Protection of information from visual hacking

3M Privacy Filters : 20 May, 2015  (Special Report)
Peter Harley of 3M explains how companies could be losing information by leaving screens exposed to people able to see content over the user's shoulder.

Visual security has long been the poor relation to software in the information security industry, with many experts and users aware of the risk, but tending to spend more time (not to mention money) on other areas.  However, ‘visual hacking’ is becoming more of a focus, for a few reasons.

First, 2014 was variously called the year of the data breach or the year of the insider threat.  Regardless of labels, yet more high profile security scandals underlined the fact that much of the security risk stems from staff – usually inadvertently, occasionally maliciously – allowing confidential information to become vulnerable, whether through their own actions or through external parties impersonating legitimate employees.

This leads us to the second driver, namely that throwing lots of security into the mix is not – on its own – working and organisations are battening down all hatches in the threat landscape. Of course, there are multiple factors involved here and it would be simplistic to suggest otherwise, but organisations of all kinds are waking up to the fact that visual hacking is something that is relatively easy to fix.

Third, there is growing evidence that visual hacking is alarmingly easy to achieve and does not require the skills of an expert hacker.  Anyone armed with a smartphone that has an in-built camera can snap an on-screen image in seconds.  A recent study, sponsored by 3M and carried out by the Ponemon Institute in the USA, brought the scale of the visual hacking – or shoulder-surfing – risk into the spotlight, with 88 per cent of attempts by a white hat hacker to breach visual privacy proving successful.

Larry Ponemon, chairman and founder of the Ponemon Institute said: “In today’s world of spear phishing, it is important for data security professionals not to ignore visual hacking. A hacker often only needs one piece of valuable information to unlock a large-scale data breach.”

Infiltration

During the study, a penetration testing expert entered the offices of eight U.S.-based companies under the guise of a temporary or part-time worker.  He attempted to visually hack sensitive or confidential information using three methods: walking through the office scouting for information in full view on desks, screens and other indiscreet locations, taking a stack of business documents labelled as confidential and, finally, using his smartphone to take a picture of confidential information displayed on a computer screen. All three of these tasks were completed in full view of other office workers.

Here are some of the results:

An average of five pieces of information were visually hacked per trial – including employee contact lists (63 per cent), customer information (42 per cent), corporate financials (37 per cent), employee access and login information/credentials (37 per cent) and information about employees (37 per cent).

45 per cent of visual hacks took just 15 minutes – 63 per cent in less than half an hour

70 per cent of the time, the visual hacker was not stopped by employees – he was not challenged even when using a smartphone to take a picture of on-screen data.  Even when the visual hacker was stopped, he was still able to obtain an average of 2.8 pieces of company information.

53 per cent of information deemed sensitive was gleaned from a computer screen – this is more so than vacant desks (29 per cent), printer bins (9 per cent) and fax machines (3 per cent). Visual hacks were approximately a third more successful in open plan office environments.

Customer service roles were the most vulnerable – an average of 6.0 successful pieces of hacked information, compared to communications at 5.5 and sales force management at 5.2.  Interestingly, areas such as accounting and finance had a lower average of just 1.9 successful visual hacks, and legal just 1.0, perhaps indicating that due to the highly sensitive nature of the information these departments handle, they are more aware of the need for information privacy.  Conversely, the higher rates among customer service, sales and communications staff would suggest that they are more lax about securing information visually.

Regardless of job function, the Ponemon Institute experiment shows how easy it is to compromise sensitive data.  Plus, while it is reasonable to assume that mobile workers are the most at risk from visual hacking – clearly the office space is also vulnerable.  Given that many organisations have visitors and contractors walking through open plan areas, this is understandable.  Plus, not all employees have equal access to all information: investments in privilege management software are undermined if a casual passer-by can still view confidential information displayed on a computer monitor.

Preventing visual hacking

While visual hacking can be very easy to carry out, it is also very easy to prevent.  Some financial organisations have mandated use of privacy filters and view visual privacy as an integral part of their commitment to FCA guidelines, while government offices including the Cabinet Office and the DWP have added reference to visual security and the use of privacy filters in their guidelines.  Other organisations are incorporating visual privacy as part of their ISO27001 compliance procedures.

Here are some simple steps that any organisation can take to improve its visual privacy.

Make visual security part of the overall security policy – it should be given the same importance as the whole security information and event management (SIEM) suite of security priorities.

Employee awareness and responsibility – make sure that staff understand the nature of the risk and their role in preventing visual hacks, whether in the office or working in public places.

Better processes - encourage clean desk policies, avoid printing of confidential documents unless absolutely necessary, paper should be shredded immediately, plus instigate more awareness of strangers in the building or even colleagues inadvertently seeing confidential information.

Make it harder – this is back-to-basics stuff, but setting screens to go into screensaver or power-save mode when unattended for a couple of minutes, and then requiring log-in details to be re-entered, is simple but effective. Think about using privacy filters, which can be easily slipped on to desktop monitors, laptops, tablets and smartphones, so that only the direct viewer at close range can see the on-screen information (to anyone else, the screen will look blank).  The filters can be easily removed when necessary and have the added benefits of preventing scuffs and glare.

Visual privacy is of course just one of many security elements to consider, but it’s one that is often forgotten yet relatively easy to fix.  Given the vast amounts of effort and investment that go into security software, surely it makes sense to address this simple area of risk?
