. An advanced persistent threat will be characterized by intense focus, extremely sophisticated techniques, the time to conduct a thorough reconnaissance, and the ability to adapt to defeat your countermeasures. The chances of facing a Level IV attacker are very small, and the chances of an Level IV attacker succeeding increase steadily over time.

The higher the level of the attacker and the more the attack trends toward targeted focus, more finesse can be expected to be employed, and time is on the side of the attacker. Unless he or she is strictly opportunistic the attacker has the luxury of time; time to probe your perimeter, learn from mistakes, and try again another day. At this point defenses become somewhat less about preventing the attack and more about making the attacker’s job more difficult and detecting his presence before, during, or after the attack.

Secure Your Physical Perimeter Part II: Protect Your Keys

Few among us give any thought to protecting our keys.  While most would recoil at the idea of giving our keys to a stranger, we hand them to valets without a second thought, leave them lying around the office, wear them visibly from belt loops, and even post pictures of them on the Internet.  A key contains a certain code that is unique to your lock, “secret” information that allows your key to open your lock and only your lock.  This information should be protected.  Leaving keys in plain sight (or worse, allowing physical access by untrusted persons) allows an attacker the opportunity to capture the information necessary to copy your key.

The Threat

First, it is important to understand the three pieces of information necessary to generate a key.  They are the key profile, the number of cuts, and the depths of each cut.  All of this information is available from the lock itself by a sufficiently skilled attacker, but the information is much more easily acquired from the key.

The key profile is the shape of the keyway into which the key is inserted.  This information is important because it dictates which key blank must be used to generate a key for that lock; if the key cannot fit into the keyway, it will not operate the lock.  There are several ways the key profile may be obtained.  First, it may simply be stamped on the key bow (the portion of the key used for turning) in the form of a code (e.g. “KW1” in the accompanying photo).  If it is not stamped it is usually fairly easy for an attacker to make an educated guess.  The photo below depicts a Kwikset key alongside the keys for three aftermarket locks.  Each of these locks utilize Kwikset specifications and the bows of each are a similar shape.  An attacker seeing a key bow of this shape could be reasonably certain of the keyway and the necessary blank (KW1).

Protect Your Keys
These keys are all instantly recognizable by their bows as using the Kwikset key profile and keying specifications, even though only one is a true Kwikset-brand key.

Once the key profile has been ascertained, an attacker must determine the number of cuts.  The attacker can make an intelligent guess as the vast majority of locks (at least in the US) adhere to the following protocol: residential locks usually have five pins while commercial locks are generally more likely to have six.  The attacker doesn’t have to leave this to guesswork, however.  The cuts on keys are what we generally misunderstand because we usually have no idea what we are looking at.  The important information in a key is the flat cut beds (the “valleys”) on the key.  Each valley is where a pin will sit when the key is fully inserted into the lock.  Simply counting the cut beds in the key will yield the number of cuts.  In some cases referencing manufacturer’s specifications can also be helpful; some manufacturers may offer certain locks in only five- or six-pin configurations.  Referencing manufacturer’s specifications can also help us with the last step, determining the depth of each cut.

The key profile and number of cuts are not considered the “secret” information in the key.  The unique combination of cut depths is, however, and this information is what makes your key different from those of your neighbors’.  This is the information that gives your key its unique code and as stated early in this article, allows it to open your lock while preventing it from opening others.  The cut depths are described in what is called a key code.  In Kwikset locks, for instance, a “1” cut will be the shallowest possible cut and a “6” will be the deepest possible cut according to manufacturer cut specifications.  There are several ways that an attacker may acquire the key code; obtaining a direct code, “sight-reading”, or measuring the key.  Once the key code has been obtained, this information can be input into a key machine to produce a working key.

