Risk Assessments Dig Deeper than the Obvious
By Ernie Hayden CISSP GICSP(Gold) PSP
In September 2020, my book, Critical Infrastructure Risk Assessment, was published. In the book I discuss ways and means to analyze the threats and vulnerabilities posed on Critical Infrastructure. Last week, as I watched the events at the United States Capitol, I not only was shocked but also was worried that the less obvious threats to the building and facilities would be glossed over.
For instance, among the thousands of terrorists entering the Capitol building, how many of them were North Korean, Russian, Chinese, Iranian agents? If those entering the Capitol, what type of sinister and more sophisticated actions were they considering?
Imagine the agent is thinking about such things as:
- Can I steal any sensitive or confidential information?
- Can I inject malware into the U.S Capitol computer network with a USB drive?
- What if I take photos of the more sensitive rooms in the building?
- What about taking measurements?
- What about closely examining the physical security such as card readers, keypads, camera positions, and types of locks?
I think you understand my point.
The evidence remaining from such actions basically does not exist; however, the threat level to the US Capitol building and its esteemed residents is substantially increased.
The risk assessor needs to think way outside of the box and try to dig deeper than the obvious. They need to always think as an attacker. They need to think about ways to take advantage of a situation not normally offered to the aggressor.
Please consider these perspectives and I am thankful the Capitol and its occupants were not damaged more than what we observed…. but was it?