In a few short hours, the United States will inaugurate a new president, two weeks after insurrectionists broke into the Capitol building, stole laptops and perused computer and physical files. As the cyber community observes the unprecedented measures taken to secure the city, lessons in the convergence of physical and digital security emerge.
Washington, D.C. is on high alert, extending the special designation for security that always applies to inaugurations to Jan. 21, and calling in 25,000 National Guard members to assist in securing the downtown. But with the failures in computer security on display during the Capitol breach still raw, protection of digital assets is paramount. And that, cyber experts tell SC Media, requires a convergence of physical and computer security measures.
Indeed, just as the situation at the Capitol presented an opportunity for public and private sector entities to consider cybersecurity implications of a physical breach, the inauguration offers an opportunity for those same entities to consider how they might prepare for events of heightened risk during tumultuous times – whether it be a visit from a disgruntled ex-employee or protests outside corporate offices.
"In circumstances where the physical safety of employees is more important than cybersecurity, it is vital to have automated features," so organizations are not caught flat-footed, said Dirk Schrader, global vice president at New Net Technologies.
With lessons learned, better safeguards?
During the Capitol breach, one protestor photographed House Speaker Nancy Pelosi's unlocked PC. Another stole a laptop from her office. The fact that such assets were left out and available demonstrates a failure in policy amid predictable chaos.
While clean desk and computer locking policies should always be in effect, experts say the hours before a known premises threat should boost them to 11. Federal employees, in that sense, should be functioning under strict protocol in the hours before and days after the inauguration.
"Anyone who has a laptop should bring those home," said John Hellickson, CxO advisor of cyber strategy at Coalfire. "And any portable equipment should be removed from the office."
Employees should be reminded ahead of any high-risk event of clean desk and locking policies that are already in place, he added, and shredding bins should be cleared.
"You might want to prevent people from showing up at the office at all" if a known event or situation presents risk factors, said Dan Wood, associate vice president at Bishop Fox. That would prevent systems from being accessible, eliminate the opportunity for stray laptops and keep employees out of harm's way. And if a company has a system where a watch commander would take charge of an evacuation, he added, remind that individual of security obligations, like reminding people to lock their computers.
Similarly, processes already in place to address and escalate security incidents quickly should be top of mind, said Hellickson. Blind spots and lessons learned from red team reports and audits should receive additional attention, and incident response plans should be activated. The cyber insurance policy should be reviewed. And a war room with the physical security leadership should be stood up.
"If I am an average CISO, I've already had at least one tabletop exercise about physical access," said Hellickson.
Prepare for the worst
For organizations whose continuity planning allows it, decide in advance whether the option to pull the power on servers should be available if an unauthorized person is known to be on-site, said Wood. This is not always possible. A medical facility, for example, might not be able to keep patients alive without electricity. But even a limited power-down capability should be considered.
It is good sense to contact law enforcement, Wood and Hellickson agreed, and to make sure all of the evidence-gathering tools, like cameras, are fully functional.
If a specific person is deemed to be a threat, distribute a photo to the security operations center and all security personnel, added Wood, who also suggested rescheduling all deliveries to another day. ("You don't want loading bay doors open," he said.) Institute a visible badge policy for the day if one isn't already in place, and don't rely too heavily on access control systems.
And certainly, security teams should do a comprehensive inventory.
"A clear list of items and owners" will help in incident response, should a breach occur, said Hellickson. Come up with a similar list of all the personal information being stored onsite that may require breach notification, he added. Also make sure the SOC knows to scrutinize and correlate events during the potential time of attack.
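One way a SOC can correlate physical and digital events during a declared high-risk window, as an added example (not from the article or the firms quoted): flag console logons on office machines by people who never badged in, any loading-bay access while deliveries are supposed to be rescheduled, and any badge-in at all if the site has been declared closed. The record formats, field names and sample entries below are constructed for illustration.

```python
"""Correlate badge-reader and endpoint logon records during a high-risk window.

Added example, not the article's or any vendor's code. Record layouts and
the sample entries are constructed; real telemetry needs its own parsers.
"""
from datetime import datetime

# Constructed sample telemetry (ISO 8601 timestamps). "console" logons are
# interactive sessions on machines physically located in the office.
BADGE_EVENTS = [
    {"ts": "2021-01-20T07:55:00", "person": "alice", "door": "lobby", "result": "granted"},
    {"ts": "2021-01-20T10:12:00", "person": "mallory", "door": "loading-bay", "result": "granted"},
]
LOGON_EVENTS = [
    {"ts": "2021-01-20T08:03:00", "user": "alice", "host": "HQ-WS-01", "type": "console"},
    {"ts": "2021-01-20T10:20:00", "user": "bob", "host": "HQ-WS-02", "type": "console"},
    {"ts": "2021-01-20T11:00:00", "user": "carol", "host": "HQ-WS-03", "type": "remote"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(badge_events, logon_events, window_start, window_end, office_closed=False):
    """Return alert strings for events inside [window_start, window_end] that
    contradict the physical-security posture declared for the day."""
    start, end = _ts(window_start), _ts(window_end)

    def in_window(event):
        return start <= _ts(event["ts"]) <= end

    # People who physically entered during the window; console logons by
    # anyone else mean an unlocked or shared machine, or a stolen credential.
    badged_in = {b["person"] for b in badge_events
                 if in_window(b) and b["result"] == "granted"}
    alerts = []
    for b in badge_events:
        if not (in_window(b) and b["result"] == "granted"):
            continue
        if office_closed:
            alerts.append(f"badge-in while site closed: {b['person']} at {b['door']} {b['ts']}")
        elif b["door"] == "loading-bay":
            alerts.append(f"loading-bay access during window: {b['person']} {b['ts']}")
    for l in logon_events:
        if in_window(l) and l["type"] == "console" and l["user"] not in badged_in:
            alerts.append(f"console logon without badge-in: {l['user']} on {l['host']} {l['ts']}")
    return alerts
```

The window boundaries and the `office_closed` flag are the only inputs the watch commander has to set on the day; everything else runs over the feeds the SOC already collects.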
As both physical and information security teams learned from the insurrection at the Capitol building, anticipation of high-risk events should spur proactive measures that assume the worst, said Tom Pendergast, chief learning officer at cybersecurity training company MediaPro.
"Any damage done could be — like the recent SolarWinds breach — a long-term problem."