Chapter 10

Interior and Exterior Security Concerns

Goal: To offer students an overview of security concerns that could be either interior or exterior concerns, depending upon the type of facility, access control, and identify equipment routinely used.

Objectives: 

• Discuss the significance of doors, windows, locks and keys in maintaining adequate security.
• Discuss other operating mechanisms for access control.
• Identify and explain the various types of locking devices and surveillance equipment.

Lecture:

We are reminded that no efforts provide 100% security. For example, you install burglary-resistant glass. Despite what the sales brochure says,  it's not burglar proof; it can be damaged and with enough persistence, it or the wall it is installed in can be penetrated.  However,  it will discourage intrusion and, perhaps,  virtually eliminate "smash and grab" efforts. Since most attacks against locks are direct, forcible assaults, your cost will be money well spent. Doors are only as secure as their door frame. Key control is a monumental headache in security. Try to maintain control. One way to reduce the problem is through use of other operating mechanisms such as code and card-operated locks.

Let's dig into the subject a bit more. Let's start with some general stuff:

If a building is on the perimeter of the facility and there is a barrier, say a fence (in other words the fence and the building join as part of the perimeter barrier), the fence should come within at least two inches of the building.  Further, consider adding some height to the fence to make it harder to use the building as an aid to someone trying to scale the fence.

Windows and other openings in walls that are on the perimeter (or in critical buildings) that are greater than 96 square inches need to have grills on them.  (I am frankly not sure who came up with that 96 square inches but that's the rule of thumb.)

Windows in outside walls and in outside doors should have burglary-resistant glass.  There are products made with polycarbonates, with Mylar coating, Plexiglas, and some them have very strong fine wires sandwiched between sheets of glass.  Some of these are subject to yellowing and scratching, so shop wisely.  Work with your Facilities people.

Doors are often the weak point in the security system.  Doors should be of solid construction, perhaps metal, with heavy duty hardware.  They should have heavy duty mounting hardware (hinges, frame).  If the hinges are outside, the pins should be spot welded so an intruder can't just knock them out and open the door that way.   Doors can sometimes be defeated by spreading the door frame with a car jack or spreader bar made especially for burglary use.  Sometimes the lock bolt that secures two doors in the middle can be sawed through.  And sometimes the lock can be picked.  More on this later.  Doors also need emergency hardware on the inside.  Employees and customers need to be able to get out fast in an emergency. Again, work with Facilities, Safety, and the fire department to make sure you meet the code in your area.  (Remember, Security does not run the whole shebang!  Security has to coordinate with others in the business.)

What about locks?  Most locks are key operated.  All key operated locks can be picked!  Some just take longer than others.  Back in the 70's, before Watergate, I learned how to pick locks as part of my job.  I never got to be really good because I did not have the patience, but I knew some real masters at it.  What I did learn, though, is that there are locks that give pretty good protection from picking because they cause delay (one of the elements in a security program).  I also learned that probably most burglars don't pick locks.  They find another weakness, such as an unlocked door.  Here's some info on locks:

Warded locks are the simplest of locks.  They have no place in a security system.  Wards are obstructions inside the body of the lock.  The proper key as cuts in it that correspond to the wards.  This allows the key to turn and engage the bolt to lock or unlock the lock.  Ever heard of a "skeleton key"?  It's called that because it has many cuts (it is the "skeleton" of a key) and that enables it to by-pass most wards.  I used to use a specially bent piece of coat hanger to defeat these; a paperclip can defeat many small warded locks.

Next in the line is what is called a wafer or disc lock.  These used to be used a lot in cars.  Usually these locks offer relatively little security, though they are usually better than warded locks.  However, I have seen some very high security locks that use this principle.

Next is the pin tumbler lock.  These run the gamut from very poor security to high security.  Master Lock Co. used to advertise a padlock (by the way, it's "padlock" not "paddle lock."  I think that's a Utah word; I hear it all the time here ) they would shoot with a .38 pistol.  Big deal!  We used to pick those in under 10 seconds.  I'm not picking on (no pun intended!) Master, but I am trying to make the point that what the lock looks like on the outside is not any indication of how good it is.  Page 174 in the text shows a Medico lock.  It's pretty sophisticated.  It uses "mushroom" or "spool" tumblers and a "side bar" device to make picking hard (but not impossible).

