Information leaks (remix no tech hacking for Secus)
Translation courtesy of Steven McElrea
For several years now, organizations have been investing enormous amounts of money in protecting their Information. Implementations of firewalls, antivirus and intrusion detection systems are a clear indication of their efforts. Today’s security officers are now in better control and understanding of their infrastructure, which should be sufficient in regards to security. Unfortunately, even in the presence of growing security practices there remains one fundamental flaw… Human.
As a result, people tend to quickly become complacent, even in public places, in situations where they are in a habit of feeling safe and secure. Laptops, mobile devices are all instigators of such behaviour. This gives users a false sense of security, as if they were at home or in the office. Lowering one’s guard can have disastrous consequences. Is it not true that obtaining relevant information on the competition is the first step towards winning the battle?
Here for you are 2 examples, so as to drive the point across that one needs to be “on the ball” on this. First an office building, the second makes reference to a train.
The Office, aka “Clean desk policy”
People tend to take for granted that no one is looking. So they leave in plain sight a slew of information on their desk and monitors for prying eyes to see; Information that could be considered confidential, possibly fueling a large scale attack against the organization. One does not need to be equipped like James Bond to easily gather this material. Take for instances this individual’s agenda in the picture below. This informs us of his schedule, his daily routine. This can help prepare a social engineering attack later down the road.
Trains, aka “Open Wi-Fi Access”
Public mode of transportation such as planes, trains and buses are interesting environments when it comes to observing and studying human behaviour towards the protection of information. Since people are forced to sit and wait, they work. From the moment they turn on their laptops they immediately fall back into their office routine. So any diligence, usually taken when in public, disappears. Many read email, usually containing sensitive information, or read documents and memos. Information which must not be read by outsiders…
The above image is interesting. It exposes another type of problem. Obviously the computer is equipped with a protective film on the screen. As shown, the owner is not taking the necessary precautions to correctly block prying eyes. A sense of security can sometimes push people to behave in unsecure manners, but that is left for another discussion.
We can assume the information stored on the laptop is of a certain value. If not the company wouldn’t have taken steps in protecting its content this way. Unfortunately the user wasn’t properly trained in using the protective measure and made aware of the value stored on the device. Result, the laptop is a prime candidate for theft.
Then there are the careless employees who leave their Facebook page open. Not to mention the wealth of information they tend to divulge about employers, contracts, current mandates all over the phone… in a plane. For a competitor, or even a client, all this information could be worth thousands if not millions.
These types of leaks aren’t exclusive to overly loud cell phone conversations or unattended computer screens. Sometimes important pieces of paper can find themselves right there, out in the open to be read by who-ever is looking in that direction.
Solutions
Each individual must be aware they are exposing valuable information when “plugged-in”. Training people to be more aware of their surroundings will help them be more vigilant when in public and other situations outside the office.
Everyone must be made to understand the reason why their employer’s information is important to keep safe. Once they comprehend the importance of the data they hold and the consequence if lost, users will naturally want to protect them.
We must all learn and adopt proper safe behaviour when it comes to protecting our information. It should be as obvious as locking one’s door or keeping one’s PIN secret.