Dark Reading is part of the Informa Tech Division of Informa PLC


Physical Security

1/11/2021
02:40 PM

US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security

How two traditionally disparate security disciplines can be united.

One of the harrowing images to come out of Wednesday's attack on the US Capitol was a photo posted by a rioter of an open laptop on a desk in US House Speaker Nancy Pelosi's office. The screen was visible and apparently unlocked, with a warning in a black box that read, "Capitol: Internet Security Threat: Police Activity."

While it remains unclear whether the laptop allegedly stolen from Pelosi's office during the attack on the Capitol is the same one that was photographed in an unlocked state, it underscores how physical security and IT security can go hand in hand.

Pelosi's deputy chief of staff said on Twitter that the stolen laptop had limited access to sensitive documents and was used just for presentations. Even so, security experts expressed concern at the security implications of stolen Congressional computers and devices.  


Along with laptops and physical mail that were stolen, the rioters had the opportunity to infiltrate congressional computer systems and networks. Without proper logging of network and system access, a tech-savvy rioter could have done significant harm to congressional computers and systems, points out Dan Tentler, executive founder of security testing company Phobos Group. 

"Just because an attacker accidentally found themselves in the office of the speaker of the house doesn't mean that they didn't have the means to hack Congress," he says.

Physical security and IT security have traditionally been run as separate operations, and where they are being brought together, the integration is awkward. As technology changes rapidly and organizations put ever more emphasis on IT security, they risk neglecting physical security concerns — and how those concerns affect computer devices, systems, and networks. Giving physical and IT security equal priority can dramatically improve an organization's overall security posture, experts say, but too few organizations address the two in an integrated manner.

What happened on Capitol Hill should be a lesson not only to government officials but also to private businesses, Tentler says.

"Not a lot of companies sit down and think about who doesn't like them or who wants to steal their intellectual property," he says. "Most companies see security as extra work and a cost center, so they focus on compliance. What they need to do is move away from compliance and focus on real, effective security." 

The Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) is also worried about the intersection of physical and IT security. The day before the rioters overran the Capitol, CISA had published a guide on cyber-physical risks and how organizations can begin to modernize their approach to them. 

"A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination, and collaboration. Organizations of all sizes can pursue convergence by developing an approach that is tailored to the organization's unique structure, priorities, and capability level," the guide states.

Sometimes, the risks are readily apparent, such as when weak physical security leads to network access. Christopher Hadnagy, CEO of Social-Engineer LLC and author of Human Hacking, says one of his employees on a penetration-testing job was able to gain access to a client's network operations center by slipping a wedge under the door to the NOC room. That breach could have been stopped by a simple alarm on the door that would go off when the door was open for more than a few seconds, he says.

Another company had replaced its single-pass shredding machines with ones that shredded paper in multiple directions, but it didn't check to make sure all of its older machines were replaced. So Hadnagy's team was able to find one of the older machines and retrieve sensitive invoices, banking statements, purchase orders, and checks by piecing together the shredded paper.

Quick fixes for physical and IT security gaps are rare, especially when security experts hand them "a laundry list" of changes.

"We all want that," Hadnagy says. "But what's needed is real training. You need drills, real-world exercise. The drill gives you muscle memory."

Fire drills, he says, in which everybody gets up, leaves their desk, and files out of the building, could also incorporate security components, such as making sure everybody has locked their computers — or requiring system administrators to do so for them.

Some of the most important physical security considerations that can impact IT security are the simplest to make, says Gary DeMercurio, director of red team, social engineering, and physical penetration testing at cybersecurity risk-management company Coalfire. The cost of improving physical security, especially with the goal of improving IT security, can be relatively low compared with the vast sums spent on IT security, he says.

He and other experts interviewed for this story cited several realistic security improvements that organizations should invest in to make them more secure:

  • Employees should be prevented from posting sticky notes with passwords to their monitors; instead, they should be provided with easy-to-use password managers. 

  • Password managers serve the dual purpose of eliminating sticky notes and encouraging the use of random, generated passwords, which are more secure than human-generated ones.

  • Forcing two-factor authentication might slow some employees down, but it ultimately keeps online accounts and computing devices more secure.

  • Forcing phones, tablets, and monitors to lock after inactivity can reduce unauthorized access.

  • Similarly, full-disk encryption on all devices reduces unauthorized access in the event a device is lost or stolen.

  • Keys to locked filing cabinets with sensitive documents need to be kept separate from the cabinet and out of immediate view. 

  • Employee badges that can unlock doors should be protected against walk-by cloning.

  • Unintentional gaps between doors and frames, often created by buildings settling, and which can aid a hacker in unauthorized access, can be covered with strips of metal.

  • Prepare for edge-case scenarios, such as what happens when the power goes out (or your building is infiltrated by a mob of insurrectionists).

Physical security "can often trump million-dollar investments in cybersecurity," DeMercurio says. 

Implementing these changes, in part, requires better communication between physical and IT security teams, says Chris Nickerson, CEO of Lares and a red team expert. Too many organizations lack insight as to how their physical systems are used and how they integrate with their IT systems, he says.

"There's really terrible data on what that intersection point is. We don't have good coupled integration between physical and IT security," Nickerson says. "These [physical security] things run on computers — why are they not treated like data points? There's no case for disparate systems when they're domains that are connected. We're all here to protect the fort."
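Two of the points above lend themselves to a small worked illustration: Hadnagy's "simple alarm on the door that would go off when the door was open for more than a few seconds," and Nickerson's complaint that physical security systems "run on computers" yet are not treated as data points alongside IT logs. The script below is an added example, written for this page and not code from Dark Reading or from any of the companies quoted. It runs offline over three constructed sample logs (door sensor, badge reader, workstation logons); the room names, host names, user names, log formats, and the 10-second and 15-minute thresholds are all assumptions chosen for the example.

```python
"""Correlating physical-access events with IT logon events (added example).

Two checks a converged physical/IT security team could run over its logs:
  1. held_open_alerts   - the door alarm from the article: flag any secured
                          door that stays open longer than a few seconds.
  2. logons_without_badge - join badge-reader entries with workstation logons
                          and flag a logon from a room the user never badged
                          into, which neither log shows as suspicious alone.
All log lines, names, and formats below are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed door-sensor log: "<date> <time> <door> <OPEN|CLOSE>"
DOOR_LOG = """\
2021-01-06 14:00:05 NOC OPEN
2021-01-06 14:00:07 NOC CLOSE
2021-01-06 14:10:00 NOC OPEN
2021-01-06 14:10:45 NOC CLOSE
"""

# Constructed badge-reader log: "<date> <time> <user> <room> GRANTED"
BADGE_LOG = """\
2021-01-06 14:00:04 alice NOC GRANTED
2021-01-06 13:30:00 bob SERVER-RM GRANTED
"""

# Constructed workstation logon log: "<date> <time> <user> <host> <room> LOGON"
LOGON_LOG = """\
2021-01-06 14:00:30 alice noc-ws01 NOC LOGON
2021-01-06 14:12:10 bob noc-ws02 NOC LOGON
2021-01-06 14:40:00 carol srv-console SERVER-RM LOGON
"""

TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S"


def parse(text):
    """Turn a constructed log into (datetime, field, field, ...) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        stamp = datetime.strptime(parts[0] + " " + parts[1], TIMESTAMP_FMT)
        rows.append((stamp, *parts[2:]))
    return rows


def held_open_alerts(door_log, max_seconds=10):
    """Return (door, opened_at, seconds_open) for each door held open too long.

    Pairs each OPEN with the next CLOSE for the same door and measures the gap;
    the threshold is an assumed value standing in for 'more than a few seconds'.
    """
    alerts = []
    open_since = {}
    for stamp, door, state in parse(door_log):
        if state == "OPEN":
            open_since[door] = stamp
        elif state == "CLOSE" and door in open_since:
            opened_at = open_since.pop(door)
            seconds_open = (stamp - opened_at).total_seconds()
            if seconds_open > max_seconds:
                alerts.append((door, opened_at, seconds_open))
    return alerts


def logons_without_badge(badge_log, logon_log, window_minutes=15):
    """Return (user, host, room, logon_time) for logons with no matching badge entry.

    A logon counts as explained only if the same user badged into the same
    room within the preceding window. Valid credentials on a normal host and
    no failed badge read look clean to each team on its own; joining the two
    data sources is what exposes the gap.
    """
    entries = {}
    for stamp, user, room, _ in parse(badge_log):
        entries.setdefault((user, room), []).append(stamp)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for stamp, user, host, room, _ in parse(logon_log):
        recent = [t for t in entries.get((user, room), []) if stamp - window <= t <= stamp]
        if not recent:
            flagged.append((user, host, room, stamp))
    return flagged


if __name__ == "__main__":
    for door, opened_at, seconds_open in held_open_alerts(DOOR_LOG):
        print(f"ALARM: {door} held open {seconds_open:.0f}s from {opened_at}")
    for user, host, room, stamp in logons_without_badge(BADGE_LOG, LOGON_LOG):
        print(f"REVIEW: {user} logged on to {host} in {room} at {stamp} with no badge entry")
```

On the sample data the first check raises one alarm (the NOC door held open for 45 seconds at 14:10) and the second flags two logons: bob, who badged into the server room but logged on in the NOC two minutes after that door was held open, and carol, who logged on in the server room with no badge entry at all. Neither finding exists in either log by itself, which is the integration point the article is arguing for.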

Seth is editor-in-chief and founder of The Parallax, an online cybersecurity and privacy news magazine. He has worked in online journalism since 1999, including eight years at CNET News, where he led coverage of security, privacy, and Google. Based in San Francisco, he also ...
Comments
tdsan (User Rank: Ninja), 1/14/2021 | 12:13:16 PM
I am not sure what you saw but I don't think it was not a lack of capability.
From what I saw,
  • The National Guard was told to stand down from the request made by the mayor of DC
  • They knew about the march to the Capitol in November
  • After 5 pm, that is when most of the protection arrived from different parts of the country
  • Most of the individuals that breached the capitol were white
  • The security guards and Capitol police helped the older individuals down the stairs (saw on CNN)

So let's be honest here, that building has state of the art video surveillance/cameras. They have a subway on a lower floor that allows congressmen to travel to remote sites where they can get into their cars.

So they knew what was going on but were told to stand down, and the president (Chief Officer of the US) stated that they should march to the Capitol and express their discontent with the voting process. No matter how much technology you have, it is dependent upon careful use; also, security professionals had their hands in their pockets, slowly moving the crowd away from the Capitol.

Trump Says 'We Will Never Concede' as Mob Storms Capitol Building - The New York Times

If this group were of color, it would have been a blood bath, so I have to respectfully disagree with your sentiments: they have the technology; they were told to stand down.

T