Shut the blinds: why physical threats can't be forgotten in cyber security

Virtual Windows Sealed While Physical Windows Left Wide Open
Security needs to exist everywhere

With cyber criminals growing in numbers and sophistication, organisations are constantly reminded of the importance of their security strategy and of having the right virtual defences in place to block adversaries.

But how often do we consider the physical vulnerabilities of our businesses when trying to protect crucial data? It's easy to forget that elements of cybercrime can take place in a physical realm and careless operations can be pounced upon by watching criminals.

David Liberatore, Senior Director of Technical Product Management at AppRiver, explains what kind of threats exist outside of the network.

TechRadar Pro: How is an organisation vulnerable from a lack of physical security?

David Liberatore: Historically, if you wanted to rob a bank, you had to go into the branch and 'hold up' the staff. But with advances in technology, the money moved online and criminals simply followed.

As a result, and with the constant evolution of IT security enhancements, many of the virtual ways into these establishments are being systematically sealed, with criminals looking for new ways to engineer their attacks and liberate the funds.

What better way than collecting freely available information by looking through the physical windows of businesses?

TRP: What is the risk of screens visible from the street?

DL: The practice of spying on people through their windows is likely as old as windows themselves. It's the combination of an old technique and new technology that makes it dangerous.

Keep in mind that serious data thieves can devote as much time as necessary to collecting various pieces of information. Someone with malicious intent, time and a zoom lens can easily piece together the information they need, and combining this with technology makes it much easier and less risky for them to commit the cyber theft.

TRP: What sort of information can criminals collect?

DL: User credentials from 'log in' boxes, emails, corporate database entry screens, even everyday 'documents' – in fact anything visible can be pieced together to create a picture of the organisation and used to launch an attack against it. Even something as simple as a person's name above a workstation is useful to a criminal.

TRP: Surely, if they're not accessing sensitive data, then there's limited risk?

DL: Organisations exposing corporate information through an open window are perhaps more vulnerable than if they had a key logger installed at the back of the device.

Many organisations have become so focused on their virtual security, that physical practices are being ignored, and that means the very information they're trying to protect could be stolen by passers-by.

TRP: How can information be used to launch an attack against an organisation?

DL: An example of how an attack may manifest itself is akin to a 'confidence trick'. An employee is observed for a period of time, allowing the scammer to glean enough details about the individual's life to strike up a conversation at an unrelated opportunity – a bar, coffee house, etc. – duping the employee with familiarity.

At the very least, the criminal will know the person's name and the company they work for, but adding details learned from observed emails, company documents, etc. could add weight to the conversation, trick the person into believing there's a relationship and ultimately fool them into disclosing additional information that's used in a targeted attack.

Another method is akin to the 'art of illusion'. The voyeur monitors, and then replicates, the typical emails received and read by the employee - from design to companies being dealt with, etc.

The scammer then creates and deploys a targeted spear phishing campaign to dupe the individual into treating the malicious message as benign and following the instructions.

If successful, the results could be catastrophic to the organisation involved. The infamous RSA breach is testament to the power of this type of attack method.

TRP: Is it just the organisation that's at risk?

DL: No, the employee too is at risk. Having monitored their habits, and using either of the techniques above, an employee could be duped into revealing enough information that allows the criminal to steal their identity, and we all know the impact this can have on someone's life.

TRP: What can organisations do to limit the risk?

DL: The lesson here is that you need layers of physical and digital security. Employee training and physical security measures – such as installing blinds and making sure they're being used.

Turn desks so employees face out, and screens face in. Use technology, such as spam and virus filtering, web protection, encryption and endpoint security, to thwart virtual attacks. Ultimately, it's a combination of both and businesses can't afford to focus on one at the expense of the other.

TRP: What can employees, whose screens are visible from the street, do to help?

DL: Vigilance is the key. If someone that they don't know tries to 'befriend' them, be guarded in their response – either in person, over the phone or even by electronic communication. Be wary of any unexpected emails, or any that don't look 'quite right'. If in doubt, check with the security team.

Desire Athow
Managing Editor, TechRadar Pro
