
Beware the 'visual hack'

Taylor Armerding | March 17, 2015
The most common form of human hacking is social engineering. But that doesn’t mean there is no danger from old-fashioned physical spying in your office.

When it comes to cybersecurity, people are the biggest problem. Or, you could make that "problems."

At least machines or computers will do what we tell them to do -- unless somebody else sneaks in and tells them to do something different. People, not so much -- even if their intentions are good. They forget, get careless, get fooled or, in some cases, turn malicious.

And there are many different ways to fool them, which is why experts are essentially unanimous that the "human element" is the weakest link in the security chain.

The bad guys know this as well, of course, and with security technology improving, have focused on that weaker link: Instead of hacking the system, they hack the human.

The most common way to do it is through social engineering -- tricking people into clicking on a link that appears to be from a legitimate vendor, on a legitimate website or in an email from a "trusted" source.

Indeed, it is social engineering that tends to be the major focus of security awareness training.

Larry Ponemon, chairman and founder of the research firm Ponemon Institute, doesn't take issue with that. But he contends that organizations and individuals need to focus on "visual hacking" as well.

In a recent blog post, Ponemon even wrote that, "we'll soon begin to see a profound shift from malicious parties hacking systems to hacking people."

Other experts, and Ponemon himself, agree that the shift has been under way for some time. Visual hacking is nothing new. It long predates the digital era. David Monahan, research director, security and risk management at Enterprise Management Associates, calls it "the oldest form of hacking. It has existed since there were three people, something to write on and a secret two of them wanted to keep," he said. "We usually call it shoulder surfing."

But most of the warnings about shoulder surfing are aimed at those who use their mobile devices in public places -- airports, parks or coffee shops with free WiFi -- where hackers try to pick up credentials or other sensitive information simply by looking at an unguarded screen.

Ponemon's post was more about visual hacking in the office. He wrote of a recent research experiment his company did, sending a white-hat hacker into the offices of eight U.S. companies, under the guise of a temporary or part-time worker.

"(I)n 88% of attempts, the white-hat hacker was able to visually hack sensitive information from a worker's computer screen or hard copy documents," he wrote. That information included, "employee contact lists, customer information, corporate financials, employee access and login information, and credentials or information about employees."


Sign up for CIO Asia eNewsletters.