Insider Threats

2/24/2015
10:30 AM
Larry Ponemon
Commentary
From Hacking Systems To Hacking People

New low-tech attack methods like 'visual hacking' demand an information security environment that values data privacy and a self-policing culture.

Forty-four trillion gigabytes (44 zettabytes). That’s the anticipated size of the “digital universe” by 2020, according to the IDC Digital Universe Study. Encompassing all data created, replicated, and consumed in one year, this digital universe is mostly created and used by a company’s workforce, yet the task of protecting it from hackers falls largely to IT security teams.

Data security professionals have built up sophisticated defenses against hackers who target company networks and systems with high-tech attacks. But as we layer cryptography on top of firewalls, intrusion detection systems, and other controls, attackers will look for a new path to proprietary company information, and I believe we’ll soon see a profound shift from malicious parties hacking systems to hacking people.

It’s no secret that human error is a weak point in the data security pipeline. Ponemon Institute recently completed new research that illustrates just how easy it can be to hack people through visual hacking: a low-tech method of capturing sensitive, confidential, and private information for unauthorized use simply by looking at it. During the 3M Visual Hacking Experiment, a white hat hacker was sent into the offices of eight companies throughout the U.S., under the guise of a temporary or part-time worker, to try to obtain sensitive or confidential information using only visual means. The information captured included employee contact lists, customer information, corporate financials, employee access and login information, and other credentials or information about employees.

The findings shed light on the potential impact of hacking people: in 88 percent of attempts, the white hat hacker was able to visually hack sensitive information from a worker’s computer screen or from hard-copy documents. With identity and access information or login credentials (really, the “keys to the kingdom”) in the hands of the bad guys, corporate data is at serious risk of a much larger breach. Unfortunately, these hacks generally happened quickly (63 percent took under half an hour) and went unnoticed (in 70 percent of instances the visual hacker wasn’t stopped by employees, even when using a cell phone to photograph data displayed on a worker’s screen). Virtually untraceable, visual hacking is a stealthy threat vector to guard against as employees become more mobile and data is accessed not only in the office but also in public places like airport lounges, public parks, and coffee houses.

Source: 3M Visual Hacking Experiment

Visual hacking is just one example of hacking people, however. Employees can also be targeted through other relatively low-tech means like social engineering and spear phishing. Insider threats are an increasing area of concern as well: as seen in reports that the high-profile Sony attack was possibly aided from the inside, employees driven by contempt for their employers or motivated by monetary gain have the knowledge and the means to thwart many of the data security measures companies have in place.

Looking to the future, what can companies do to mitigate the risk of their people being hacked? Protecting against these threats will require new thinking and a greater commitment from the workforce at large. Defenses against network hacking are largely passive from the worker’s point of view and can often operate with minimal interference in day-to-day tasks. To protect against hacking people, by contrast, IT security teams will need a consistent and robust defense-in-depth plan, with increased buy-in from employees across all levels and functions.

A shift in corporate culture toward an environment that values data privacy and security is imperative. Focus on changing people and changing behaviors toward the belief that protecting company data is everyone’s responsibility. IT security teams must work with leadership in all areas to encourage candor, even praising employees who bring forward information about holes in data security plans or who report colleagues with possibly nefarious intentions. A self-policing culture can help mitigate risk, as can a thorough assessment of the data access actually needed by employees in each function and at each level, so that access is granted on a need-to-know basis.

Companies can also give employees tools to thwart hacking people. In the case of visual hacking, provide privacy filters for device screens and lock boxes for physical documents to shield information from wandering eyes. Finally, policies and procedures should include measures to protect against hacking people. Employee training sessions on these threats and an ongoing communication plan reinforce the company’s commitment to safeguarding confidential information.

As technology progresses, the digital universe will continue to expand exponentially. But by protecting both people and systems from hacks, IT security teams can defend against the growing number of cyberattacks to come.

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a privacy consultant for 3M. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information ...

Comments
Joe Stanganelli, User Rank: Ninja
3/2/2015 | 12:14:05 AM
Watch your back low-tech-wise.
Reminds me of a story a friend recently told me.  Sitting at an airport gate not too long ago, she watched as a mortgage executive sitting next to her with a bag full of sensitive PII documents (FNMA 1003s and the like) left his bag behind on his seat while he went to the bathroom.

Fortunately, nothing happened, but for all he knew, she or some other person could have easily flipped through the documents or even stolen them, snagging people's SSNs and other PII.
starace, User Rank: Apprentice
2/28/2015 | 10:18:41 PM
Hacking and Loyalty
This was an interesting article and I can see how easy it is for a company to get hacked. It makes you wonder about all the temps that are hired in a company. Are they really in need of a job, or are they on a recon mission?

As for training or "arming" the employees with information about social engineering practices or visual hacking, why should an employee care? I remember back in the '90s when companies let go of tens of thousands of people and began cutting back on benefits and increasing demands and took away pensions to the point where job loyalty has become non-existent. It is rare to find a company that truly cares about its employees. This has led to high turnover. High turnover with many disgruntled employees looking for a way to screw their former boss or company. Even if they are not disgruntled, why should the employee be loyal or even care if someone was hacking the company? Employees just keep their mouths shut and pretend nothing happened. They are only interested in getting their paycheck and not making waves. How are we to get these employees on our side?
Joe Stanganelli, User Rank: Ninja
2/26/2015 | 2:19:26 PM
Re: The anatomy of a data breach
@EmilyAmber: Thanks for this info/link.  Very helpful.

I know a number of people who work or have worked at McGladrey.  Feel free to connect.
Marilyn Cohodas, User Rank: Strategist
2/26/2015 | 12:44:02 PM
Re: this reminds me...
My guess, for the majority of typical end-users, it's: overwhelmed.
Kerstyn Clover, User Rank: Moderator
2/25/2015 | 10:07:26 PM
Re: this reminds me...
To piggyback on your question about people perhaps underestimating the classics - something I have seen when conducting similar tests has been that many employees who feel overwhelmed by policies and security requirements resort to more old-school methods of data control. The classic "I can't ever remember my password so I put it on a sticky note on the screen" issue. I wonder how many of these problems are negligence vs. lack of awareness of the threat vs. just being overwhelmed?
dav92178, User Rank: Guru
2/25/2015 | 11:40:49 AM
Data in the 3M report
I'm confused; on page 2 it reads, "The researcher was not permitted to capture images by camera or scanning technologies."  Yet on page 3 it reads, "Here, the researcher used his or her smart phone's digital camera to take pictures of what appeared to be business confidential information on the computer screen or terminal."  These facts appear to be in conflict.

I found Figure 10 to be the most disturbing, but I am curious to know more details around this.  Such as which industries responded during each task (or not at all).
Sara Peters, User Rank: Author
2/25/2015 | 11:12:44 AM
this reminds me...
...of those "clean desk" lessons that used to be more common in security awareness programs. As a naturally messy person, I always rejected that idea, and decided it was better to keep a super-messy desk on which nobody could find anything.  :)   Larry, do you feel that as people become more aware of cyber-threats that they forget/underestimate the power of old-school social engineering?
EmilyAmber, User Rank: Apprentice
2/24/2015 | 11:12:33 AM
The anatomy of a data breach
Good information from the study. Information security can be managed by implementing multi-level authentication and a firewall system that can protect the data from the hackers. I work for McGladrey and we have an infographic on our website: bit.ly/mcgldrydatabreach