Information Security Advisor, August 2015
A deeper look at Nontechnical & Physical Security

In this issue:
- What is Physical Security?
- Share with Care: Keeping Personal Details Off of Social Media
- Asking tough questions you need to answer!
- Dumpster Diving & Garage Door Hacking
- Bed & Breakfast & Breach, Oh My!
- Tons of tips to beef up your nontechnical security savvy!
- What the bad guys can do without a computer

Good security comes from timely response. Report security incidents immediately!

Nontechnical and Physical Security

“There are so many physical security aspects to data protection, it ought to never be considered merely an IT security issue.”

Too often we hear people say things like, “Oh, I don’t know anything about security because I’m not technical.” We hear family members use their lack of computer savvy as a reason for poor security choices. Our friends look at us with glazed eyes whenever we mention “information security” or “security awareness” because, to them, it sounds like we’re going to start spewing technical jargon. Too many people hear “security” and instantly shy away from it for fear that they won’t understand it. Maybe you even find yourself thinking from time to time, “I could never understand all of that. I’ll let someone else worry about it.” Maybe it’s daunting to set up a secure wireless network or think about installing a firewall when you’re not entirely sure how they work.

But guess what? Security is much more than technical controls. While there are highly complicated technical aspects to securing networks and protecting data, there are many other components to strong security that don’t involve technical savvy at all! Security is something that everyone can play a role in, even without knowing the ins and outs of the internet or how computers work. When we look at the three domains of security - cyber, human and physical - we can see many examples of nontechnical security awareness in each.
We know to back up our personal digital files and not to click on phishing links in the cyber domain; we stay on the lookout for social engineers and pretexting scams in the human domain; but the physical domain is chock-full of so many great nontechnical lessons (Clean desks! Shredding! Situational awareness! Locked doors!) that we’re going to have to look at several of them in more detail. You play a key role in the security of our organization and your family’s assets. It doesn’t matter if you can program your own apps or don’t know what TCP/IP stands for. By focusing on nontechnical and physical security, your security awareness will greatly improve!
- Steven Hunt, Hunt Business Intelligence

Nontechnical Tip 1: When talking in a public area, keep your voice down so others cannot overhear personal or potentially sensitive work information.
Nontechnical Tip 6: Keep a clean desk.
Nontechnical Tip 178: Know and follow badge policy at work!
Nontechnical Tip 53: Protect your mobile device with a lockscreen.

Advice and articles are for information purposes only and intended as general safe practices. Please follow and adhere to applicable company policies.

What is Physical Security?

The physical domain is often overlooked because many people think “physical security” means security guards and cameras. With an emphasis on technical controls, many people tend to neglect physical concerns to their own detriment. Physical security encompasses a wide range of scenarios in all three of our security lives: professional, personal and mobile. Let’s take a look at some of them.

How would you answer these questions?

Professional:
- Who has access to your building?
- Who has access to areas in which sensitive data is kept?
- How do you control who has access?
- Do you keep a clean desk?
- How do you protect computer screens on site?
- How do you store/transport hard copies of sensitive data?
- Do you know and follow shredding policies at work?

Personal:
- Who has access to your home?
- How secure are the doors and windows of your home?
- How do you protect physical sensitive documents (medical, financial, etc.)?
- Where do you store physical backups of important data?
- Do you shred sensitive documents before tossing them?
- Does your family have a disaster recovery plan?

Mobile:
- Who has access to your mobile devices?
- Do you use lockscreens on all of your mobile devices to prevent unauthorized access?
- What do you do in the case of a lost mobile device?
- How do you protect mobile devices while traveling?
- Are you alert to who can read your screen when you’re using your device?

Smart Phone, Smarter Thief

A colleague told us this story about what recently happened to her aunt. While it’s terrible and cost her family member a lot of time, money and pain, it offers some important nontechnical security awareness lessons for us all:

My aunt had her purse stolen a couple of weeks ago. Everything was in it – phone, credit cards, wallet, some cash. As soon as she could, she found someone to let her use their phone to call my uncle to let him know what had happened. She expected him to be surprised, but he said calmly, “I know, honey. It’s awful, but I already got your text asking for our PIN, and I replied a while ago.” She flipped out, saying, “My phone was IN MY PURSE.” He realized what had happened, and they rushed down to their bank. They found out that ALL of the money in their account had already been withdrawn. The thief had figured out the right person to text for the PIN by looking in the contacts on my aunt’s cell phone and finding “Hubby.” Less than an hour later, he was able to steal all of their money.

How awful is that? When someone asks you for sensitive information through text messages, do not respond. Immediately call them to confirm. Avoid disclosing the relationship between you and the people in your contact list.

