Spam, ransomware, phishing, spear phishing and SQL injection are all known attacks which can, and do, breach company and individual security. However QA finds many people do not think about the physical element (what can be physically seen and heard). Firewalls, antimalware, two factor and authentication do not protect against someone over-hearing a conversation, or seeing a screen. It is often said “people are the weakest link”.
Loose lips sink ships
A QA cyber expert was on a flight from a London airport to another location in the United Kingdom, and observed someone unlock their phone, from three rows back on the plane. This was the pattern:
Let’s consider for a second what a criminal actor could do, if it was them who had observed the unlocking, rather than QA’s expert.
Perhaps the phone belonged to a solicitor, who had worked on sensitive cases. The phone is therefore likely to contain much sensitive information that is potentially of interest to one party in the deal. How would a hacker go about gaining access to the target’s phone?
Step 1, Open source intelligence: On the law firm’s website, it talks about the deal and names this man as the solicitor participating in this high profile deal. The website lists his details, a Vcard and LinkedIn profile. Scour social media profiles and see where he lives, and timings.
Step 2, Observation. Put the office under surveillance, find out when he comes in and leaves, and where he goes to drink. One day tail him somewhere, visibly see his smartphone’s swipe pattern (it was, after all, visible from three rows back on a plane) and note it down. Leave him be.
Step 3, Intervention. Another day, stage a mugging and steal his phone.
The phone can be accessed with the swipe pattern, and with no technical wizardry, and the hacker has now broken through all of the other defences without leaving a trace on the law firm’s network.
The same applies to people carrying documents, or reading emails on a laptop or smartphone and entering passwords on a tablet or laptop. Every so often a government document is leaked as carried into a meeting, caught out by the long lens of a photographer outside No.10 Downing Street. Ministers may now be careful and carry documents in an envelope, but QA’s experts have observed multiple examples of people reading sensitive documents on paper or laptops whilst on public transport (including sensitive government documents).
Protecting information responsibly
The defences against such attacks are simple.
First, organisations should work to change norms and behaviours in their teams. Individuals should be aware of their surroundings, and the risks of conversations being overheard, or screens being seen. Raising awareness should be the first priority.
Second, a range of very-simple ‘off-the-shelf’ tools are available to reduce the risk. Most mobile phones now have fingerprint or face recognition, and using this reduces the risk that a passcode is stolen. Ensure all phones and laptops have privacy screens, limiting the angle of vision. Carry documents in envelopes.
These are low cost solutions, to what could be a very expensive problem. Data security doesn’t just mean high-tech; behavioural solutions are required too.