BreachExchange mailing list archives

A Hidden Insider Threat: Visual Hackers


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 23 Dec 2015 18:24:14 -0600

http://www.darkreading.com/vulnerabilities---threats/a-hidden-insider-threat-visual-hackers-/a/d-id/1323602

When we think of hackers breaching systems and stealing information from
where we work, we don’t usually suspect the people we work with as the
guilty parties.

But insider threats are in fact a very real and growing challenge. SANS
Institute surveyed
<https://www.sans.org/reading-room/whitepapers/analyst/insider-threats-fast-directed-response-35892>
nearly 800 IT and security professionals across multiple industries and
found that 74 percent of respondents were concerned about negligent or
malicious employees who might be insider threats, while 34 percent said
they have experienced an insider incident or attack.

One potential method of attack is visual hacking, which is defined as
obtaining or capturing sensitive information for unauthorized use. Examples
of visual hacking include taking photos of documents left on a printer or
information displayed on a screen, or simply writing down employee log-in
information that is taped to a computer monitor. The visual hackers
themselves could be anyone within an organization’s walls, including
employees, contractors or service vendors, such as cleaning and maintenance
crews, and even visitors.

In the Visual Hacking Experiment
<http://news.3m.com/press-release/product-and-brand/new-study-exposes-visual-hacking-under-addressed-corporate-risk>,
a study conducted by Ponemon Institute and jointly sponsored by 3M Company
and the Visual Privacy Advisory Council, white-hat hackers posing as
temporary or part-time workers were sent into the offices of eight
U.S.-based, participating companies.

The hackers were able to visually hack sensitive and confidential
information from exposed documents and computer screens. They were able to
visually hack information such as employee access and login credentials,
accounting information and customer information in 88 percent of attempts
and were not stopped in 70 percent of incidents.

*Assess and Adapt*

The best place to begin clamping down on visual privacy threats, no matter
what industry you work in, is to perform a visual privacy audit. This will
help you assess your key risk areas and evaluate the security measures
already in place.

Some questions to consider when conducting a visual privacy audit include:

   - Does your organization have a visual privacy policy?
   - Are shredders located near copiers, printers and desks where
   confidential documents are regularly handled?
   - Are computer screens angled away from high-traffic areas and windows,
   and fitted with privacy filters?
   - Do employees keep log-in and password information posted at their
   workstations or elsewhere?
   - Are employees leaving computer screens on or documents out in the open
   when not at their desks?
   - Do employees know to be mindful of who is on the premises and what
   they are accessing, photographing or viewing?
   - Are there reporting mechanisms for suspicious activities?

In addition to identifying areas where visual privacy security falls short,
a privacy audit can help managers to make changes or additions needed to
your organization’s policies and training.

Policies should outline the do’s and don’ts of information viewing and use
for employees and contractors both in the workplace and when working
remotely. Additionally, visual privacy, visual hacking and insider threat
awareness should be made an integral part of security training, and
reinforced through refresher training and employee communications.

*Standard best practices*

The specific measures you take to defend against visual hacking from
insider threats will be unique to your organization or industry. For
example, health care organizations
<http://www.ecfr.gov/cgi-bin/text-idx?SID=cb9bd76e377bb306ee49069485dda775&node=45:1.0.1.3.78&rgn=div5#se45.1.164_1530>
are mandated under HIPAA to use administrative, physical, and technical
safeguards to ensure the privacy and security of PHI in all forms,
including paper and electronic form. But *all* organizations have the duty
to protect customer and employee information, the organization’s
intellectual property, confidences, and privacy interests. Standard best
practices that apply to nearly every organization include:

   - A “clean desk” policy requiring employees to turn off device screens
   and remove all papers from their desks before leaving each night.
   - Requirements for masking high-risk data applications from onlookers,
   using strategies ranked from most secure to least secure.
   - Make shredders standard issue to all on-site units, especially near
   copiers, printers and faxes, and a prerequisite for all who qualify to
   telework or to use secure remote network access to corporate information
   assets.
   - Install privacy filters on all computers and electronic devices, both
   in the office and while working remotely, where sensitive data is extremely
   vulnerable. Privacy filters black out the angled view of onlookers while
   providing an undisturbed viewing experience for the user, and can be fitted
   to the screens of desktop monitors, laptops and mobile devices.
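One way to implement the "mask high-risk data from onlookers" practice above, as an added example that is not code from the article or from Dark Reading: each field on a customer-service screen carries a sensitivity class, and the screen renders it at a masking tier ordered from most secure (fully hidden) to least secure (clear), so a passer-by glancing at the monitor sees only what the agent needs for the current task. The field names, sensitivity classes and sample record are constructed for illustration.

```python
"""Tiered display masking for fields shown on a shared or exposed screen.

Added example, not the article's code. SCHEMA and SAMPLE are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Masking tiers ordered from most secure to least secure.
HIDDEN, PARTIAL, CLEAR = "hidden", "partial", "clear"

# Fixed-width fill so a masked value does not leak the real value's length.
FILL = "\u2022" * 8


@dataclass(frozen=True)
class Field:
    name: str
    sensitivity: str  # "high", "medium" or "low" (constructed classes)


# Constructed schema for a hypothetical account record.
SCHEMA: Dict[str, Field] = {
    "full_name": Field("full_name", "low"),
    "email": Field("email", "medium"),
    "ssn": Field("ssn", "high"),
    "card_number": Field("card_number", "high"),
}

# Constructed sample record used by the demo and the checks below.
SAMPLE: Dict[str, str] = {
    "full_name": "Jane Doe",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "card_number": "4111 1111 1111 1111",
    "notes": "called about statement",  # not in SCHEMA: masked by default
}


def mask_partial(name: str, value: str) -> str:
    """Reveal only the fragment an agent needs to confirm identity."""
    if name == "ssn":
        return "***-**-" + value[-4:]
    if name == "card_number":
        digits = value.replace(" ", "")
        return "**** **** **** " + digits[-4:]
    if name == "email" and "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    return FILL  # no partial form defined for this field: hide it entirely


def render_field(name: str, value: str, tier: str) -> str:
    """Render one classified field at the given tier."""
    sensitivity = SCHEMA[name].sensitivity
    if sensitivity == "low" or tier == CLEAR:
        return value
    if tier == PARTIAL:
        return mask_partial(name, value)
    return FILL  # HIDDEN tier: medium and high fields are fully masked


def render_record(record: Dict[str, str], tier: str,
                  reveal: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Render a whole record at one tier.

    Fields named in `reveal` are shown in the clear regardless of tier; this
    models an explicit, per-field unmask action the agent takes deliberately,
    which is the place to hook an audit log entry.  Fields missing from SCHEMA
    fail closed and are always masked.
    """
    out: Dict[str, str] = {}
    for name, value in record.items():
        if name in reveal and name in SCHEMA:
            out[name] = value
        elif name not in SCHEMA:
            out[name] = FILL
        else:
            out[name] = render_field(name, value, tier)
    return out


if __name__ == "__main__":
    for tier in (HIDDEN, PARTIAL, CLEAR):
        print(tier, render_record(SAMPLE, tier))
    print("ssn revealed", render_record(SAMPLE, HIDDEN, reveal=frozenset({"ssn"})))
```

The default tier for a screen that faces a walkway or window would be `HIDDEN`, with `PARTIAL` used during identity verification and `CLEAR` never applied to a whole record; the `reveal` set is the only path to a full value, so unmasking is a deliberate action rather than the resting state of the display.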

The growing problem of insider threats shouldn’t instill fear and suspicion
in workers about the people they see and talk to every day while on the
job. However, workers should understand that the threat is real and that
they play an important role in helping protect their company’s sensitive
data – and that of their customers – against this increasingly prevalent
problem.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss