Security Lessons Learned from the U.S. Capitol Attack
In the months following the riot at the U.S. Capitol, we’ve learned about a litany of security failures that companies and supply management organizations should heed.
While most organizations would never consider themselves at risk of a large-scale physical intrusion, the events of January 6, when several laptops were removed from Congressional offices and intruders had access to unlocked, logged-in computers, show that common vulnerabilities and bad practices exist even in workplaces with the highest levels of physical security.
Among the lessons that can help prevent future breaches:
1) Know your vulnerabilities and understand your risk. When building a cybersecurity plan, start from the risk to your organization: who would want your data, and what they could do with it. As one of the most important buildings in our government, the Capitol carries risk at the highest level and is of great interest to foreign governments, allies and adversaries alike.
2) Enforce policies. Understanding your risk is the first step to proper protection, and writing policy is typically next. Writing policy is fast, free and easy. Policy, however, does no good if it can be ignored, and employees who "break the rules" usually do so out of convenience. Without training, they may not even be aware of the policies, especially those that office culture has "trained" employees to ignore. Without automated or manual checks on compliance, a change to cybersecurity policy means little more than the good intentions of a quickly forgotten New Year's resolution.
3) Clean screen and clean desk. One photo circulated after the attack showed a computer on an office desk, still logged in, with email open. Any computer left unlocked is a vector for future damage: in the minutes of access the intruder had, malware can be installed, files copied, and mailboxes copied and later mined for sensitive information and for material to use in phishing and social-engineering efforts.
A common policy, the "clean screen" policy, requires that an employee's computer be locked whenever the employee is not present and actively using it. Desktop and laptop computers, whether employees are working from home or in the office, should be locked whenever unattended. Employees can lock the screen manually when they leave their desks, but it is imperative that the screen also locks automatically after a short period of inactivity. It is not uncommon for employees to leave their computers open for a quick trip to the printer or coffee maker, and these short trips often turn into longer ones.
In an emergency, an automatic-lock setting means it does not matter whether employees had time to lock their stations or remembered to: it will have been done for them. Of course, the setting does little good if it is not actually applied on every machine, so random spot checks or another form of enforcement are necessary.
A notch up in security is a "clean desk" policy as well, so that no information is left on a desk overnight, or even for short periods. Desks and monitors are often covered in written notes, passwords and other information that could be used for social engineering or to otherwise aid a cyberattack.
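Checking that the automatic lock described above is really in force is the kind of compliance check item 2 calls for, and it can be automated. The following PowerShell script is an added example, not something from the article or from any Capitol system. It reads the two Windows settings that produce an idle lock, the machine-wide "Interactive logon: Machine inactivity limit" and the secure-screensaver settings (where a Group Policy value under the Policies key overrides the user's own Control Panel setting), and reports whether either one locks the session within the limit. The 300-second limit is an illustrative assumption; pick the value your policy specifies.

```powershell
# Added example (not from the article): audit whether a Windows workstation
# locks itself after a short idle period, and report which setting enforces it.
# Assumptions: Windows 8 / Server 2012 or later, run in the session of the
# user being checked; MaxIdleSeconds = 300 is an illustrative policy limit.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 300)

    # 1. Machine inactivity limit: locks the session after N seconds of idle
    #    time regardless of screensaver settings.
    $machineLimit = Get-RegValue `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name 'InactivityTimeoutSecs'

    # 2. Secure screensaver. A Group Policy value under ...\Policies\... takes
    #    precedence over the user's own setting, so read the policy key first
    #    and fall back to the user key only when the policy value is absent.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'
    $ss = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $value = Get-RegValue -Path $policyKey -Name $name
        if ($null -eq $value) { $value = Get-RegValue -Path $userKey -Name $name }
        $ss[$name] = $value
    }

    # These values are stored as strings; a missing or "0" timeout means no lock.
    $ssTimeout = 0
    if ($ss.ScreenSaveTimeOut) { $ssTimeout = [int]$ss.ScreenSaveTimeOut }

    $screensaverLocks = ($ss.ScreenSaveActive -eq '1') -and
                        ($ss.ScreenSaverIsSecure -eq '1') -and
                        ($ssTimeout -gt 0) -and ($ssTimeout -le $MaxIdleSeconds)
    $machineLocks     = ($null -ne $machineLimit) -and ($machineLimit -gt 0) -and
                        ($machineLimit -le $MaxIdleSeconds)

    $enforcedBy = 'nothing'
    if ($machineLocks)          { $enforcedBy = 'InactivityTimeoutSecs' }
    elseif ($screensaverLocks)  { $enforcedBy = 'secure screensaver' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        UserName               = $env:USERNAME
        MachineInactivityLimit = $machineLimit
        ScreenSaverActive      = $ss.ScreenSaveActive
        ScreenSaverSecure      = $ss.ScreenSaverIsSecure
        ScreenSaverTimeout     = $ssTimeout
        Compliant              = ($machineLocks -or $screensaverLocks)
        EnforcedBy             = $enforcedBy
    }
}

# Run on each workstation (scheduled task, remoting or your endpoint agent)
# and collect the objects; hosts with Compliant = False are the ones to chase.
Test-ScreenLockPolicy -MaxIdleSeconds 300 | Format-List
```

Reading the effective value rather than trusting the Group Policy object is the point of the check: a machine that never received the policy, or where a local administrator changed it, passes a paper audit and fails this one. Where the result is non-compliant, the fix is to set the machine inactivity limit or the secure-screensaver policy centrally rather than on the individual host.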
4) Inventory hardware and files. About two hours after the attack, it was announced that the Capitol building was "clear." For cybersecurity, there was no such official call. Several items, including a laptop from House Speaker Nancy Pelosi's office, were stolen during the attack, which emphasizes the importance of a running inventory of equipment. Know not only which devices you have but what is stored on them; data that no longer needs to be on a device, especially a portable one, should be removed. A stolen laptop that is locked and fully encrypted exposes little; one without encryption exposes everything on its disk, whatever the state of its screen.
5) Plan, then act. Have a realistic incident-response and remediation plan in place, one that covers the loss of devices and exposure of unlocked sessions, and follow it. Additionally, have a business-continuity plan.
A compromise that begins with a physical intrusion may not be detected for many months, if ever, so prevention efforts are some of the best insurance an organization can buy.