One of the harrowing images to come out of Wednesday’s attack on the U.S. Capitol was a photo posted by a rioter of an open laptop on a desk in the office of U.S. House of Representatives Speaker Nancy Pelosi. The screen was visible and apparently unlocked, with a warning in a black box that read, “Capitol: Internet Security Threat: Police Activity.”
While it remains unclear whether the laptop allegedly stolen from Pelosi’s office during the attack on the Capitol is the same one that was photographed in an unlocked state, the episode underscores how closely physical security and IT security are linked: an unattended, unlocked machine in an unsecured room is an IT exposure, whatever its network defenses.
Pelosi’s deputy chief of staff said on Twitter that the stolen laptop had limited access to sensitive documents and was used just for presentations. Even so, security experts expressed concern at the security implications of stolen Congressional computers and devices.
Along with stealing equipment and physical mail, the rioters had the opportunity to infiltrate congressional computer systems and networks. In the absence of proper logging of network and system access, a tech-savvy rioter could have done significant harm to congressional computers and systems, points out Dan Tentler, executive founder of security testing company Phobos Group.
“Just because an attacker accidentally found themselves in the office of the speaker of the House doesn’t mean that they didn’t have the means to hack Congress,” he says.
Physical security and IT security operations, traditionally separate, are awkwardly integrating. As technology rapidly changes, an increasing emphasis on IT security could put organizations at risk of ignoring how physical-security vulnerabilities can impact computer devices, systems, and networks. Equally prioritizing physical and IT security can dramatically improve the overall security posture of an organization, experts say, but too few organizations address both in an integrated manner.
What happened on Capitol Hill should be a lesson not only to government officials but also to private businesses, Tentler says.
“Not a lot of companies sit down and think about who doesn’t like them or who wants to steal their intellectual property,” he says. “Most companies see security as extra work and a cost center, so they focus on compliance. What they need to do is move away from compliance and focus on real, effective security.”
This story was originally commissioned by Dark Reading.