Nontechnical Tip 35: Never leave mobile devices unattended.
Use their real names instead of “Home”, “Missus”, “Hubby”, “Dad”, “Mom”, etc. If you receive a text unexpectedly from friends/family asking you to meet them somewhere, call them back to confirm!

Nontechnical Tip 49: Use passwords wherever possible to protect your privacy if your phone is lost.

Break-In Prevention

Physical security covers everything from situational awareness to protecting hard copies of confidential information. But it’s also about keeping physical spaces safe from intruders. Garage doors are one of the weakest spots on our homes and present an easy target for thieves. Do you often leave the garage door open? Do you leave the remote in your vehicle? The guys at Imminent Threat Solutions provide ten excellent tips for safeguarding your home by protecting your garage: http://tinyurl.com/pycgsjj

Bed & Breakfast & Breach, Oh My!

One of our colleagues recently stayed at a Hilton hotel. On the morning of his departure, he found his bill, with all his details, on the door knob… on the hallway side of his door. The public hallway. He saw that every door had an invoice, each with PII (Personally Identifiable Information) details of the guests, just waiting for a bad guy to come along and take the info he needs to commit identity theft on any one of those unsuspecting hotel guests. Take a look at the image of his bill (with his personal details redacted).

What should you do if you experience this? Talk to the hotel manager, then contact the hotel (or any similar establishment) and let their headquarters and management know what happened. If that’s too much effort, or if you can’t get an appropriate response, just post your complaint to their Facebook page or tweet at them. You WILL hear from them.

Is Dumpster Diving Really A Thing?

Yes!
It is an old-school tactic, but it’s still a common way to find food and resellable goods tossed by retailers. Organizations need to be aware of how much valuable confidential information is thrown out in physical form. Employee records, customer data, financial transactions... so many pieces of PII can be found on pieces of paper that get routinely tossed. It just takes someone with a little patience who doesn’t mind getting dirty to find them.

Is Dumpster Diving Legal?

The legality of dumpster diving is a little iffy. It’s totally illegal in some countries, including Italy and Sweden. In others, such as Canada and Germany, it depends more on the context of what was taken; if it was something of low value, the divers may not be prosecuted. While some divers have been prosecuted for theft, there is no common law expectation of privacy for discarded materials in the U.S. The best defense for protecting yourself, your organization and your family from dumpster divers is to shred confidential documents before disposing of them. Check out this video to see what kind of information can be found in a dumpster: https://www.youtube.com/watch?v=VgtqWnuN1W4

Share with Care: Keeping Personal Details Off of Social Media

We all love that social networks like Facebook and Instagram allow us to share the joy in our lives with our friends and family. We must remember to consider what we’re posting in such a public forum before doing so. When you post personal information such as your birthday, mother’s maiden name, or even your travel plans, you’re giving away information that someone could use against you. Never publicly post answers to security questions. Never publicly post passwords. Never post confidential work-related information.
“People love to post their tickets that have their first name/last name and confirmation number ALL over social media,” says security professional Jonathan Finney. With the information that people put out there, he “can change their flight, change their seats, make special requests like handicap services or other odd things.”

One of our colleagues found this photo in her Facebook newsfeed. One of her friends posted it, excited about her upcoming trip, without thinking about the security implications. We’ve blurred the information, but it includes her first and last names, the places she’s traveling from and to, the flight number, the gate number, the date, her confirmation number and the ticket number.

Using common sense does not require any technical prowess. Thinking about what kind of information you’re posting is a very important nontechnical security skill to have in your arsenal. Save yourself from identity theft and embarrassment by saying less!

Nontechnical Tip 291: Never post photos of your paychecks online!
Nontechnical Tip 292: Teach kids the risks of posting PII!

Nontechnical & Physical Statistics
- 62% of business owners and employees now use personal mobile devices for work. Make sure you know and follow all work-related mobile device policies!
- 37% of small business owners DON’T have a policy for confidential data storage & destruction.
- 70 million smartphones are lost each year and only 7% are recovered.

Video to Watch: No Tech Hacking

This talk by the well-known whitehat hacker Johnny Long, founder of Hackers for Charity, from the 2007 Defcon hacker conference is an eye-opening look at the nontechnical hacking tactics that the bad guys can use against you. He uses visual examples of people leaving valuable, personal information out in the open, and shows how this information can be used for nefarious purposes. You’ll certainly rethink how much you share in public. Definitely worth a watch!
http://tinyurl.com/notechhack

The number one cause of data security incidents is human error, according to a new report released by the US law firm BakerHostetler.

Ref: http://tinyurl.com/neujuaw • http://tinyurl.com/pqqympy • http://tinyurl.com/qeyyqce • http://tinyurl.com/o42r8sy