Alfred Hitchcock was right to warn us to beware of strangers on a
train. The difficulty has always been that you cannot tell the good
guys from the bad, making commuting perilous for your company's
security, writes Stuart King
For an increasing number of commuters their train journeys are an
opportunity to plan the day's business, read and write e-mails or
perform other business-related tasks.
On my morning trip - the 6.42 from Hitchin to Kings Cross - I
decided to see what information I could glean by looking over the
shoulders of fellow travellers, mostly working on their laptop PCs,
and whether or not this information could pose a security threat to
their organisations.
I got off to a flying start. As I stood in the aisle, clasping my
coffee, I was clearly able to see the agenda for the day's business
meetings being organised by the employee of a well-known City law
firm. The e-mail contained his name, the names of the other people
involved in the meeting and the names of the clients.
Moving through the carriage, my attention was drawn to a woman
reading through a pile of CVs. Peering over the top of my Daily
Mail, I could see the name and address of the job applicant. I
could not deduce the company or position being applied for but I
could see the applicant's current position and employer.
Two blocks of seats away, another gentleman used the password
"partytime" to log into his Windows session, then proceeded to work
on a PowerPoint presentation about a forthcoming business
proposition. This included projected expenditure, the total budget
for the project and the hierarchy of the project team involved.
All of this information is a potential goldmine for anyone intent
on breaking into a network or committing other data-related
misdeeds.
As the train pulled into a station a new stream of commuters
boarded while others disembarked. While this was going on, a suited
lady slept, her laptop case resting on the floor in the aisle by
her seat.
The journey from the station to my client's office involves a walk
through the City's main financial district. As I wandered along the
pavement beside the Bank of England I was able to glance through an
office window where I noted the name card on a desk and the
operating system in use on the desktop PC - together with the
version of the e-mail client.
In an era where many organisations are investing money in
state-of-the-art networks, intrusion detection solutions and other items to
add to the security infrastructure, the weakest link remains the
people we employ. The most securely stored data may be compromised
the minute the manager opens his laptop on the train or leaves
vital clues exposed on his desk.
Figures about how widespread the problem is are hard to come by,
but articles by the infamous hacker Kevin Mitnick, who was jailed
for his data-related crimes, suggest that information gleaned from
looking over people's shoulders, or other carelessness on the part
of end-users, played a large part in helping him to get the
information he needed to commit his crimes.
A recent survey of 150 office workers passing through London's
Victoria Station, conducted by the organisers of the Infosec
security conference, underlines the problem. It found that
two-thirds of the respondents were willing to reveal their log-on
passwords in a questionnaire on office habits.
Making staff aware of the implications of their actions, and
accountable for their outcome, is a major part of IT security. Many
professionals see it as just as important as installing a firewall
or running anti-virus applications. An internal security awareness
scheme with related training complements the security policy. It is
an ideal means of informing users of their responsibilities as well
as maintaining the integrity of business information.
The information gained during my journey could be used in a variety
of ways. The names of personnel might be used in attempts to
"engineer" information from a company. Internet searches through
Usenet may reveal e-mail addresses and other pertinent information
about the tools that the business uses (for example, John Smith of
company XYZ may have asked a newsgroup for help with configuring a
firewall or router - it does happen).
Knowing the operating system that an organisation works with can
save the potential hacker time and allow him to deduce other
information about the network. Similarly, if Outlook is seen as
being the e-mail client, it is a sure bet that Microsoft Exchange
is working as the server.
Most serious of all, business-confidential information should not
be on display in train carriages at any time. It may end up as the
topic of conversation in the coffee room of your biggest rival.
Personnel issued with laptop computers have a responsibility to
look after them. Research from the Royal & Sun Alliance found
that 67,000 laptops were lost in the UK last year, while Thames
Valley Police estimate 8,000 went missing in their region alone -
including the case of one MI5 officer who lost his laptop on a
train. Many portable devices will hold sensitive information
potentially far outweighing the value of the hardware.
We cannot prevent people working in public places, but we can
dictate that they use common sense and take reasonable measures to
safeguard their equipment and company data.
Use the corporate security policy to state what an end-user's
responsibilities are. Most organisations these days have some form
of policy. I asked the staff of one recent client, "Can you tell me
where your security policy is?" Their response was worrying but not
unusual. Not only could no one tell me where the policy was, or
what its contents were: few employees were aware that there was
such a policy.
The policy itself was comprehensive and thorough, as far as it
went, but it did not cover use of laptops off-site, nor did it
cover working procedures outside the office. It cannot,
therefore, be a surprise for an organisation to find that its plans
are being compromised on the morning train.
Risks to avoid while commuting
- Putting business-critical information on public view
- Showing personal e-mails
- Giving away passwords to prying eyes
- Exposing company information
- Falling asleep leaving business laptop in the aisle
- Allowing eagle-eyed travellers to view enough information to
mount a network attack.
Stuart King is an independent security consultant. E-mail:
stuart@semrauking.com
www.infosec.co.uk
Join the Computer Weekly Infosecurity User Group, free to anyone
with responsibility for IT security. For details e-mail:
cwinfosecurity@rbi.co.uk