Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/23/2015
10:30 AM
Mari Frank
Mari Frank
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

A Hidden Insider Threat: Visual Hackers

Ponemon experiment shows how low-tech white-hat hackers, posing as temps, captured information from exposed documents and computer screens in nearly nine out of ten attempts.

When we think of hackers breaching systems and stealing information from where we work, we don’t usually suspect the people we work with as the guilty parties.

But insider threats are in fact a very real and growing challenge. SANS Institute surveyed nearly 800 IT and security professionals across multiple industries and found that 74 percent of respondents were concerned about negligent or malicious employees who might be insider threats, while 34 percent said they have experienced an insider incident or attack.

One potential method of attack is visual hacking, which is defined as obtaining or capturing sensitive information for unauthorized use. Examples of visual hacking include taking photos of documents left on a printer or information displayed on a screen, or simply writing down employee log-in information that is taped to a computer monitor. The visual hackers themselves could be anyone within an organization’s walls, including employees, contractors or service vendors, such as cleaning and maintenance crews, and even visitors.

In the Visual Hacking Experiment, a study conducted by Ponemon Institute and jointly sponsored by 3M Company and the Visual Privacy Advisory Council, white-hat hackers posing as temporary or part-time workers were sent into the offices of eight U.S.-based, participating companies.

The hackers were able to visually hack sensitive and confidential information from exposed documents and computer screens. They were able to visually hack information such as employee access and login credentials, accounting information and customer information in 88 percent of attempts and were not stopped in 70 percent of incidents.

Assess and Adapt

The best place to begin clamping down on visual privacy threats, no matter what industry you work in, is to perform a visual privacy audit. This will help you assess your key-risk areas and evaluate existing security measures that are in place.

Some questions to consider when conducting a visual privacy audit include:

  • Does your organization have a visual privacy policy?
  • Are shredders located near copiers, printers and desks where confidential documents are regularly handled?
  • Are computer screens angled away from high-traffic areas and windows, and fitted with privacy filters?
  • Do employees keep log-in and password information posted at their workstations or elsewhere?
  • Are employees leaving computer screens on or documents out in the open when not at their desks?
  • Do employees know to be mindful of who is on the premises and what they are accessing, photographing or viewing?
  • Are there reporting mechanisms for suspicious activities?

In addition to identifying areas where visual privacy security falls short, a privacy audit can help managers to make changes or additions needed to your organization’s policies and training.

Policies should outline the do’s and don’ts of information viewing and use for employees and contractors both in the workplace and when working remotely. Additionally, visual privacy, visual hacking and insider threat awareness should be made an integral part of security training, and reinforced through refresher training and employee communications.

Standard best practices

The specific measures you take to defend against visual hacking from insider threats will be unique to your organization or industry. For example, health care organizations are mandated under HIPAA to use administrative, physical, and technical safeguards to ensure the privacy and security of PHI in all forms, including paper and electronic form. But all organizations have the duty to protect customer and employee information, the organization’s intellectual property, confidences, and privacy interests. Standard best practices that apply to nearly every organization include:

  • A “clean desk” policy requiring employees to turn off device screens and remove all papers from their desks before leaving each night.
  • Requirements for masking high-risk data applications to onlookers using strategies from most secure to least secure.
  • Make shredders standard issue to all on-site units, especially nearby copiers, printers, faxes and a prerequisite for all who qualify to telework or qualify to use secure remote network access to corporate information assets.
  • Install privacy filters on all computers and electronic devices, both in the office and while working remotely, where sensitive data is extremely vulnerable. Privacy filters blacken out the angled view of onlookers while providing an undisturbed viewing experience for the user, and can be fitted to the screens of desktop monitors, laptops and mobile devices.

The growing problem of insider threats shouldn’t instill fear and suspicion in workers about the people they see and talk to every day while on the job. However, workers should understand that the threat is real and that they play an important role in helping protect their company’s sensitive data – and that of their customers – against this increasingly prevalent problem.

 

 

Mari Frank, an attorney and certified privacy expert, is the author of the "Identity Theft Survival Kit," "Safe Guard Your Identity," "From Victim to Victor," and "The Guide to Recovering from Identify Theft." Since 2005 she's been the radio host of "Privacy Piracy" a weekly ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
12/24/2015 | 11:06:38 AM
Good advice
Privacy screens and all that are very important, but if I ever see someone with a post-it note of their login password (or heaven forbid, for their password manager) tacked to their monitor again, I'll pull my hair out. 

It's one of the worst security gaffs and so many people do it. It's a great indicator that we need to move beyond passwords as soon as possible.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .