Seeing Is Believing: Information Security Policy and the 'Visual Hack'

"Visual hacking" is on the rise. Here's how better information security policy can reduce the risk.

Businesses are getting better at detecting and countering major cybersecurity threats. They understand the value of solid information security policy to safeguard against ransomware attacks and are now implementing effective employee training plans to reduce the efficacy of hackers' top method: phishing. As IT Pro Portal notes, 85 percent of firms have suffered phishing attacks (whether they know it or not), and combined with rising ransomware threats, it's no surprise that enterprise IT efforts focus on increasingly aggressive and sophisticated attacks.

The problem is that attackers aren't above using more low-tech methods to achieve their aims, too.

Here's what you need to know about one such method, "visual hacking."

Now You See It ...

The concept of visual hacking is simple: Malicious actors physically see what's on employee computer and mobile device screens or watch as staff enter their passwords for network access. Then they leverage this information to compromise key systems or blackmail businesses, often for bitcoin. According to Infosecurity Magazine, visual hacking is successful 91 percent of the time — and, as The Drum notes, 93 percent of visual hacks take less than 15 minutes. In most cases, employees aren't aware that anything untoward is going on, often because they're focused on their tasks.

What does visual hacking look like in practice? At the office, it might be a guest or contractor whose intentions aren't entirely aboveboard. They see something on computer screens (or sticky notes) that piques their interest and file it away for later. Outside the office, employees could be at risk using their mobile device when visiting clients or put themselves in the digital line of fire by accessing corporate data in public places such as coffee shops and airports. Simply put, if you can see what's on the screen, so can almost anyone else nearby — and their intentions aren't always benign.

What's Yours Is Mine

What are the potential outcomes of a successful visual hack? The best-case scenario is that staff notice someone snooping, close any open applications and report the potential breach to IT.

But in other cases, malicious actors may capture smartphone images from screens that offer value, such as new product specifications or intellectual property data they could sell online or use as leverage for a payout from the affected business.

There's also potential here for credential theft if attackers watch an employee enter their username and password, credentials that could later be used to access corporate networks. Armed with critical data, hackers could compromise systems without IT's knowledge, exfiltrate data or create persistent network back doors.

Hiding in Plain Sight

Visual hacks work. According to CFO, the Ponemon Institute's Global Visual Hacking Experiment found that white-hat hackers posing as temporary office workers (complete with visible security badge) were able to view and record sensitive data from a computer screen, place documents labeled "confidential" into a briefcase and take pictures of displayed data with smartphones — all without staff reporting anything suspicious.

So how does your organization write solid information security policy that addresses the risk of visual hacking? Here are four best practices to implement.

Lock it down

Limiting the number of active screens can help reduce the chance of visual hacking. Start with the tech side: Implement tools that force screen lockout after a specified period of inaction. Then, make it clear to employees that they should self-lock computers or phones whenever visitors are present.
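As an added example that is not part of the original article, the PowerShell script below audits a Windows endpoint's idle screen-lock settings against a maximum idle time and, when run with -Enforce from an elevated session, applies them. The registry locations are the ones Windows uses for the "Interactive logon: Machine inactivity limit" policy and for the per-user screen saver; the 300-second default and the script's name and parameters are assumptions made for this example, not values the article specifies.

```powershell
# Added example (not from the article): audit and optionally enforce an idle
# screen-lock timeout on a Windows endpoint. Assumes an elevated PowerShell
# session; the 300-second limit is an assumed value, not one the article gives.
param(
    [int]$MaxIdleSeconds = 300,
    [switch]$Enforce
)

# Machine-wide policy: "Interactive logon: Machine inactivity limit" (seconds).
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Per-user screen saver settings, which users can change by hand.
$userDesktop   = 'HKCU:\Control Panel\Desktop'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$inactivity = Get-RegValueOrNull $machinePolicy 'InactivityTimeoutSecs'
$ssActive   = Get-RegValueOrNull $userDesktop 'ScreenSaveActive'
$ssSecure   = Get-RegValueOrNull $userDesktop 'ScreenSaverIsSecure'   # password on resume
$ssTimeout  = Get-RegValueOrNull $userDesktop 'ScreenSaveTimeOut'     # seconds

# Collect every setting that is missing, disabled, or looser than the limit.
$findings = @()
if (-not $inactivity -or [int]$inactivity -gt $MaxIdleSeconds) {
    $findings += "InactivityTimeoutSecs is '$inactivity'; expected 1..$MaxIdleSeconds"
}
if ($ssActive -ne '1') { $findings += "ScreenSaveActive is '$ssActive'; expected '1'" }
if ($ssSecure -ne '1') { $findings += "ScreenSaverIsSecure is '$ssSecure'; expected '1' (lock on resume)" }
if (-not $ssTimeout -or [int]$ssTimeout -gt $MaxIdleSeconds) {
    $findings += "ScreenSaveTimeOut is '$ssTimeout'; expected 1..$MaxIdleSeconds"
}

if ($findings.Count -eq 0) {
    Write-Output "Screen-lock settings comply with a $MaxIdleSeconds-second idle limit."
    return
}

Write-Warning "Screen-lock policy drift detected:"
$findings | ForEach-Object { Write-Warning "  $_" }

if ($Enforce) {
    if (-not (Test-Path $machinePolicy)) { New-Item -Path $machinePolicy -Force | Out-Null }
    Set-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' -Value $MaxIdleSeconds -Type DWord
    Set-ItemProperty -Path $userDesktop -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $userDesktop -Name 'ScreenSaverIsSecure' -Value '1'
    Set-ItemProperty -Path $userDesktop -Name 'ScreenSaveTimeOut'   -Value "$MaxIdleSeconds"
    Write-Output "Settings applied; they take effect at the next logon or policy refresh."
}
```

Run it without switches from a scheduled task or endpoint-management agent to report drift, and with -Enforce to correct it. The machine inactivity limit is the control to rely on, because it locks the session regardless of which screen saver a user has chosen; the per-user values are checked as well because they are the settings staff most often loosen by hand. In a domain, the same values are better delivered through Group Policy so that a local change is overwritten at the next refresh.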

Limit exposure

Simple policies such as using "screen shades" and even angling screens to face away from high-traffic areas can reduce potential exposure.

Clean house

Staff will often use sticky notes and sheets of paper to record information like usernames and passwords and then leave them lying in plain sight. Implement a "clean desk" policy to help limit the chance of data theft.

See something, say something

Employees are often wary about reporting suspicious behavior, especially if guests have been vetted and approved by C-suite members. Solve this problem by creating clear policy: If staff see something suspicious, they should say something. Treat employee concerns seriously and never assume any visitor is "off limits" because of their status or reputation. This will help ensure that staff feel comfortable reporting anything odd.

Visual hacks are low-tech but highly successful. Combat this unsightly infosec risk with improved information security policy.