Global Visual HackingExperimental Study: AnalysisSponsored by 3M CompanyIndependently conducted by Ponemon Institute LLCPublication Date: August 2016Ponemon Institute Research Report
Ponemon Institute conducted a “white hat” experiment involving actual visual hacking in real workplacesettings located in eight countries. Our mission was to test organizations’ readiness to detect and preventvisual hacking in the business office environment. Ponemon Institute’s benchmark community members2were contacted for participation in this research.We recruited 46 companies that allowed us to field our experiment within actual office locations. As noted in3Table 1, a total of 157 trials were conducted. By design, all field experiments occurred on premises during4the normal workday.Table 1: Frequencies of companies and trialsActual number of companiesproviding office venues8685754346Country locationsUnited StatesUnited leted trials4323221817131110157Figure 1 shows the primary industry classification of 46 participating companies. Eleven industries arerepresented in this study. The largest segments are financial services, public sector and health andpharmaceuticals.Figure 1. Distribution of sponsoring companies by industryn 46 organizations; 8 countries (combined)4%4%2%Financial services20%Public sector4%Health & pharma7%Energy & utilitiesManufacturingConsumer ducation9%13%Aerospace2This benchmark community consisted of 1,613 organizations at the time of this study.The earlier study’s U.S. results are combined with the current results from seven additional countries. Fortythree trials for U.S. organizations were conducted in July 2014. The additional 114 trials were conducted inseven countries from mid-January through early April 2016.4In most cases, participating companies used experimental results as part of training and awareness efforts.3Ponemon Institute Research ReportPage 2
Figure 2 shows 11 functional areas that provided the venues for this study. The largest functional areaswere customer services and data center operations.Figure 2. Distribution of experimental trials by office functionn 157 trials; 8 countries (combined)4%4% 1%4%Customer services23%Data center operations6%Accounting & financeSales management8%CommunicationsHuman resourcesIT help desk6%R&D19%LegalLogistics12%Quality assurance13%Figure 3 summarizes the headcount of employees who were located in the business office where the visualhacking experiment took place. Sixty-five percent of trials were conducted in local offices with 50 or moreemployees.Figure 3. Distribution of experimental trials by office headcountn 157 trials; 8 countries (combined)10%13%Less than 2521%25 to 5022%51 to 7576 to 100More than 10034%The researcher (a.k.a. visual hacker) was permitted to enter work areas and observe possible informationleaks viewed from unprotected paper documents, computer screens (terminals, desktops and laptops) andother mobile devices. While the researcher was a passive observer, she or he was permitted to handleactual documents residing in open spaces on copiers, printers and fax machines. The researcher was notpermitted to capture images by camera or scanning technologies.Ponemon Institute Research ReportPage 3
With the aid of a company liaison, the researcher posed as a temporary office worker or consultant with atemporary identity credential to enter and exit normal spaces, including locations where electronic5equipment resided. With the exception of the company liaison, office workers in each location were not toldin advance about the study and were only given minimal information about the role and function of thetemporary worker or consultant.The experiment required the researcher to record the type of potentially sensitive or confidential informationobserved during one two-hour session at each location. To preserve confidentiality, the actual informationobserved by the researcher was not revealed in the record inventory. Following are the different types of6information that could be recorded by the researcher: Personally identifiable informationInformation about customers or consumersInformation about employeesGeneral business correspondenceAccess and login information/credentialsConfidential or classified documentsAttorney-client privileged documentsFinancial, accounting and budgeting informationDesign documents, presentations and architectural renderingsPhotos and videos containing business informationTraining materialsAt the conclusion of each trial, the company’s liaison introduced the researcher to office workers in theimmediate office space where the experiment was conducted. These office workers were asked to completea debriefing survey to assess their perceptions and level of awareness about the experiment.About the experimentThis study involved one researcher assuming the role of a visual hacker. The researcher wore a temporarysecurity badge. The researcher was also assigned desk space and provided Internet connectivity throughthe visitor’s network. In most cases, the company liaison introduced the researcher as a temporary or parttime worker to office workers in adjacent or nearby desks. The researcher performed the following threetasks in full view of fellow office workers:Task 1: The first task required a relatively inconspicuous office walk-through to scout for information in fullview on desks, screens and other indiscrete locations. This office walk-through procedure required theresearcher to maintain a log of information types directly observable.Task 2: The second task required the researcher to grab a stack of business documents labeled as“confidential” off a nearby vacant table or desk and quickly put these documents in a briefcase. By design,this task was completed in full view of office workers.Task 3: The third and