Mr CFO is travelling abroad and therefore has not checked into his office via his access control card at the main turnstile in the New York City office. He has, however, checked into his office in Paris, France, and will be working there for the next 10 days. The physical access control system in New York is a different system, completely independent from the one securing the office in France. Therefore, the guards monitoring the system in New York City are not even aware that Mr CFO is not in the building.
In the meantime, a trusted employee has been looking over Mr CFO's shoulder and has acquired his login credentials, which are simply a username and password. Knowing he is out of the country for 10 days, and on a very different time schedule, she logs onto the network during normal working hours and accesses sensitive files, which she will later share with competitors.
Will an alarm be annunciated anywhere? No. Why?
There is no apparent violation in either the physical access system or the network access system, because the two operate independently.
* The employee committing the crime is authorised to enter the building during US, EST working hours, so nothing will be annunciated in the physical access system, or even flagged as abnormal.
* The network security system sees Mr CFO logging on and accessing files that he is authorised to view, during time periods that are otherwise normal for him. Therefore, nothing will be annunciated or flagged as a network security breach.
Effective security management combining both physical and IT controls could result in organisationally and operationally coordinated security:
* If the physical access systems were compatible, the guards monitoring the facilities may at least have known that Mr CFO was entering the facility in France, not locally in New York.
* If the physical access system was communicating activity to the network access system, Mr CFO's credentials may authorise him local access only where he appears to be physically located.
* If the physical access system was communicating to the network access system, it would annunciate an alarm if Mr CFO logged onto the network remotely, or from a location other than where he appears to be physically located based on the last doors he physically accessed.
* If the physical security department had procedures in place to communicate abnormal events such as this, they would notify the network security department of a possible security breach.
* If the credentials required for Mr CFO to enter the facility in France were also required for him to log onto the corporate network, another person would not be able to utilise his credentials.
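The correlation the points above describe, a network logon checked against the user's last badge event, can be expressed as a simple detection rule. The following is an added example written for this article, not code from the author or from any access control product; the badge and logon records are constructed sample data, and the site names, account names and the 12-hour freshness window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article).
# Badge events from the physical access control systems of two independent
# sites, already normalised into one feed: (timestamp UTC, user, site, door).
BADGE_EVENTS = [
    (datetime(2024, 5, 6, 7, 55), "cfo", "PARIS", "main-turnstile"),
    (datetime(2024, 5, 6, 12, 30), "cfo", "PARIS", "floor-3-east"),
    (datetime(2024, 5, 6, 13, 5), "jdoe", "NYC", "main-turnstile"),
]

# Network logon events: (timestamp UTC, account, site the logon originated from).
LOGON_EVENTS = [
    (datetime(2024, 5, 6, 9, 10), "cfo", "PARIS"),    # CFO at his Paris desk
    (datetime(2024, 5, 6, 14, 20), "cfo", "NYC"),     # CFO credentials used in New York
    (datetime(2024, 5, 6, 13, 15), "jdoe", "NYC"),    # ordinary local logon
    (datetime(2024, 5, 6, 15, 0), "mallory", "NYC"),  # account with no badge record
]

# Assumed policy: a badge event older than this no longer tells us where the
# person is, so a logon with no fresh badge event is treated as unverified.
MAX_BADGE_AGE = timedelta(hours=12)


def last_known_site(badge_events, user, at_time, max_age=MAX_BADGE_AGE):
    """Site of the most recent badge event for `user` at or before `at_time`,
    or None if there is no badge event within `max_age`."""
    recent = [
        e for e in badge_events
        if e[1] == user and e[0] <= at_time and at_time - e[0] <= max_age
    ]
    if not recent:
        return None
    return max(recent, key=lambda e: e[0])[2]


def evaluate_logon(badge_events, logon):
    """Return an alert dict for a suspicious logon, or None if it is consistent
    with the physical access record."""
    ts, account, logon_site = logon
    physical_site = last_known_site(badge_events, account, ts)
    if physical_site is None:
        # Nobody with this account has badged into any site recently.
        return {"rule": "NO_PHYSICAL_PRESENCE", "account": account,
                "logon_site": logon_site, "time": ts}
    if physical_site != logon_site:
        # The account is being used somewhere other than where its owner
        # last passed a door: the Mr CFO scenario.
        return {"rule": "LOCATION_MISMATCH", "account": account,
                "logon_site": logon_site, "physical_site": physical_site,
                "time": ts}
    return None


def correlate(badge_events, logon_events):
    """Run every logon through the rule, in time order, and collect alerts."""
    alerts = []
    for logon in sorted(logon_events):
        alert = evaluate_logon(badge_events, logon)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in correlate(BADGE_EVENTS, LOGON_EVENTS):
        print(a["time"].isoformat(), a["rule"], a["account"], a)
```

Run on the sample data, the rule stays silent for the CFO's own logon in Paris and for the local employee in New York, raises LOCATION_MISMATCH for the logon using the CFO's credentials in New York while his last badge event is in Paris, and raises NO_PHYSICAL_PRESENCE for an account with no badge history at all. The second rule matters because, as the article notes, the two badge systems are independent: the feed has to be merged before the first rule can say anything about a traveller.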
By Laurie Aaron, Tyco Safety Products, courtesy of Faulkner Information Services.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.