SMotW #7: Logical vs physical access discrepancies
Security Metric of the Week #7: Discrepancies between physical location and logical access location
Correlating records (log entries) between physical and logical access control systems will often reveal curious discrepancies, such as someone logging in remotely (e.g. from home, a remote office or via the Interweb) whereas their staff pass has recently been used to access the office locally. Did they shoot home from the office, without swiping their pass on exit? Have they loaned their staff pass or login credentials to someone? Has someone duplicated their staff pass or hacked their network credentials? Or are they for some reason logging in at the office through a 3G or other mobile network, instead of using the conventional LAN cable dangling out of the wall? Correlating the logs to find such discrepancies may or may not provide more specific answers to questions of this nature, depending on how much information is available and how reliable it is. However, the number of such discrepancies, perhaps divided into different types, is a metric that tells us something about the scale of this particular issue.
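The correlation described above, as an added worked example (not code from the original post): constructed badge-swipe and login records are joined per user, each login is compared with that user's most recent swipe inside a lookback window, and the discrepancies are counted by type to produce the metric. The event formats, the 8-hour window and the two discrepancy categories are assumptions for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real data): physical badge swipes ...
BADGE_EVENTS = [  # (user, ISO timestamp, door, direction)
    ("alice", "2024-03-04T08:55:00", "HQ-lobby", "in"),
    ("bob",   "2024-03-04T09:02:00", "HQ-lobby", "in"),
    ("bob",   "2024-03-04T12:30:00", "HQ-lobby", "out"),
    ("carol", "2024-03-04T09:10:00", "HQ-lobby", "in"),
]
# ... and logical logins, tagged with where they came from.
LOGIN_EVENTS = [  # (user, ISO timestamp, source: "lan" or "vpn")
    ("alice", "2024-03-04T09:30:00", "vpn"),  # badged in, yet logs in remotely
    ("bob",   "2024-03-04T13:15:00", "vpn"),  # badged out before remote login
    ("carol", "2024-03-04T09:40:00", "lan"),  # badged in, logs in on site
    ("dave",  "2024-03-04T10:00:00", "lan"),  # on-site login, no swipe at all
]

def parse(ts):
    return datetime.fromisoformat(ts)

def last_badge_state(user, at, badge_events, window):
    """Direction ('in'/'out') of the user's latest swipe before `at` within
    `window`, or None if there is no such swipe (no record, or too old)."""
    state, when = None, None
    for u, ts, _door, direction in badge_events:
        t = parse(ts)
        if u == user and t <= at and at - t <= window and (when is None or t > when):
            state, when = direction, t
    return state

def find_discrepancies(badge_events, login_events, window=timedelta(hours=8)):
    """Return (user, login timestamp, discrepancy type) for each login whose
    source contradicts the user's physical-access state at that moment."""
    findings = []
    for user, ts, source in login_events:
        state = last_badge_state(user, parse(ts), badge_events, window)
        if source == "vpn" and state == "in":
            findings.append((user, ts, "remote_login_while_badged_in"))
        elif source == "lan" and state != "in":
            # covers both "never swiped in" and "swiped out, then LAN login"
            findings.append((user, ts, "onsite_login_without_badge_entry"))
    return findings

def count_by_type(findings):
    """The metric itself: number of discrepancies, broken down by type."""
    return dict(Counter(kind for _u, _ts, kind in findings))

if __name__ == "__main__":
    print(count_by_type(find_discrepancies(BADGE_EVENTS, LOGIN_EVENTS)))
```

Both categories deserve a follow-up rather than an alarm: a missed swipe on exit or a forgotten badge produces the same record as a loaned pass or stolen credentials, which is the limitation the post notes.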
We gave this metric an overall PRAGMATIC score of 78% in the context of the hypothetical manufacturing company that we envisaged for the book. The highest-scoring parameter was 90% for Genuine-ness, since relatively few individuals are capable of deliberately altering the physical or logical access logs to manipulate the metric due to the relatively strong controls generally used to secure such logs. The lowest score was 60% for Cost-effectiveness, since correlating logs is painstaking, although it can be partially automated. In your specific organization, these scores may well be quite different for genuine reasons. Have a think about how you would score this metric against the PRAGMATIC criteria.
| P | R | A | G | M | A | T | I | C | Score |
|----|----|----|----|----|----|----|----|----|-------|
| 75 | 76 | 72 | 90 | 82 | 75 | 85 | 83 | 60 | 78% |
We categorized this as a management-level metric, of interest to middle managers rather than senior management or staff/operational people. It is clearly not a strategic security metric and so would be of little use to a director. At the same time, it would be of limited utility to those people running the physical and logical access control systems: what would they make of it? We figured a security manager might perhaps use the metric to ensure that sufficient resources and priority are applied to log reviews etc.