One of the harrowing images to come out of Wednesday's attack on the US Capitol was a photo posted by a rioter of an open laptop on a desk in US House Speaker Nancy Pelosi's office. The screen was visible and apparently unlocked, with a warning in a black box that read, "Capitol: Internet Security Threat: Police Activity."
While it remains unclear whether the laptop allegedly stolen from Pelosi's office during the attack on the Capitol is the same one that was photographed in an unlocked state, it underscores how physical security and IT security can go hand in hand.
Pelosi's deputy chief of staff said on Twitter that the stolen laptop had limited access to sensitive documents and was used just for presentations. Even so, security experts expressed concern at the security implications of stolen Congressional computers and devices.
Along with laptops and physical mail that were stolen, the rioters had the opportunity to infiltrate congressional computer systems and networks. Without proper logging of network and system access, a tech-savvy rioter could have done significant harm to congressional computers and systems, points out Dan Tentler, executive founder of security testing company Phobos Group.
"Just because an attacker accidentally found themselves in the office of the speaker of the house doesn't mean that they didn't have the means to hack Congress," he says.
Traditionally, disparate physical security and IT security operations are integrating awkwardly. As technology rapidly changes and organizations increasingly emphasize IT security, they run the risk of ignoring physical security concerns — and how they can impact on computer devices, systems, and networks. Equally prioritizing physical and IT security can dramatically improve the overall security posture of an organization, say experts, but too few organizations address both in an integrated manner.
What happened on Capitol Hill should be a lesson not only to government officials but also to private businesses, Tentler says.
"Not a lot of companies sit down and think about who doesn't like them or who wants to steal their intellectual property," he says. "Most companies see security as extra work and a cost center, so they focus on compliance. What they need to do is move away from compliance and focus on real, effective security."
The Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) is also worried about the intersection of physical and IT security. The day before the rioters overran the Capitol, CISA had published a guide on cyber-physical risks and how organizations can begin to modernize their approach to them.
"A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination, and collaboration. Organizations of all sizes can pursue convergence by developing an approach that is tailored to the organization's unique structure, priorities, and capability level," the guide states.
Sometimes, the risks are readily apparent, such as when weak physical security leads to network access. Christopher Hadnagy, CEO of Social-Engineer LLC and author of Human Hacking, says one of his employees on a penetration-testing job was able to gain access to a client's network operations center by slipping a wedge under the door to the NOC room. That breach could have been stopped by a simple alarm on the door that would go off when the door was open for more than a few seconds, he says.
Another company had replaced its single-pass shredding machines with ones that shredded paper in multiple directions, but it didn't check to make sure all of its older machines were replaced. So Hadnagy's team was able to find one of the older machines and retrieve sensitive invoices, banking statements, purchase orders, and checks by piecing together the shredded paper.
Quick fixes for physical and IT security gaps are rare, especially when security experts hand them "a laundry list" of changes.
"We all want that," Hadnagy says. "But what's needed is real training. You need drills, real-world exercise. The drill gives you muscle memory."
Fire drills, he says, where everybody gets up and leaves their desk to file out of the building could also incorporate security components, such as making sure everybody has locked their computers — or requiring system administrators to do so for them.
Some of the most important physical security considerations that can impact IT security are the simplest to make, says Gary DeMercurio, director of red team, social engineering, and physical penetration testing at cybersecurity risk-management company Coalfire. The cost of improving physical security, especially with the goal of improving IT security, can be relatively low compared with the vast sums spent on IT security, he says.
He and other experts interviewed for this story cited several realistic security improvements that organizations should invest in to make them more secure:
Employees should be prevented from posting sticky notes with passwords to their monitors; instead, they should be provided with easy-to-use password managers.
Password managers serve the dual purpose of eliminating sticky notes and encouraging the use of random, generated passwords, which are more secure than human-generated ones.
Forcing two-factor authentication might slow some employees down, but it ultimately keeps online accounts and computing devices more secure.
Forcing phones, tablets, and monitors to lock after inactivity can reduce unauthorized access.
Similarly, full-disk encryption on all devices reduces unauthorized access in the event a device is lost or stolen.
Keys to locked filing cabinets with sensitive documents need to be kept separate from the cabinet and out of immediate view.
Employee badges that can unlock doors should be protected against walk-by cloning.
Unintentional gaps between doors and frames, often created by buildings settling, and which can aid a hacker in unauthorized access, can be covered with strips of metal.
Prepare for edge case scenarios such as what happens when the power goes out (or your building is infiltrated by a mob of insurrectionists.)
Physical security "can often trump million-dollar investments in cybersecurity," DeMercurio says.
Implementing these changes, in part, requires better communication between physical and IT security teams, says Chris Nickerson, CEO of Lares and a red team expert. Too many organizations lack insight as to how their physical systems are used and how they integrate with their IT systems, he says.
"There's really terrible data on what that intersection point is. We don't have good coupled integration between physical and IT security," Nickerson says. "These [physical security] things run on computers — why are they not treated like data points? There's no case for disparate systems when they're domains that are connected. We're all here to protect the fort."