final task was the most conspicuous to office workers. Here, the researcher used hisor her smartphone’s digital camera to take pictures of what appeared to be business confidential informationon the computer screen or terminal.Debrief: At the conclusion of all three tasks, the company liaison and researcher conducted a debriefingsession with office workers located in the area of the experiment to determine their perceptions and level ofawareness about visual hacking. Did these office workers recognize this as a suspicious event or incident? Ifso, what actions did they take or fail to take to stop it? In most cases, this debriefing session was conductedon the same day as the experiment.5The company liaison was a supervisor or manager located in each office where the experiment wasconducted. Approximately two weeks before the experiment, this individual was given explicit instruction bythe researcher on the purpose of the research and the need for secrecy.6The researcher was instructed not to perform extraordinary tasks to observe documents or displayed data.Hence, the researcher relied solely upon casual observation to record information types.Ponemon Institute Research ReportPage 4
Part 3. Key FindingsFigure 4 provides the time distribution for the completion of 157 experimental trials. As can be seen, 38(2 8 28) percent of trials (not including debriefing) were completed in less than two hours.Figure 4. Histogram on the minutes to complete three experimental tasksn 157 trials; 8 countries %0% 6061 to 9091 to 120121 to 150151 to 180 1807Figure 5 shows the average minutes to complete all tasks by country. The average total time to complete allthree experimental tasks was 131 minutes (not including the debriefing session). Trials conducted inGermany had the lowest time to complete all experimental tasks. In contrast, trials conducted in France andKorea had the highest time to complete.Figure 5. Average minutes to complete three experimental tasks by countryGlobal average (baseline) 131 minutesn 157 0200FRSKINUKCHUSJPDEGlobalaverage7Following are the abbreviations used to identify country samples: CH China, DE Germany, FR France,IN India, JP Japan, SK Korea, UK United Kingdom, and US United States.Ponemon Institute Research ReportPage 5
A total of 613 instances of visually hacked information occurred in 157 experimental trials (an average of 3.9instances per trial).Table 2: Frequency of breached data types for 157 experimental trials (613 pieces of data)Information typesSKUSUKCHJPDEFRAccess and login information/credentials91987647969Attorney-client privileged documents1320101210Confidential or classified documents512521159401429116771019103Design documents or architectural renderings31033101223Financial, accounting and budgeting information517332131549General business correspondence216721541148Information about customers or consumers202171246823101Information about employees11161286351475Photos and videos containing business ing materials2463434834801687150363453121613Contact list and directoryTotal number of breached data typesINTotalFigure 6 provides the percentage frequency of information types visually hacked in this study. Theinformation type most frequently hacked contained contact lists and directories (including employeedirectories). At two percent, attorney-client privileged information was the least likely to be visually hacked inthis experiment.Figure 6. Percentage frequency of information types visually hackedn 613 pieces of data; 8 countries (combined)Contact list and directory17%Information about customers or consumers16%Information about employees12%Login credentials11%Financial, accounting and budgeting information8%General business correspondence8%Confidential or classified documents7%Training materials6%Photos and videos containing business 6%Presentations4%Design documents or architectural renderings4%Attorney-client privileged documents2%0%Ponemon Institute Research Report2%4%6%8% 10% 12% 14% 16% 18%Page 6
Figure 7 summarizes the distribution of 613 visual privacy breaches for the eight-country sample. For 43trials conducted in the U.S., the visual hacker was able to view 168 separate pieces of data (i.e., visualprivacy breaches). Similarly, for 10 trials conducted in Germany, the visual hacker was able to view 34pieces of data.Figure 7. Frequency of breached data types, by country (not weighted)n 613 pieces of USINSKUKFRCHAs can be seen in Figure 8, the average number of visually breached data types varies considerably, from alow of 2.0 in Germany to a high of 5.5 in India. The global average was 3.9.Figure 8. Average number of visually breached data types, by countryGlobal average (baseline) 3.9 breached data typesWeighted by the number of 00.0INFRCHPonemon Institute Research ReportSKUSUKJPDEGlobalaveragePage 7
Figure 9 reports the frequency distribution for the number of breached data types observed by the visual8hacker for all 157 experimental trials. As reported, 14 trials (or 9 percent) did not experience a visual hack.In other words, 91 percent of experimental trials experienced at least one instance of visual hacking. A totalof 18 of 157 trials experienced more than six information types observed by the researcher.Figure 9. Histogram of information types capturedn 157; 8 countries 12345678910Figure 10 shows significant variation among functional areas. Experimental trials conducted in customerservices had the most information types visually hacked. In contrast, legal had the least number ofinformation types visually hacked.Figure 10. Average number of information types visually hacked by functional arean 157 trials; 8 countries (combined)Customer services5.5Sales management5.1Communications4.6Accounting & finance3.3Human resources3.3Data center operations3.2IT help desk3.1Logistics2.3R&D2.3Quality assurance2.3Legal1.3-1.02.03.04.05.06.08Of the five experimental trials that did not experience any visual hack, three involved office locations of onedefense and aerospace company. The remaining two involved an education/research organization.Ponemon Institute Research ReportPage 8