Obtaining a direct code is by far the easiest method of obtaining a key code.  On OEM (factory) keys, this code is frequently stamped on the bow of the key.  The direct code consists of a five- or six-digit number, each correlating directly to a cut position and the depth of cut in that position.  The key in the photo below gives up all its secrets at a glance.  The shape of the bow is indicative that the key uses a KW1 key profile.  Secondly, there is a direct code stamped on the bow, the numbers “36645”.  This gives us the number of cuts (5) and the depth of each cut—everything we need to cut an operating key for the lock.

Protect Your Keys
A direct code on a key. The numbers on the bow correlate directly to the depth of the cuts on the blade.

If an attacker is sufficiently familiar with the system, he may not even need to see a direct code.  He can compare the cuts and make a reasonable determination of the depth of each, a technique called “sight reading”.  It is this technique that is perhaps the most dangerous because all it requires is a quick look at your keys (or worse yet, a photo).  Finally, if an attacker has physical access to your keys he can measure the depth of each cut with any number of tools (including a caliper, a key-measuring gauge, or specially-cut “depth and space” keys).

 

The Patch

There are some simple measures you can take to prevent key-duplication attacks.

  • Keep your keys out of sight. Keep them in a pocket, a purse, or use a pouch that keeps them covered, and never, ever post pictures of you keys online!!!  Likewise, don’t leave your keys unattended; all too often I see people leave their keys lying on their desks, etc.
  • When giving keys to a valet, mechanic, or anyone else who requires your car key, only give them the car key. There is no need to give out your house key, mailbox key, and office key to someone who only needs access to the car.  Additionally, some cars offer mechanical keys that are designated as valet keys which are specially cut to operate the door and ignition, but not storage compartments such as the glove box and trunk.  If your car has one, use it.
  • When giving keys to service personnel who require repeated access to your home such as dog-walkers, babysitters, cleaners, etc., inquire about their company’s policy regarding keys. Look for a service provider that has a policy offering rekeying of your locks if they lose your key.
  • Never leave a key hidden outside your home. If someone finds the key he or she may simply steal it.  Theft is the best case scenario because you know it is gone the first time you look for it (though this may be weeks or months later) and can change your locks.  The worst-case scenario is the attacker duplicating your key and replacing it; now, not only does the attacker have a key, but you have no idea that he does.
  • Have your keys cut on “neuter-bow” blanks. These are blanks that have a non-descript bow that does not bear the key profile code, does not have a distinctive shape that could reveal information, and is certainly not stamped with a direct code.  Further, most neuter-bow keys also bear the warning, “Do Not Duplicate” which may provide a very small measure of protection against unauthorized duplication (don’t let this give you a false sense of security about passing out your keys; many locksmiths and retail locations will still provide duplicates of so-called DND keys).
Protect Your Keys
Two keys, one cut on a standard Schlage-pattern bow, and one cut on a neuter bow.
  • Purchase and install UL-listed high security locks. Most high-security keys have unique, novel mechanisms that are very difficult to copy.  They are also usually patented and the key blanks are only available to authorized dealers.  Further, to have a duplicate made, a special key duplication card is often required along with a photo ID.  Finally, some high security mechanisms have a moveable element within the key.  If this element (specifics vary) cannot or does not move it simply will not operate the lock.  Because this type of key is so complex there is very little chance of an attacker manufacturing an improvised blank upon which he can copy your key.

Real World Example

A recent news item highlights this danger.  The Washington Post published a story about the TSA, and in it included a photograph of a set of TSA luggage keys.  These keys are a declared backdoor in TSA-approved locks, allowing officers to inspect bags but, theoretically, keeping the bag secured from everyone else.  The posting of the photo became a story itself because of the easy ability to reproduce keys from a photograph, as we will discuss below.  The photograph of the keys not longer appears on the Washington Post, but very good photos are available here, here, and here.

The next post in the Secure Your Physical Perimeter series will cover some steps you can take to increase the physical security of your locks.