On the top of the lock heap is the lever lock, often used in prisons and on safe deposit boxes.  These are generally quite hard to pick.

I'd like to point out here that picking is not usually used to defeat locks.  Usually forced entry is used.  Or, as noted above, the bad guy finds a door that has been left unlocked by carelessness or by an insider accomplice.

Most companies use pin tumbler locks, either built into doors or in padlocks.  For built-in locks, insist on case hardened bolts.  For padlocks, insist on case hardened shackles.  On padlocks, make sure the hasp and the staple (this is the hardware mounted on the door and the door frame) are fastened with "one way" screws (need a special tool to remove them) or, if on a metal door and doorway, are welded so they can't be easily removed.

In most businesses, where there are many locks, removable keyways are used.  This allows the lock core (the part that contains the pin tumblers) can be removed and a new core with new key combination can be installed.  It's easier and cheaper to do this than replace an entire lock when a key is lost.  Just remember that the "control key," or "core removal" key is controlled. 

What about master keys?   Master keys allow several locks to be opened with one key, yet allow the users of those locks to open only their own respective lock or locks.  It would allow, say, a set of offices to be opened by the Security, using one key (the "master"), yet each person could open only his or her office with his or her separate key.  There are problems with master keying, though.  Each level of mastering is done by adding what are called "splits" in the lock tumbler cylinders.  This makes a mastered lock theoretically easier to pick.  Also, you must make sure master keys are secured.  If you lose one, it may require that all locks it will open will need to be re-keyed.  This is very expensive.

Who handles all this key and lock stuff?  Usually, in a large company, Security does it.  Most large lock companies will provide training and software for managing the keys and locks.  Of course, this usually costs money but it's money well spent.  In small companies, keys and locks may be maintained by the plant maintenance department or the company may hire a bonded locksmith.  The important point here is that the locks and keys must always be accounted for.  There should be a central location that tells who has what keys and to what buildings.  When people leave their keys need to be recovered as part of the out-processing procedure.  Spot inventories should be done; Security stops by an office and looks at the keys an employee may have and compares that list with the central file.  Inconsistencies must be cleared up.

What about marking the keys "do not duplicate"?  That will usually work with real locksmiths, who subscribe to a code of ethics.  It may or may not have any impact on the key duplicator at the local supermarket.  That person is not a locksmith and may not care.  In most states, duplicating a key that says "do not duplicate" is not a criminal act.  I still recommend you use the marking, though, as it may be a deterrent.

What about the bad guy making an impression of the key in, say, a bar of soap?  I supposed it could be done but I think it's more the stuff of movies.  However, locksmiths know how to duplicate a key by a method called "impressioning."  It uses a special tool that is something like a pair of pliers and usually soot from a candle.  The soot is used coat a key blank which is then inserted into the lock.  The pins make marks in the soot and that shows the locksmith where to make the "cuts."  It's a process that takes real skill and time.  It's not much of a threat, though, from a common burglar, who will more likely find an open window or just use force to enter.

Before we get off of locks, here are a few other points I'd like to make:

Doors that are opened by card readers usually use a very strong electromagnet rather than a bolt to keep them locked.  These magnets exert thousands of pounds of pressure and release only when the proper entry card is used or the panic hardware is activated.

Combination locks: these are generally "pick proof" because there is no key way.  However, they can be defeated by skilled persons who know how to manipulate them.  This takes time and real skill.  Combination locks can be found in padlocks that range from cheap and flimsy to expensive and substantial.  It's too complicated to go into in this course and by internet, but combination locks use probability rules to determine their relative security.  Let's say a combination lock has the combination 13 - 78 - 42.  And there are 100 numbers on the dial: 0 to 99.  The three numbers tell me that there are three "discs" or "wheels" inside the lock.  I can tell you that the number of possible combinations for opening that lock is determined by the number or numbers on the dial (100 in this case) raised to the power equal to the number of discs.  So, in this case, we'd have 100 to the third power or 100³ or 100 X 100 X 100 = 1,000,000.  One million possible combinations in that lock!  The "safe cracker" does not sandpaper his fingertips or listen with a stethoscope.  (In the old days that might have been possible, but not now.)  Rather, he uses a way to methodically try each possible combination.  It does take time and it does require patience and skill.  There is a method but this is not Safecracking 2110 so I'll move on.

There are now electronic combination locks. They look very much like the old combination locks but they use electronics, which are more accurate and probably more secure. The government is now requiring these locks in safes that are used for storing classified information. But here's what you need to know about combination locks:

The good ones allow you to change the combination.  Never leave it on the "factory combination" when you put it into use.  Never use birthdays or anniversaries for the number.  Burglars can find those out and they'll try them first.

Never write the combination down (except when you can secure that piece of paper in another safe whose number has not been written down).  Don't put in in the dictionary on the page where the words "combination" or "safe" are defined.  Burglars know that trick, too.

In the beginning of this lecture, I mentioned code or card-operated locks.  Code locks are really combination locks.  They have push buttons.  Some are mechanical; others are electrical.  You see these at airports and the aircraft pilots and crews use them to get to the flight line.  The best electrical ones actually scramble the order of the numbers so the number 1 , for example, is not always at the top left of the key pad.  This helps defeat a criminal who sits off the the side and watches the pattern of the keys being punched.

Card reader locks use cards that are inserted into a reader or can be read from a short distance away.  (The ones that can be read from a short distance way are called "proximity cards.")  Our text discusses some of the card reader technology on page 178. (By the way, there is an error on page 178: the authors mention "Wiegan Effect" cards.  It's actually "Wiegand Effect." Almost all of these systems keep a very accurate audit trail of whose card was used at what date and time, down to the second.  Most allow setting time delays to prevent "piggybacking."  In piggybacking, I go through with my card and then hand it back so you can use it.  In anti-piggybacking ( also called "anti-pass back")  my card won't work again for 15 minutes or so, or, even better, it won't work until I exit.

There are also biometric systems.  Since 9-11, these have been in the press.  Some read your fingerprint or handwriting or maybe your retinal pattern.  Some use weight and other measurable body features.  All these are quite sophisticated and expensive.  Some also raise privacy or other concerns.  For example, some people may object to having their eye scanned; they may fear laser damage.

There's a bit more discussion of locking devices on pages 183 and 184.  Read that.

Now we need to talk a bit about roofs and walls.  On roofs, you need to make sure that things like skylights and utility openings don't create vulnerabilities.  Consider grilles and alarm protection.  As for walls, if your business shares walls with another business, make sure those walls are as strong or stronger than your other walls.

The rest of this chapter discusses surveillance devices.  these can range from old-fashioned film cameras that snap a photo maybe every 10 or 20 minutes, to motion picture (film) cameras to state-of-the-art digital video cameras that can record and recover days of activity.  There are new cameras that operate in very, very low light (so-called starlight cameras).  Years ago in Europe, I participated in a test of cameras that detected thermal energy.  We could see where an "intruder" leaned his hand on a tree at night.  We could see the thermal outline of his hand on the tree for a minute or so after he left that area.  But it was a very complicated system to operate and it was very noisy.  (It used a compressor to keep certain elements of the system cool.)  I'm sure that today there are better systems.

There are cameras that use tiny laparoscopic lenses and fiber optics ("pin hole" cameras) to surreptitiously provide surveillance.  Of curse, if you use these in your business, make sure that your management is OK with them.  And, you usually can't use them in rest rooms, changing rooms, etc., where people expect privacy.

 What about fake cameras?  I don't recommend them, especially if all you have is fake ones.  Sooner or later you'll be found out.

There are also audio surveillance devices that record sound and there are surveillance devices that detect motion.  We'll talk about some of these in later lectures.

Surveillance devices, especially of the visual kind, require planning considerations.  For example, you need to consider lighting or lack thereof.  You can actually have too much light.  Or, you can have a great camera set up that is completely useless when the sun comes up and shines right into the lens.  You are blinded!  I was at a place once that had what looked like a really sophisticated CCTV (closed circuit TV) system.  There were banks of monitors in the Security Headquarters and it looked like every gate, door, and sensitive area was being watched constantly.  The fact was, the one officer on duty there hardly ever had time to look at the monitors.  And at night, less than half could "see" in the existing light.  In short, the system was worthless.  The lesson: you need good planning and it needs to be based on a good survey of the facility.

You can read more on this subject in Chapter 10 of the text.  You'll also read about CPTED (pronounced SEP-TED).  Read about it on page 189.

Assignment: answer question 2 on page 191.

Tired? I am, too! This was a long lecture and assignment.  Let's call it a night.