The next chart shows the average number of visual data breaches by the approximate headcount ofparticipating business offices. As noted in Figure 11, smaller-sized offices with 25 to 50 employees had thelowest number of visually hacked data types (at 3.4). Offices with 76 to 100 employees had the highestnumber of hacks (at 4.6).Figure 11. Average number of visually breached data types by office headcountn 157 trials; 8 countries (combined)5.04.64.34.54.03.93.93.53.4Less than 2525 to 503.53.02.52.01.51.00.50.051 to 7576 to 100More than 100 Overall averageEmployee headcount in local officesFigure 12 summarizes the location where sensitive or confidential information was observed by theresearcher. As shown, 49 percent of all visual hacks involved documents visible on employees’ desks.Another 28 percent of visual hacks involved information gleaned from unprotected desktops, laptops, tabletsand other mobile devices.Figure 12. Where the visual hacking occurred for all information typesn 613 pieces of data; 8 countries (combined)3%9%11%Employee deskUnprotected screen49%Printer binCopierOther28%Ponemon Institute Research ReportPage 9
The following figure shows the location of the visual hack by country. At 57 percent, China had the highestpercentage frequency for employee desk. At 37 percent, Korea had the highest-percentage frequency forunprotected computer screen.Figure 13. Where visual hacking took place by countryn 613 pieces of %US51%SK23%44%JP41%DE40%0%10%20%Employee desk50%Unprotected screen9%60%70%Printer bin0%4%5%8% 2%11%9%80%90%Copier2%7% 3%13%35%40%8%9%36%30%13%12%37%7% 2%5%100%OtherOf all 613 pieces of visually breached data, 168 pieces (27 percent) were designated sensitive informationassets. In short, this information was deemed to be sensitive because of the potential security risk to theorganization in the aftermath of a data breach incident.Figure 14. Proportion of high sensitive informationn 613 pieces of data; 8 countries (combined)27%Sensitive informationOrdinary business information73%Ponemon Institute Research ReportPage 10
Figure 15 shows the percentage of visually breached sensitive data for eight countries. Eighteen percent ofGerman trials resulted in the breach of sensitive data. In comparison, 30 percent of French and U.S. trialsresulted in the breach of sensitive data.Figure 15. Percentage of visually breached sensitive data, by countryGlobal average (baseline) 27%n 613 pieces of %0%FRUSINJPUKSKCHDEGlobalaverageFigure 16 shows four sensitive data types visually hacked in our experiment by country sample. As shown,login credentials to access corporate systems or mobile-connected devices represented the largest sensitivedata category for all countries. In contrast, attorney-client privileged documents represented the smallestsensitive data category.Figure 16. Sensitive data types by countryn 613 pieces of %5%3%3%Attorney-client privilegeddocumentsConfidential or classifieddocuments6%Financial, accounting andbudgeting information12%7%2%10%Login credentials4%7%2%13%6%7%17%IN6%15%Ponemon Institute Research Report10%9%20%6%25%30%35%Page 11
Figure 17 shows the approximate location where the hack occurred during our experiment. Fifty-two percentof sensitive data was captured by observing unprotected computer screens. In comparison, only 28 percentof all breached data occurred by observing computer screens. Forty-nine percent of all data was captured byobserving documents on a vacant desk. Only 30 percent of sensitive data was observed from documents onemployee desks.Figure 17. Where visual hacking took place: A comparison of high value vs. overall breached datan1 613 pieces of data, n2 168 pieces of sensitive information; 8 countries %2%0%Employee deskUnprotectedscreenPrinter binWhere the visual hacking took placeCopierOtherWhere sensitive information was hackedFigure 18 shows country differences in the amount of sensitive information captured from unprotectedscreens such as laptops, desktops, tablets and smartphones. The pattern of country-level results suggestKorean respondents are most likely to experience the leakage of sensitive information from unprotectedscreens. Overall, 52 percent of sensitive data leakage occurred from unprotected screens.Figure 18. Percentage of sensitive information visually hacked from unprotected screens by 0%20%10%0%SKCHINPonemon Institute Research ReportFRUSUKJPDEGlobalaveragePage 12
Figure 19 reports that 49 percent of all trials experienced the first visual hack within 15 minutes of thesession. Another 17 percent experienced the first visual hack within 15 to 30 minutes. As previously noted, 9percent withstood a visual hack.Figure 19. Elapsed time to complete first visual hackn 157 trials; 8 countries (combined)None detected9%91 to 120 minutes3%61 to 90 minutes9%31 to 60 minutes13%15 to 30 minutes17%Less than 15 minutes49%0%10%20%30%40%50%60%Figure 20 reports the percentage of all trials by country that experienced the first visual hack in first 15minutes of the session. At 36 percent, Germany experienced the lowest rate of successful hacks within thefirst 15 minutes of the experiment. At 68 percent, India experienced the highest rate of successful hacksduring the first 15 minutes.Figure 20. Percentage of trials where first visual hack occurred within 15 minutes, by countryGlobal average (baseline) 49%n 157 SKDE30%20%10%0%INFRCHPonemon Institute Research ReportUKUSGlobalaveragePage 13
