Security Review: Access to our IMA Building

Summary:For this security review, I have chosen to evaluate our very own IMA (Intramural Activities) Building which I am a somewhat frequent visitor to.  The security concepts for the IMA are rather simple: let only those who are authorized into the building since it is a members-only facility.  Enrolled students, current or retired faculty, and the spouses of the members are some of the people eligible for a membership with a quarterly fee.  An employee sits in the lobby and swipes cards as members walk in via a forced path.  The exits are in the same area; a series of mini-doors (maybe 3 feet in height) that open when pushed only from the inside.  Additionally, there are usually about 2-3 employees, sometimes including the IMA manager, that sit facing the lobby (the entrance/exit area).  There are additional doors at the building but are designed to be exit-only in case of an emergency (it claims that opening them would sound the fire-alarm). Assets/Security Goals- The obvious asset is the access to the facility.  They want to only let those with a membership into the building.- A more subtle asset is the image of the IMA in the eyes of the members.  Members would be irritated if they knew that anybody could easily sneak in and therefore impose a hidden cost to the members (over-crowdedness, facility maintenance fees that depend on number of people that use the facilities, etc.). Potential Adversaries/Threats- Non-members that want to sneak into the building.- The disgruntled employee.  If they’re working as the card-swiper they could simply assist anyone by pretending to swipe the card and allow them to walk in.  Weaknesses- The fact that the card-swipe employees don’t check the picture ID’s too closely.  Any group of 3 or more people can have 2 people go in, have one of them bring back the other’s id card, give it to the person waiting out front (the non-member) and walk back in using the 2 id cards.  I think this is a good example of the security being as good as only the weakest link, as I believe the facility is otherwise well-designed for preventing unauthorized access.- The sheer number of people that are always coming and going which limits the effort/time/money the IMA is willing to spend on authorizing members.  Potential Defenses- To prevent an attack of the sort of attack I described above, the card-swipe machine could be implemented in such a way that keeps track of when the last access time was for the given card.  They could then raise a red flag and check the id card picture more carefully if the card is being used again within a very short time.- The IMA can adopt a random check mechanism that would sample random people as they walk in and have them present another ID or the like. Risk Analysis:To begin, the value of the assets that the IMA is protecting is not the smallest in the world, but it is rather small.  Each unauthorized access is a small dent divided amongst all of the members of the IMA.  The probabilities of the threats and vulnerabilities are moderately small as well.  There’s a good deterrent in the way the building’s entrances/exits are designed and of how 3-4 employees face the only “real” authorized entrance into the building making it difficult for those without an id card. Conclusions:I feel that the security of the access to the IMA is rather good (for what it’s worth), though, I do feel that improvements can be made by adding the last-use time for each of the id cards as I described above.