Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

02:40 PM
Connect Directly

US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security

How two traditionally disparate security disciplines can be united.

One of the harrowing images to come out of Wednesday's attack on the US Capitol was a photo posted by a rioter of an open laptop on a desk in US House Speaker Nancy Pelosi's office. The screen was visible and apparently unlocked, with a warning in a black box that read, "Capitol: Internet Security Threat: Police Activity."

While it remains unclear whether the laptop allegedly stolen from Pelosi's office during the attack on the Capitol is the same one that was photographed in an unlocked state, it underscores how physical security and IT security can go hand in hand.

Pelosi's deputy chief of staff said on Twitter that the stolen laptop had limited access to sensitive documents and was used just for presentations. Even so, security experts expressed concern at the security implications of stolen Congressional computers and devices.  

Related Content:

Pen Testers Who Got Arrested Doing Their Jobs Tell All

How Data Breaches Affect the Enterprise

New From The Edge: Cartoon: Shakin' It Up at the Office

Along with laptops and physical mail that were stolen, the rioters had the opportunity to infiltrate congressional computer systems and networks. Without proper logging of network and system access, a tech-savvy rioter could have done significant harm to congressional computers and systems, points out Dan Tentler, executive founder of security testing company Phobos Group. 

"Just because an attacker accidentally found themselves in the office of the speaker of the house doesn't mean that they didn't have the means to hack Congress," he says.

Traditionally, disparate physical security and IT security operations are integrating awkwardly. As technology rapidly changes and organizations increasingly emphasize IT security, they run the risk of ignoring physical security concerns — and how they can impact on computer devices, systems, and networks. Equally prioritizing physical and IT security can dramatically improve the overall security posture of an organization, say experts, but too few organizations address both in an integrated manner. 

What happened on Capitol Hill should be a lesson not only to government officials but also to private businesses, Tentler says.

"Not a lot of companies sit down and think about who doesn't like them or who wants to steal their intellectual property," he says. "Most companies see security as extra work and a cost center, so they focus on compliance. What they need to do is move away from compliance and focus on real, effective security." 

The Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) is also worried about the intersection of physical and IT security. The day before the rioters overran the Capitol, CISA had published a guide on cyber-physical risks and how organizations can begin to modernize their approach to them. 

"A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination, and collaboration. Organizations of all sizes can pursue convergence by developing an approach that is tailored to the organization's unique structure, priorities, and capability level," the guide states.

Sometimes, the risks are readily apparent, such as when weak physical security leads to network access. Christopher Hadnagy, CEO of Social-Engineer LLC and author of Human Hacking, says one of his employees on a penetration-testing job was able to gain access to a client's network operations center by slipping a wedge under the door to the NOC room. That breach could have been stopped by a simple alarm on the door that would go off when the door was open for more than a few seconds, he says.

Another company had replaced its single-pass shredding machines with ones that shredded paper in multiple directions, but it didn't check to make sure all of its older machines were replaced. So Hadnagy's team was able to find one of the older machines and retrieve sensitive invoices, banking statements, purchase orders, and checks by piecing together the shredded paper.

Quick fixes for physical and IT security gaps are rare, especially when security experts hand them "a laundry list" of changes.

"We all want that," Hadnagy says. "But what's needed is real training. You need drills, real-world exercise. The drill gives you muscle memory."

Fire drills, he says, where everybody gets up and leaves their desk to file out of the building could also incorporate security components, such as making sure everybody has locked their computers — or requiring system administrators to do so for them.

Some of the most important physical security considerations that can impact IT security are the simplest to make, says Gary DeMercurio, director of red team, social engineering, and physical penetration testing at cybersecurity risk-management company Coalfire. The cost of improving physical security, especially with the goal of improving IT security, can be relatively low compared with the vast sums spent on IT security, he says.

He and other experts interviewed for this story cited several realistic security improvements that organizations should invest in to make them more secure:

  • Employees should be prevented from posting sticky notes with passwords to their monitors; instead, they should be provided with easy-to-use password managers. 

  • Password managers serve the dual purpose of eliminating sticky notes and encouraging the use of random, generated passwords, which are more secure than human-generated ones.

  • Forcing two-factor authentication might slow some employees down, but it ultimately keeps online accounts and computing devices more secure.

  • Forcing phones, tablets, and monitors to lock after inactivity can reduce unauthorized access.

  • Similarly, full-disk encryption on all devices reduces unauthorized access in the event a device is lost or stolen.

  • Keys to locked filing cabinets with sensitive documents need to be kept separate from the cabinet and out of immediate view. 

  • Employee badges that can unlock doors should be protected against walk-by cloning

  • Unintentional gaps between doors and frames, often created by buildings settling, and which can aid a hacker in unauthorized access, can be covered with strips of metal.

  • Prepare for edge case scenarios such as what happens when the power goes out (or your building is infiltrated by a mob of insurrectionists.)

Physical security "can often trump million-dollar investments in cybersecurity," DeMercurio says. 

Implementing these changes, in part, requires better communication between physical and IT security teams, says Chris Nickerson, CEO of Lares and a red team expert. Too many organizations lack insight as to how their physical systems are used and how they integrate with their IT systems, he says.

"There's really terrible data on what that intersection point is. We don't have good coupled integration between physical and IT security," Nickerson says. "These [physical security] things run on computers — why are they not treated like data points? There's no case for disparate systems when they're domains that are connected. We're all here to protect the fort."

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/14/2021 | 12:13:16 PM
I am not sure what you saw but I don't think it was not a lack of capability.
From what I saw,
  • The National Guard was told to stand down from the request made by the major of DC
  • They knew about the march to the capitol in November
  • After 5 pm, that is when most of the protection arrived from different parts of the country
  • Most of the individuals that breached the capitol were white
  • The security guards and capitol police helped the older individuals down the stairs (saws on CNN)


So let's be honest here, that building has state of the art video surveillance/cameras. They have a subway that is at a lower floor that allows congressman to travel to remote sites where they can get into their cars. 

So they knew what was going on but were told to stand down and the president (Chief Officer of the US) stated that they should march to the capitol and express their discontent with the voting process. No matter how much technology you have, it is dependent upon careful use also, security professionals had their hands in their pockets, slowly moving the crowd away from the capital.

Trump Says 'We Will Never Concede' as Mob Storms Capitol Building - The New  York Times

If this group were of color, it would have been a blood bath, so I have to respectfully disagree with your sentiments, they have the technology, they were told to stand down.


Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
The NPort IA5000A Series devices use Telnet as one of the network device management services. Telnet does not support the encryption of client-server communications, making it vulnerable to Man-in-the-Middle attacks.
PUBLISHED: 2021-05-14
Cleartext transmission of sensitive information via Moxa Service in NPort IA5000A series serial devices. Successfully exploiting the vulnerability could enable attackers to read authentication data, device configuration, and other sensitive data transmitted over Moxa Service.
PUBLISHED: 2021-05-14
In radare2 through 5.3.0 there is a double free vulnerability in the pyc parse via a crafted file which can lead to DoS.
PUBLISHED: 2021-05-14
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Tree Sitemap WordPress plugin before 2.9, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers insta...
PUBLISHED: 2021-05-14
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Visitor Traffic Real Time Statistics WordPress plugin before 2.12, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, wh...