Dark Reading is part of the Informa Tech Division of Informa PLC


Larry Ponemon

From Hacking Systems To Hacking People

New low-tech attack methods like 'visual hacking' demand an information security environment that values data privacy and a self-policing culture.

Forty-four trillion gigabytes. That’s the anticipated size of the “digital universe” by 2020, according to the IDC Digital Universe Study. Encompassing all data created, replicated, and consumed in one year, this digital universe is largely created and used by a company’s workforce, but the task of protecting this enormous amount of data from hackers falls largely to IT security teams.

Data security professionals have built up sophisticated defenses against hackers targeting company networks and systems through high-tech attacks. However, as we layer cryptography with firewalls, intrusion detection systems, and other defenses, hackers will need to identify a new access point to proprietary company information, and I believe we'll soon begin to see a profound shift from malicious parties hacking systems to hacking people.

It's no secret that human error is a weak point in the data security pipeline. Ponemon Institute recently completed new research that illustrates just how easy it can be to hack people through visual hacking, a low-tech method used to capture sensitive, confidential, and private information for unauthorized use. During the 3M Visual Hacking Experiment, a white hat hacker was sent into the offices of eight companies throughout the U.S., under the guise of a temporary or part-time worker, to try to obtain sensitive or confidential information using only visual means. The information captured included employee contact lists, customer information, corporate financials, employee access and login information, and credentials or information about employees.

The findings shed light on the potential impact of hacking people: in 88 percent of attempts, the white hat hacker was able to visually hack sensitive information from a worker's computer screen or hard-copy documents. With identity and access information or login credentials (really, the "keys to the kingdom") in the hands of the bad guys, our corporate data is at serious risk for a much larger data breach. Unfortunately, these hacks generally happened quickly (63 percent were within a half hour) and went unnoticed (in 70 percent of instances, the visual hacker wasn't stopped by employees, even when using a cell phone to take a picture of data being displayed on a worker's screen). Virtually untraceable, visual hacking is a stealth threat vector to guard against as employees become more mobile and data is accessed not only in the office but also in public places like airport lounges, public parks, and coffee houses.

Source: 3M Visual Hacking Experiment

However, visual hacking is just one example of hacking people. Employees can be targeted through other relatively low-tech means like social engineering and spear phishing. Insider threats are also an increasing area of concern. As seen by reports that the high-profile Sony attack was possibly aided from the inside, employees driven by contempt for their employers or motivated by monetary gain have the intelligence and means to thwart many of the data security measures that companies have in place.

Looking to the future, what can companies do to mitigate the risk of their people being hacked? Protecting against these threats will require new thinking and a greater commitment from the workforce at large. Defenses against network hacking are largely passive for workers and can often operate with minimal interference to day-to-day tasks, but to protect against hacking people, IT security teams will need a consistent and robust defense-in-depth plan, with increased buy-in from employees across all levels and functions.

A shift in corporate culture toward an environment that values data privacy and security is imperative. Focus on changing people and changing behaviors toward the belief that protecting company data is everyone’s responsibility. IT security teams must work with leadership in all areas to encourage candor, even praising employees when they bring forth information on holes in data security plans or report employees with possibly nefarious intentions. A self-policing culture can help mitigate risks, as can a thorough assessment of the access to data needed by employees of certain functions and levels.

Companies can also provide employees with tools to thwart the hacking of people. In the example of visual hacking, provide employees with privacy filters for device screens and lock boxes for physical documents to shield information from wandering eyes. Finally, policies and procedures should reflect measures to protect against hacking people. Employee training sessions on these threats and ongoing communication plans reinforce the company's commitment to safeguarding confidential information.

As technology progresses, the digital universe will continue to expand exponentially. However, by protecting both people and systems from hacks, IT security teams can protect against the growing number of cyber-attacks moving forward.

Dr. Larry Ponemon is the chairman and founder of Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices, and a privacy consultant for 3M. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information ...

Comments

Joe Stanganelli
User Rank: Ninja
3/2/2015 | 12:14:05 AM
Watch your back low-tech-wise.
Reminds me of a story a friend recently told me.  Sitting at an airport gate not too long ago, she watched as a mortgage executive sitting next to her with a bag full of sensitive PII documents (FNMA 1003s and the like) left his bag behind on his seat while he went to the bathroom.

Fortunately, nothing happened, but for all he knew, she or some other person could have easily flipped through the documents or even stolen them, snagging people's SSNs and other PII.

User Rank: Apprentice
2/28/2015 | 10:18:41 PM
Hacking and Loyalty
This was an interesting article and I can see how easy it is for a company to get hacked. It makes you wonder about all the temps that are hired in a company. Are they really in need of a job or are they on a recon mission?

As for training or "arming" the employees with information about social engineering practices or visual hacking, why should an employee care? I remember back in the 90s when companies let go of tens of thousands of people and began cutting back on benefits and increasing demands and took away pensions to the point where job loyalty has become non-existent. It is rare to find a company that truly cares about its employees. This has led to high turnover. High turnover with many disgruntled employees looking for a way to screw their former boss or company. Even if they are not disgruntled, why should the employee be loyal or even care if someone was hacking the company? Employees just keep their mouths shut and pretend nothing happened. They are only interested in getting their paycheck and not making waves. How are we to get these employees on our side?

Joe Stanganelli
User Rank: Ninja
2/26/2015 | 2:19:26 PM
Re: The anatomy of a data breach
@EmilyAmber: Thanks for this info/link.  Very helpful.

I know a number of people who work or have worked at McGladrey.  Feel free to connect.

Marilyn Cohodas
User Rank: Strategist
2/26/2015 | 12:44:02 PM
Re: this reminds me...
My guess, for the majority of typical end-users, it's: overwhelmed.

Kerstyn Clover
User Rank: Moderator
2/25/2015 | 10:07:26 PM
Re: this reminds me...
To piggyback on your question about people perhaps underestimating the classics - something I have seen when conducting similar tests has been that many employees who feel overwhelmed by policies and security requirements resort to more old-school methods of data control. The classic "I can't ever remember my password so I put it on a sticky note on the screen" issue. I wonder how many of these problems are negligence vs. lack of awareness of the threat vs. just being overwhelmed?

User Rank: Guru
2/25/2015 | 11:40:49 AM
Data in the 3M report
I'm confused; on page 2 it reads, "The researcher was not permitted to capture images by camera or scanning technologies."  Yet on page 3 it reads, "Here, the researcher used his or her smart phone's digital camera to take pictures of what appeared to be business confidential information on the computer screen or terminal."  These facts appear to be in conflict.

I found Figure 10 to be the most disturbing, but I am curious to know more details around this.  Such as which industries responded during each task (or not at all).

Sara Peters
User Rank: Author
2/25/2015 | 11:12:44 AM
this reminds me...
...of those "clean desk" lessons that used to be more common in security awareness programs. As a naturally messy person, I always rejected that idea, and decided it was better to keep a super-messy desk on which nobody could find anything.  :)   Larry, do you feel that as people become more aware of cyber-threats that they forget/underestimate the power of old-school social engineering?

User Rank: Apprentice
2/24/2015 | 11:12:33 AM
The anatomy of a data breach
Good information from the study. Information security can be managed by implementing multi-level authentication and firewall systems that can protect the data from the hackers. I work for McGladrey and we have an infographic on our website: bit.ly/mcgldrydatabreach