The Privacy and Security Benefits of a P.O. Box or CMRA

As a privacy advocate I am constantly surprised at the number of people who freely give out their home address without a second thought.  It shocks me endlessly that people will give over their actual, physical home address in exchange for slight discounts on groceries, when creating accounts for online services of all types, to have a miniscule chance of winning a new car, etc.  I would never dream of giving out my true home address for any of these reasons, and I always take pains to avoid it for reasons that are much more serious than these.

IMG_2104

Regardless of this and the fact that much of we all still need to receive mail.  Receiving this mail at home opens you up to a number of vulnerabilities including:

Mail Theft:  Mail theft still happens and it recently happened to one of my clients.  Some of her checks were stolen and forged for cash.  To conceal the crime the thief (who knew where she lived because her address was on her checks) stole her bank statements from her mailbox.  She did not know she had been the victim of a crime for several months.  I am continually surprised at the vast numbers of people who are content to let bank statements, pre-approved credit card offers, utility bills, and other very sensitive items be left in an unsecured mailbox for hours or days at a time.  The theft of such personal information could lead to identity theft, credit fraud, and other crimes.

Much of this threat can be alleviated by going paperless where possible.  Just ensure that you are securing your online accounts with unpredictable usernames, good, strong passwords, and two-factor authentication.

Social Engineering:  A quick glance at mere junk mail from your mailbox can reveal your name and the names of your family members and roommates.  This information can be used to launch a social engineering attack against you.  How would you react if someone appeared at your door and seemed to know the names of all the members of the household?  An attacker could use this information to convince you (or your children) that he or she is a trusted figure.  This information could be used in a variety of imaginative ways to manipulate you or your family.

Data Marketing:  Though the threats of mail theft and social engineering are relatively rare ones, the possibility of your name being associated to your home address through the mail you receive is all but guaranteed.  When you order a package from an online retailer your name and address is added to their database and will eventually be sold to data marketers.  Then Fedex, UPS, and yes, even the US Postal Service will collect this same name and address data and sell it to data marketers yet again.  The end result of this, in addition to tons of junk mail, is that your home address and name are in numerous databases, many of which are available on open-source internet sites.

THE BENEFITS

Using a post office box or commercial mail receiving agency (CMRA)(such as Fedex or UPS stores) you can be reasonably assured that your mail is secure.  It is stored behind lock and key until you come get it, and many such facilities have security cameras. This does not mean that a very determined adversary could not access it, but it is still much safer than it is in an open mailbox on your street.

There are some additional benefits to using a CMRA that are not offered by the U.S. Postal Service, and CMRAs are subject to the same strict security standards as the U.S. Postal Service.  For example, they cannot give your mail to anyone who has not been added to the mailbox and who does not present a photo ID.

Package Delivery:  If you are expecting a package it is much a CMRA it can be received and held by a CMRA.  In contrast Fedex and UPS will not deliver to Post Office boxes.  If a signature is required for the package a representative from the store will sign for it, as well, preventing you from missing an important delivery, and preventing packages from sitting unattended on you front porch.

Street Address:  Rather than having to give out a P.O. Box, with a CMRA you will be given a street address and box number.  Though you cannot use a CMRA as your home address for official records like drivers’ licenses (because they are flagged as commercial facilities), you can give this address out to many parties without it being obvious it is a mail receiving agency.  You can further obscure the nature of your address by adding “Apt” or “Suite” in front of the box number; you mail will still find you, but the address will appear to be a residential or business address.

Using a P.O. Box or a CMRA will make you neither invisible nor anonymous.  But if you have taken steps to obscure you home address to prevent identity theft, stalking, or other threats against you, using one will help prevent your name from being associated with your physical location.  You can make this pay off even more by getting a mailbox in another city or town.  For example, when I had a “normal” job and commuted, my CMRA mailbox was in the town in which I worked, which was roughly 30 miles from my home.  I created quite a trail of information to that mailbox, but it was far enough away from my home that I didn’t lose any sleep over it.