Purpose of Testing Access Control Systems

Access control systems, like any other technology, should work as designed. Unfortunately, like other security systems, access control systems are constantly under surveillance and attack. Access control systems are tempting targets because they provide the “keys to the kingdom,” literally and figuratively. An attacker who gains control of the access control system can leverage that access to gain entry to any other system in the enterprise. Frequent testing of access control systems ensures that weaknesses are found and can be dealt with before they are exploited.

There is no one correct way to test an access control system. Instead, a solid test should incorporate testing methodologies at different stages of development, for example:

  • Software design
  • Hardware development
  • Penetration testing

Each of these areas has a place in the design of a good access control system, and should be used in the testing of access control systems. Most access control systems have some software component, which must be tested as rigorously as any other critical piece of software. You will read more about software testing in the next section.

In most cases, you will want to perform your own testing of the implementation of an access control system to ensure that you’ve deployed it properly, but you also want assurance that the access control system itself functions as designed. It would be cost-prohibitive to rigorously test the functioning of an access control system on your own, so you should rely on third-party assurance testing. The Common Criteria is a set of standards for providing this type of assurance.

Every access control system has a hardware component. Username and password combinations for a secured website depend on access control servers and the underlying networks. Biometric access controls require scanners or other input devices. A simple locked door is a strictly hardware-based solution. Even human security guards use surveillance cameras to keep an eye on things. Because hardware is such an integral part of access controls, it makes sense to test it thoroughly.

Any good hardware test should pay attention to both normal and boundary conditions. Boundary conditions are the outermost extremes of test environments. For example, you might test a surveillance camera under normal conditions—a clear, sunny day—but you would also test it at night, during an electrical storm, and during a power outage. The first test will assure you that the equipment is not defective, whereas the boundary tests will let you know how it will perform during extreme situations. An attacker is not likely to strike on a sunny afternoon. Instead, he or she will choose circumstances that provide cover, such as darkness or stormy weather, or will attempt to create cover by cutting off power to surveillance cameras.
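The following added example is not from the original text. It runs a simulated door controller through one normal and three boundary conditions, and shows that a controller set to release on failure passes the normal test and is exposed only at the boundaries. The controller model, the names `Condition`, `door_unlocks` and `run_matrix`, and the `fail_secure` setting are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    """One test environment for the hypothetical door controller."""
    name: str
    mains_power: bool     # building power present
    battery_ok: bool      # backup battery charged
    auth_server_up: bool  # controller can reach the credential server

# Constructed test matrix: one normal case plus three boundary cases.
CONDITIONS = [
    Condition("normal", True, True, True),
    Condition("mains out, battery ok", False, True, True),
    Condition("mains out, battery dead", False, False, True),
    Condition("auth server unreachable", True, True, False),
]

def door_unlocks(cond, badge_valid, fail_secure):
    """Simulated controller decision: True if the door unlocks."""
    powered = cond.mains_power or cond.battery_ok
    if not powered:
        # Unpowered lock: fail-secure stays locked, otherwise it releases.
        return not fail_secure
    if not cond.auth_server_up:
        # Badge cannot be verified: deny when fail-secure, otherwise allow.
        return not fail_secure
    return badge_valid

def run_matrix(fail_secure):
    """Return the names of conditions where an invalid badge opens the door."""
    return [
        cond.name
        for cond in CONDITIONS
        if door_unlocks(cond, badge_valid=False, fail_secure=fail_secure)
    ]

if __name__ == "__main__":
    for setting in (True, False):
        print(f"fail_secure={setting}: invalid badge admitted under",
              run_matrix(setting) or "no condition")
```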

Penetration testing is the act of simulating an attack on an organization’s resources. Penetration testers use a variety of methods, including social engineering, software hacking, and physical intrusion. You will read more about penetration testing later in this chapter.