According to Figure 21, the hacker was unable to visually hack the company in only 14 cases. None of theexperimental trials conducted in India and Korea were hack-free.Figure 21. Number of trials that were not visually hacked by countryn 157 llAs shown in Figure 22, 91 percent of visual hacking attempts were successful – detecting no visual hacks inonly 9 percent of all cases. At 82 percent, China had the lowest success rate.Figure 22. Visual hacking success rate by countryn 157 0%20%0%INSKJPFRUSDEUKCHGlobalaverageSuccess rate number of trials where visual hack was successful divided by total trialsPonemon Institute Research ReportPage 14
Figure 23 shows that in 107 experimental trials (68 percent), office workers did not confront the researcher.In 50 (30 12 8) trials, the researcher experienced some queries or pushback by some office workers atdifferent points in the session. In only three cases did an office worker contact the office supervisor ormanager (liaison) about a possible insider threat.Figure 23. Did office workers confront the visual hacker?n 157 trials12010710080604030201280During task 1During task 2During task 3Not confrontedFigure 24 shows the percentage of trials where the visual hacker was not confronted by office workers. For59 percent of trials conducted in Germany, there was no confrontation between office workers and the visualhacker. In other words, for 41 percent of German trials, there was some interaction between office workersand the hacker. In contrast, for 80 percent of trials conducted in France, there was no interaction.Figure 24. Percentage of trials where the visual hacker was not confronted by countryGlobal average (baseline) 68%n 157 0%40%30%20%10%0%FRINUSPonemon Institute Research ReportJPSKCHGlobalaveragePage 15
Figure 25 suggests a relationship between visual privacy breaches and the layout of the office involved inthe experimental trial. Open layout refers to a design that does not separate office workers. All walls orcubicles are removed. A total of 65 trials (41 percent) were conduced in an open layout and 92 trials (59percent) in a traditional office layout. In the trials conducted in an open office layout, the average number ofvisual privacy breaches was 4.5. For trials conducted in a traditional office layout, the average number was3.2. Hence, the open layout appears to have increased the ability of the visual hacker to observe and obtaincompany-specific information.Figure 25. Average number of visual privacy breaches by office layoutn 157 trials5.04.54.54.03.23.53.02.52.01.51.00.5Open office layoutTraditional office layoutFigure 26 reports the average number of visual privacy breaches for organizations that deploy each one offour common control practices versus organizations that do not deploy these controls. Companies thatdeploy workplace monitoring averaged 3.2 breaches versus 4.6 breaches for companies that do not deploythis control. Similarly, companies that have a privacy or data protection training and awareness program foremployees averaged 3.3 breaches as compared to 4.5 breaches for companies that do not provide trainingfor employees.Figure 26. Companies with sound control practices experience fewer visual privacy breachesn 157 trials; 8 countries .52.01.51.00.5Training & awareness Workplace monitoring &programsurveillanceControl practice is deployedPonemon Institute Research ReportClean desk policyStandardized documentshredding processControl practice is not deployedPage 16
Figure 27 shows the percentage difference in the average number of visual privacy breaches for companiesthat deploy each one of four control practices versus organizations that do not deploy these practices. Forinstance, companies that deploy workplace monitoring and surveillance experienced 35 percent fewer visualdata breaches than companies that do not monitor employees. Companies that train employees on privacyand data protection had 31 percent fewer visual data breaches than companies that do not conduct privacyor data protection training.Figure 27. Percentage difference between companies that deploy or not deploy four controlpracticesn 157 trials; 8 countries ining & awareness Workplace monitoring &programsurveillancePonemon Institute Research ReportClean desk policyStandardized documentshredding processPage 17
Part 5. LimitationsThere are inherent limitations to experimental research that need to be carefully considered before drawinginferences from the findings presented here. The following items are specific limitations that are germane tomost field-based experimental studies.Findings are based on a voluntary sample of 46 participating companies and 157 unique office locations ineight countries. Invitations were sent to a representative sample of individuals in a variety of functionalareas. We acknowledge it is possible that companies who did not participate are substantially different interms of their preparedness for visual hacking incidents.The accuracy of experimental results is dependent upon the researcher’s ability to create situations thatrepresent the underlying phenomenon of interest. The degree to which our experiment did not capture avisual hack could not be measured.The quality of experimental research is based on the integrity of confidential responses received fromsubjects. While certain checks and balances were incorporated into our research design process includingsanity checks, there is always the possibility that some trials did not reveal accurate results.A final limitation of this study concerns the incl
Part 2. Experimental Methods 1See: Visual Hacking Experimental Study, conducted by Ponemon Institute and sponsored by 3M, February 2015. The 2016 study at a glance Visual hacking is a global problem. Visual hacking occurred in all countries and 91 percent of 157 visual hacking attempts (trials) were successful.
