How the open plan office is helping hackers

Introduction and rules needed




The open plan office has become increasingly popular for businesses. Closed-off offices and cubicles are fast becoming consigned to the history books, but this trend raises a very important question in terms of protecting sensitive information – just what data is exposed to hackers in the open plan office and how does the CISO manage this information security problem?




Last month, a study by AppRiver found that practically every street it visited in the City of London, home to many high-profile businesses and organisations, has at least one window (the good old-fashioned glass variety) framing a user's screen on the first floor.




Just looking…




In fact, some of the streets surrounding Cheapside not only had screens noticeable on the first floor, but banks of them at street level too.




The research found that one corner, flanked by two different high-profile banking institutions, had over 150 screens on the ground floor between the two buildings, facing the street and just a few metres from the glass; half of them had a user's nameplate above the workstation. The firm says the practice leaves the organisations vulnerable to 'walk-by' data theft.




The survey found that login boxes, emails, what appeared to be corporate database entry screens and numerous documents were all visible to the naked eye from the street. The study's findings point to a situation where an attacker with time and a zoom lens could piece together the information needed to launch an attack against any of these organisations: a nameplate gives a name, a login box gives a username format, and an open email gives the names of colleagues and suppliers to impersonate.




"Historically, if you wanted to rob a bank, you had to physically go into the branch and 'hold up' the staff. But with advances in technology, the money moved online and criminals simply followed," says David Liberatore, senior director of technical product management from AppRiver.




"As a result, and with the constant evolution of IT security enhancements, many of the virtual ways into these establishments are being systematically sealed with criminals looking for new ways to engineer their attacks and liberate the funds. What better way than collecting freely available information by looking through the physical windows of these businesses."




A minefield




Bob Massey, principal consultant of Compliance 3, a company that helps contact centres achieve and maintain PCI DSS compliance, says that as the open plan office can allow easy access to sensitive information, both basic and sophisticated methods and rules need to be implemented.




"Any open plan office has people walking around – some of these could be visitors, clients, job applicants, suppliers – any of which could take the opportunity to either capture data from conversations or pick up documents. To be safe, anybody in a location that they're not authorised to be in should be challenged, and sensitive or personal data removed from the equation," he says.




"The best businesses can do is make sure personal and payment data is inaccessible by staff. That means data is physically removed from the work environment and minimises the risks."







Checks and prevention




Guarding against visual hacking




Sensitive, confidential and private information being read off a screen by whoever happens to be standing nearby is a major risk to organisations. Workers move around and change desks, making it all too easy for someone to see material they shouldn't.




Jack Halewood, UK Account Manager of 3M Privacy Filters, points to research his firm commissioned which found there is an 80% chance that UK workers have already been victims of others reading over their shoulders.




"While it may be hard to pin down the contribution that 'visual hacking' makes to information leaks, the risk is real: after all, how many of us have been in a situation where we can easily overlook the content on someone else's screen?" he asks.




Halewood says he has heard of instances where information has been posted on social media as a result of someone's screen being viewed on a train, plus another example where another passenger suggested a spelling correction to a senior executive reviewing a document.




"While these are examples taken from public working environments, given the fact that many organisations have open plan working – often with visitors, contractors or suppliers walking through the building – the 'insider risk' is clearly there," says Halewood.




Preventing hackers leaving the office with important files




Erik Driehuis, EMEA vice president of Digital Guardian, says that in larger shared spaces, employees don't always know all of their colleagues, so wouldn't necessarily be able to spot an imposter on sight.




"Whilst there is currently no technology that can protect firms from thieves willing to memorise documents or write them out by hand, there is technology that can protect the company data from unlawful removal, copying or destruction. This security sits on the files and documents themselves, blocking access to those without permission and preventing them being removed from the company server," he says.




He says he has heard of thieves converting sensitive files into JPGs, changing the names, putting them in a ZIP file and burying it inside an unrelated folder, before trying to remove the whole lot from the server. In many cases, this would be a successful ploy. "However, if the sensitive file has been digitally stamped, then no matter how well hidden or buried it is, a thief would be blocked from transferring it onto a USB stick or emailing it outside of the company without permission," he says.
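The ploy Driehuis describes (rename to .jpg, zip, bury in an unrelated folder) only works against controls that key on the file's name, extension or location. The example below is an added illustration of why content-based marking defeats it; it is not Digital Guardian's code, and the fingerprint registry, the "customer list" and the thief's archive are all constructed inline. It stands in for the "digital stamp" with the simplest content-only identifier, a SHA-256 over the bytes, and it recognises ZIP containers by their magic bytes rather than by their name, so a ZIP renamed to look like a photo is still opened and each member checked.

```python
"""Content-based detection of a sensitive file that has been renamed,
zipped and buried in an unrelated folder.

Added example. The registry, the sensitive file and the archive are
constructed here; nothing is read from disk or a real DLP system."""
import hashlib
import io
import zipfile

# Fingerprints of files the organisation has classified as sensitive.
# Assumption: a DLP system populates this at classification time.
SENSITIVE_FINGERPRINTS = {}

MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)
MAX_NESTING = 8                       # refuse archives nested deeper than this


def fingerprint(data: bytes) -> str:
    """Identifier derived from content only; the filename plays no part."""
    return hashlib.sha256(data).hexdigest()


def register_sensitive(data: bytes, label: str) -> str:
    """Classify a file: from now on its content is recognised under any name."""
    digest = fingerprint(data)
    SENSITIVE_FINGERPRINTS[digest] = label
    return digest


def _scan(data: bytes, path: str, findings: list, depth: int) -> None:
    digest = fingerprint(data)
    if digest in SENSITIVE_FINGERPRINTS:
        findings.append((path, SENSITIVE_FINGERPRINTS[digest]))
    # A ZIP is identified by its local-file-header signature, not by '.zip':
    # 'holiday.jpg' that starts with PK\x03\x04 is an archive and gets opened.
    if data[:4] == b"PK\x03\x04" and depth < MAX_NESTING:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                _scan(zf.read(info), f"{path}/{info.filename}", findings, depth + 1)


def scan_outbound(data: bytes, path: str) -> list:
    """Return [(path-inside-transfer, label)] for every classified file found,
    however it is named or nested. Empty list means nothing recognised."""
    findings: list = []
    _scan(data, path, findings, 0)
    return findings


def build_thief_archive(secret: bytes) -> bytes:
    """Constructed reproduction of the ploy: the secret file is given a .jpg
    name and buried among real-looking photos inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday/2014/beach.jpg", b"\xff\xd8\xff\xe0 jpeg bytes (constructed)")
        zf.writestr("holiday/2014/IMG_0042.jpg", secret)   # the renamed customer list
    return buf.getvalue()


if __name__ == "__main__":
    customer_list = b"ACCOUNT,NAME,BALANCE\n1001,A. Smith,2500\n"   # constructed sample
    register_sensitive(customer_list, "customer-list")
    print(scan_outbound(build_thief_archive(customer_list), "holiday.zip"))
```

The caveat a practitioner would add: an exact hash is the weakest form of content marking, since changing a single byte of the file produces a new digest. Commercial DLP products use partial or rolling fingerprints and content classifiers for that reason; what the example shows is only the property that matters here, that the control travels with the bytes and not with the name, extension or folder.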




Checking employee behaviour




One of the most useful access control techniques for boosting information security and minimising the usefulness of credential theft in an open plan office is behavioural analysis, says SecureAuth's CTO, Keith Graham.




"By continuously analysing aspects of the user's behaviour during normal use, including keystroke dynamics, cursor movement, window interaction, and by comparing this to a previous behaviour profile for that user, one can determine whether it's the legitimate owner of the credentials trying to access the system," he says.




Graham adds that if the legitimate user leaves a workstation unattended and an attacker attempts to use it, the continuous authentication can recognise that the new behaviour doesn't match that of the previous behaviour and take action accordingly, such as raising an alert and/or locking the endpoint to prevent further unauthorised access, or stepping the user up and prompting them for a second factor.
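To make the mechanism Graham describes concrete, here is an added example of continuous authentication from one of the signals he lists, keystroke dynamics. It is not SecureAuth's code. It enrols a profile of per-digraph flight times (the gap between two consecutive key presses) from a few sessions, scores a new session by how far its timings sit from that profile, and maps the score to the three outcomes in the text: allow, step up to a second factor, or lock the endpoint. The typing data is synthesised inline, and the thresholds, the standard-deviation floor and the "30 ms slower per key" impostor are assumptions chosen for the illustration, not values from the article.

```python
"""Continuous authentication from keystroke timing.

Added example. All typing data is constructed; the thresholds are
assumptions for the illustration."""
import random
import statistics
from typing import Dict, List, Tuple

Keystroke = Tuple[str, float]              # (key, timestamp in ms)
Profile = Dict[str, Tuple[float, float]]   # digraph -> (mean flight ms, sd)

SD_FLOOR_MS = 5.0   # assumption: a near-constant digraph must not turn every deviation into a huge z-score


def flight_times(session: List[Keystroke]) -> List[Tuple[str, float]]:
    """(digraph, flight time) for each pair of consecutive key presses."""
    return [(k1 + k2, t2 - t1) for (k1, t1), (k2, t2) in zip(session, session[1:])]


def build_profile(sessions: List[List[Keystroke]]) -> Profile:
    """Enrolment: mean and standard deviation of flight time per digraph."""
    samples: Dict[str, List[float]] = {}
    for session in sessions:
        for digraph, ft in flight_times(session):
            samples.setdefault(digraph, []).append(ft)
    return {d: (statistics.fmean(ts), max(statistics.stdev(ts), SD_FLOOR_MS))
            for d, ts in samples.items() if len(ts) >= 2}


def anomaly_score(profile: Profile, session: List[Keystroke]) -> float:
    """Mean absolute z-score of the session's flight times against the profile.
    Digraphs never seen at enrolment carry no evidence and are skipped;
    0.0 means nothing overlapped at all."""
    zs = [abs(ft - profile[d][0]) / profile[d][1]
          for d, ft in flight_times(session) if d in profile]
    return statistics.fmean(zs) if zs else 0.0


def decide(score: float, alert_at: float = 2.0, lock_at: float = 8.0) -> str:
    """Map the score to the actions in the text: allow, step-up, lock."""
    if score >= lock_at:
        return "lock"
    if score >= alert_at:
        return "step-up"
    return "allow"


def make_session(text: str, base_ms: float, seed: int, jitter_ms: float = 10.0) -> List[Keystroke]:
    """Constructed typing data: every digraph has a fixed rhythm offset (0-120 ms,
    derived from the two characters) on top of a per-typist base, plus jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for prev, ch in zip(" " + text, text):
        rhythm = ((ord(prev) * 7 + ord(ch)) % 5) * 30.0
        t += base_ms + rhythm + rng.uniform(-jitter_ms, jitter_ms)
        out.append((ch, t))
    return out


PHRASE = "the quick brown fox jumps over the lazy dog"


def demo() -> Dict[str, str]:
    """Enrol the owner, then score the owner and two impostors at the same keyboard."""
    profile = build_profile([make_session(PHRASE, 120.0, seed=s) for s in range(6)])
    trials = {
        "owner":    make_session(PHRASE, 120.0, seed=100),
        "slower":   make_session(PHRASE, 150.0, seed=101),   # 30 ms slower per key: suspicious
        "stranger": make_session(PHRASE, 220.0, seed=102),   # 100 ms slower per key: not the owner
    }
    return {name: decide(anomaly_score(profile, s)) for name, s in trials.items()}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to a real deployment. The score only uses digraphs present in the profile, so a short burst of unfamiliar text cannot lock a legitimate user out; and the two thresholds are deliberately separate, because the cost of a false step-up (one extra prompt) is far lower than the cost of a false lock, so the lock threshold should sit well above the alert one and be tuned on the organisation's own false-positive data rather than copied from this example.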




Educating users about the perils




With open plan offices now the norm, organisations need to have policies and procedures in place to define what information can be accessed and where to safeguard themselves against hackers walking through the office.




After all, do you know who is reading this article over your shoulder?
From techradar





from http://bit.ly/1DmkMNE