Part of the Informa Network, Dark Reading is a trusted online community for cyber security professionals, including CISOs, cyber security researchers and technology specialists. Covering the latest threats, vulnerabilities and cyber attacks, Dark Reading supports community members in keeping up with the latest in the sector.
January 15, 2021


Cyber-physical security

US Capitol attack a wake-up call for the integration of physical & IT security

As Capitol rioters stormed the building, photos were released around social media of rioters sitting at the desks of US elected officials. Clearly, this caused serious concerns in the fields of both physical and cyber security. Seth Rosenblatt, Editor-in-chief and founder of The Parallax, an online cyber security and privacy news magazine, discusses how two traditionally disparate security disciplines can be united.

One of the harrowing images to come out of Wednesday’s attack on the US Capitol was a photo posted by a rioter of an open laptop on a desk in US House Speaker Nancy Pelosi’s office. The screen was visible and apparently unlocked, with a warning in a black box that read, “Capitol: Internet Security Threat: Police Activity.”

While it remains unclear whether the laptop allegedly stolen from Pelosi’s office during the attack on the Capitol is the same one that was photographed in an unlocked state, it underscores how physical security and IT security can go hand in hand.

Pelosi’s Deputy Chief of Staff said on Twitter that the stolen laptop had limited access to sensitive documents and was used just for presentations. Even so, security experts expressed concern at the security implications of stolen Congressional computers and devices.


Along with laptops and physical mail that were stolen, the rioters had the opportunity to infiltrate congressional computer systems and networks. Without proper logging of network and system access, a tech-savvy rioter could have done significant harm to congressional computers and systems, points out Dan Tentler, Executive Founder of security testing company Phobos Group.

“Just because an attacker accidentally found themselves in the office of the speaker of the house doesn’t mean that they didn’t have the means to hack Congress,” he says.

Physical security and IT security operations, traditionally run as separate functions, are being integrated only awkwardly. As technology changes rapidly and organisations place ever more emphasis on IT security, they risk neglecting physical security concerns and the ways those concerns affect computing devices, systems, and networks. Giving physical and IT security equal priority can dramatically improve an organisation's overall security posture, experts say, but too few organisations address both in an integrated manner.

What happened on Capitol Hill should be a lesson not only to government officials but also to private businesses, Tentler says.

“Not a lot of companies sit down and think about who doesn’t like them or who wants to steal their intellectual property,” he says. “Most companies see security as extra work and a cost centre, so they focus on compliance. What they need to do is move away from compliance and focus on real, effective security.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) is also worried about the intersection of physical and IT security. The day before the rioters overran the Capitol, CISA had published a guide on cyber-physical risks and how organisations can begin to modernise their approach to them.

“A culture of inclusivity is vital to successfully converging security functions and fostering communication, coordination, and collaboration. Organisations of all sizes can pursue convergence by developing an approach that is tailored to their unique structure, priorities, and capability level,” the guide states.

Sometimes, the risks are readily apparent, such as when weak physical security leads to network access. Christopher Hadnagy, CEO of Social-Engineer LLC and author of Human Hacking, says one of his employees on a penetration-testing job was able to gain access to a client’s network operations centre by slipping a wedge under the door to the NOC room. That breach could have been stopped by a simple alarm on the door that would go off when the door was open for more than a few seconds, he says.

Another company had replaced its single-pass shredding machines with ones that shredded paper in multiple directions, but it didn’t check to make sure all of its older machines were replaced. So Hadnagy’s team was able to find one of the older machines and retrieve sensitive invoices, banking statements, purchase orders, and checks by piecing together the shredded paper.

Quick fixes for physical and IT security gaps are rare, especially when security experts hand organisations “a laundry list” of changes.

“We all want that,” Hadnagy says. “But what’s needed is real training. You need drills, real-world exercise. The drill gives you muscle memory.”

Fire drills, he says, where everybody gets up and leaves their desk to file out of the building could also incorporate security components, such as making sure everybody has locked their computers — or requiring system administrators to do so for them.

Some of the most important physical security considerations that can impact IT security are the simplest to make, says Gary DeMercurio, Director of red team, social engineering, and physical penetration testing at cyber security risk management company Coalfire. The cost of improving physical security, especially with the goal of improving IT security, can be relatively low compared with the vast sums spent on IT security, he says.

He and other experts interviewed for this story cited several realistic security improvements that organisations should invest in to make them more secure:

  • Employees should be prevented from posting sticky notes with passwords to their monitors; instead, they should be provided with easy-to-use password managers.
  • Password managers serve the dual purpose of eliminating sticky notes and encouraging the use of random, generated passwords, which are more secure than human-generated ones.
  • Forcing two-factor authentication might slow some employees down, but it ultimately keeps online accounts and computing devices more secure.
  • Forcing phones, tablets, and monitors to lock after inactivity can reduce unauthorised access.
  • Similarly, full-disk encryption on all devices reduces unauthorised access in the event a device is lost or stolen.
  • Keys to locked filing cabinets with sensitive documents need to be kept separate from the cabinet and out of immediate view.
  • Employee badges that can unlock doors should be protected against walk-by cloning.
  • Unintentional gaps between doors and frames, often created by buildings settling, and which can aid a hacker in unauthorised access, can be covered with strips of metal.
  • Prepare for edge-case scenarios such as what happens when the power goes out (or your building is infiltrated by a mob of insurrectionists).

Physical security “can often trump million-dollar investments in cyber security,” DeMercurio says.

Implementing these changes, in part, requires better communication between physical and IT security teams, says Chris Nickerson, CEO of Lares and a red team expert. Too many organisations lack insight as to how their physical systems are used and how they integrate with their IT systems, he says.

“There’s really terrible data on what that intersection point is. We don’t have good coupled integration between physical and IT security,” Nickerson says. “These [physical security] things run on computers — why are they not treated like data points? There’s no case for disparate systems when they’re domains that are connected. We’re all here to protect the fort.”
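Tentler's point about logging of system access and Nickerson's argument that physical security systems should be treated as data points can be combined in one detection: correlate badge-reader entries with workstation logins and flag logins that no badge entry explains, or that occur while the building is known to be compromised. This is an added example, not code from the article or from any company it mentions; the users, hosts, door names, timestamps and the declared "breach window" are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records (hypothetical users, doors and hosts).
# Badge events: (user, door/zone entered, ISO timestamp).
BADGE_EVENTS = [
    ("alice", "floor3-east", "2021-01-06T08:55:00"),
    ("bob",   "floor3-east", "2021-01-06T09:10:00"),
]
# Interactive logins: (user, workstation, ISO timestamp).
LOGIN_EVENTS = [
    ("alice", "ws-301", "2021-01-06T09:02:00"),  # badged in 7 min earlier: fine
    ("bob",   "ws-302", "2021-01-06T14:40:00"),  # badged in 5.5 h earlier: fine
    ("carol", "ws-303", "2021-01-06T14:45:00"),  # never badged in: flag
    ("alice", "ws-301", "2021-01-06T15:05:00"),  # inside breach window: escalate
]
# Which badge zone each workstation physically sits in (hypothetical).
HOST_ZONE = {"ws-301": "floor3-east", "ws-302": "floor3-east", "ws-303": "floor3-east"}
# Operator-declared window during which the facility was not under control.
BREACH_WINDOW = (datetime.fromisoformat("2021-01-06T15:00:00"),
                 datetime.fromisoformat("2021-01-06T18:00:00"))


def correlate(badge_events, login_events, host_zone,
              max_gap=timedelta(hours=8), breach_window=None):
    """Return (user, host, login_ts, reason) for every login that is not
    backed by a badge entry into the host's zone within max_gap, or that
    falls inside the declared breach window."""
    findings = []
    for user, host, ts in login_events:
        login_at = datetime.fromisoformat(ts)
        zone = host_zone.get(host)
        backing_entries = [
            b for b in badge_events
            if b[0] == user and b[1] == zone
            and login_at - max_gap <= datetime.fromisoformat(b[2]) <= login_at
        ]
        if breach_window and breach_window[0] <= login_at <= breach_window[1]:
            findings.append((user, host, ts, "login during declared breach window"))
        elif not backing_entries:
            findings.append((user, host, ts, "no badge entry into zone before login"))
    return findings


def run_demo():
    """Run the correlation over the constructed sample data."""
    return correlate(BADGE_EVENTS, LOGIN_EVENTS, HOST_ZONE, breach_window=BREACH_WINDOW)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

In a real deployment the badge and authentication records would come from the access-control system and the directory or SIEM, and a login with no matching badge entry is a prompt to verify whether the person was actually in the building.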

This story first appeared on Dark Reading.