With the advent of nearly omnipotent video surveillance, the age-old saying “a picture is worth a thousand words,” scares me more today than it ever has. Many highways and most major metropolitan areas are largely covered by video, and thousands of homes have video surveillance.
Guess what? The vast majority of this material is uploaded to the internet. My four “digital native” children take pictures and video all the time to send to friends, solve problems through crowdsourcing, or just record for recall at a later time. Needless to say, there have been several high-profile court cases that were heavily swayed by, you got it, video, many times recorded by an innocent bystander.
So, why do I care about all this? In my opinion, this is an area of potential data loss or theft many of us information security practitioners are not giving enough attention. Let's talk about some of the risks and how they might materialize. Home video surveillance cameras spy on you as you work on your company machine at home, potentially recording data as well as account/password information as you log into company systems or your bank account. Given all those nasty security restrictions in place at the office to prevent you from emailing data or saving files into an Excel spreadsheet or downloading to a USB stick, perhaps you will perform a workaround and just snap a quick picture of the screen with all the customer data so you can MMS it to the helpdesk person to get assistance with an application problem.
Another possible scenario: The competition has finally offered me a new job I can't refuse. If I make my revenue numbers, their sales incentive program will double my salary. Given system restrictions and the likelihood that Big Brother is watching, I'll just video record all my customer information from my laptop screen. I can then convert it into my CRM system later.
These two examples serve as just a few models of how pictures/video can be easily exploited with or without malicious intent.
What can we do about it? We can disable camera and video capability on company-provided devices and collect all personal devices as people come in the door each day.
Seriously, as usual there is no perfect answer or magic silver bullet to deal with this rapidly evolving issue. However, we can provide education and awareness to senior leaders, IT personnel and end-users to make sure they understand the potential risk, work diligently to minimize the amount of sensitive or proprietary information displayed on screen, continuously strengthen access controls following a least privilege approach, and last but not least, help drive a clear definition of the company's crown jewels and work to make that information difficult to record.
Stay diligent my friends!