Give me a couple of minutes and I'll slip through your virtual private network (VPN), bypass your firewall, blind your intrusion prevention system and negate your disk encryption. To add insult to injury, I'll do it in your office while we drink a coffee and talk about the ball game. I'm not a brilliant hacker, I'm just your friendly office insider.
To a social engineer intent on extracting data from a company, the modern office reads like an open book. Over-the-shoulder reconnaissance reveals what is available, where it is and who has access to it – all the ingredients an adversary needs to succeed at a data breach.
Organizations that focus exclusively on network security may keep out external attackers, but that's not enough to prevent insider-driven breaches. Without also protecting data in use on computer screens, it's like locking the doors while leaving the windows wide open.
IT security practitioners tend to focus on networked security threats. Their daily routine consists of thinking about how to prevent hackers from stealing money and data, blocking services and damaging the corporate brand. Network security is still essential, but it's just not enough.
Let's talk about that ball game again. It's Monday afternoon and I cruise by your office. You turn around from your computer and we talk for a while. This sounds like no big deal, but while you're turned and talking to me I'm getting a perfect view of your computer screen. What's up on your screen right now? It could be nothing important, or it could be something very interesting. Let's say we're a public company, you're in finance and it's the end of a quarter. What is likely on your screen are our unreported financials – exactly what I need to do a little insider trading.
Every organization has its own sensitive data. Yours could be financial results or maybe patient records, credit cards, Social Security numbers, product plans, forecasts or engineering plans. Whatever it may be, chances are you did not intend to share everything with anyone who happens to get inside your office.
Studies of security breaches by the Secret Service, Verizon Business, Carnegie Mellon and others consistently reveal that 30 to 50 percent of incidents are caused by insiders. Social engineers, disgruntled employees, suppliers and competitors can be adept at maneuvering around strong controls to exploit points of weakness, including simply looking over someone's shoulder to steal information.
With insider incidents costing companies an average of $750,000 per year, the stakes are high. Even the U.S. government has recognized the issue and in 2010 updated the legal definition of computer trespassing to include “looking at a computer screen that an individual was not authorized to view.”
While the new statute makes it easier to prosecute social engineers, preventing them remains the primary challenge. What's lacking are technical security solutions to protect information over the last two feet of the network: from the screen to the user's eyes.
Awareness of the scope of insider breaches and their cost to companies and government continues to grow. Nowhere was this underscored more than by the WikiLeaks incident where large quantities of classified materials were exposed by the simplest of means. Despite years of emphasis and millions of dollars spent on information security, the State Department was embarrassed by a massive and unconscionable breach. Governments and businesses around the world are now pouring new resources into shoring up that weakness.
The trend in threat models is predictable: Insiders will persist in exposing the “low-hanging fruit” that is unprotected in our office environments. As organizations plan their security strategies they need to turn an eye toward observing the daily exposures taken for granted, and consider cost-effective solutions for minimizing unnecessary leakage.
Bill Anderson, founder and CEO of Oculis Labs, is a veteran security executive and cryptographer. He holds bachelor's and doctoral degrees in electrical engineering with a specialization in cryptography.