This is a post I have been meaning to write for a while and it seems a worthy distraction from the Ethics essay I am currently supposed to be writing (read: Richard is procrastinating).

Something which I think is often underestimated is the risk to corporate data when it leaves the building, be it on backup tapes, other removable media or in a slightly different sense on the screens of employees who catch up on work during their trip to and from the office. Ease of access to the internet afforded by technologies such as 3G mean that people are more and more using their daily commute to carry on business activities. The benefit of dedicated office space, even open plan, is that it affords a level of physical security for an organisation’s information; it is much harder for an outsider to read over someone’s shoulder in the office than on the train. This situation is not limited to public transport, cafes and fast food outlets with wireless access points are subject to this weakness too. It is amazing the information that one can glean sitting next to someone naively tapping away at an email on their laptop, I have seen people reading marketing and sales reports (the most recent example was a survey post a product recall) as well as business email and other documents that their employer would probably regard as sensitive. If you watch carefully you will be able to observe addresses for SSL VPNs, Outlook Web Access and other webmail pages, usernames and internal software in use, even source code for internal applications and web pages, all useful to an attacker in one way or another.

Obtaining information in this way can be of use to both the opportunistic attacker, casually observing that company X is about to launch an advertising campaign to pre-empt some negative publicity or is using an out-dated version of a particular piece of software, and the attacker with a specific target in mind tasked with obtaining information about a competing company. The approach each takes will be somewhat different but the end result is the leakage of information from a company’s network that Data Loss Prevention systems are currently unable to protect against and which the target may never be aware of.

This lack of physical security facilitates compromises which require no technical hacking skills (after all, the target is doing the hard work of gaining access to the network for you, though granted, you are limited to what they are accessing at the time), are very difficult to detect and have the potential to be extremely damaging. This type of compromise is in fact a form of social engineering attack and while there is a certain amount of subtlety required, it is surprisingly little in most cases. As with any social engineering the best form of defence is awareness and education, you are not going to stop people from working on the way home (it’s much more appealing that doing it when you get home) but if they are aware of the possibility perhaps they will think twice before opening that strategy email.

I’m sure that this kind of surveillance is nothing new but it is, perhaps, something which is underestimated when considering the protection of sensitive information.