Hacking Concepts 1.10 What is Hacking? 1.11Who is a Hacker? 1.12 Hacker Classes 1.13 Hacking Phases o Reconnaissance o Scanning o Gaining Access o Maintaining Access o Clearing Tracks Ethical Hacking Concepts 1.14 What is Ethical Hacking? 1.15 Why Ethical Hacking is Necessary 1.16 Scope and Limitations of Ethical Hacking
Feb 23, 2012 · STORYTELLING WORKSHOP. VISUAL DESIGN HACKING One Goal: To equip you with simple and actionable techniques to kick ass at visual design. VISUAL DESIGN HACKING VISUAL DESIGN IS AN EXTREMELY VALUABLE SKILL. IT GOES A LONG WAY. VISUAL DESIGN HACKING
Chapter 7 Passwords In This Chapter Identifying password vulnerabilities Examining password-hacking tools and techniques Hacking operating system passwords Hacking password-protected files Protecting your systems from password hacking P assword hacking is one of the easiest and most common ways attack-ers obtain unauthorized network, computer, or application access.
Hacking The Wild: Desert Island Castaway Survival Series Marathon Hacking The Wild: Escape from Death Valley Hacking The Wild: Deadly Glacier Hacking The Wild: Alaskan Ice Forest Hacking The Wild: Black Bayou, The Hacking The Wild: Desert Island Castaway
Hacking Opportunities 49 Summary 49 Chapter 3 Hacking LEGO I: Connections 51 Mindstorms Wires Explained 51 Inside the Mindstorms Wire 52 Hacking Mindstorms Wires 53 Exploring Wireless Options 56 Infrared Sensor and Beacon 56 Bluetooth 57 Hacking Wireless 58 Summary 62 Chapter 4 Project: Remote-Controlled Crane 63 Parts List 64 Building the Crane 65
CEHv11 Change Summary 1. The Module 18: IoT and OT Hacking is a completely modified module in CEHv11 which inclues OT hacking (OT concepts, attacks, hacking methodology, hacking tools, and countermeasures) 2. The Module 19: Cloud Computing is a completely modified module in CEHv11 which
to as “ethical hacking”—hacking for an ethical reason—whereby it will be argued that law and policy ought not to be the same here as for those hacking activities that are purely for economic gain or to cause harm or mischief. As will be seen, I have grouped ethical hacking int
Ethics of Ethical Hacking Security professionals should understand where ethical hacking fits in information security,proper use of hacking tools,different types of hacking techniques,and the ethics that surround all of these issues.This chapter will cover the foll
Benefits of Ethical Hacking Topic 1: Ethical Hacking Discuss the main benefits and risks of ethical hacking. Provide examples and/or details to support your ideas. If you have seen examples of ethical hacking, please share thes
hacking .the main reason behind password hacking is a weak password. The people mostly select numbers as their password which is easily hacked and don‘t provide strong protection against password hacking. In this research discuss methods of password hacking and also provide a various so
Computer Hacking: This is the process of stealing computer ID and password by applying hacking methods and getting unauthorized access to a computer system. Advantages of Hacking Hacking is quite useful in the following scenarios: To recover lost information, especially in case you lost your password.
and, of course, hacking. However, even the hacking books seem to vary in con-tent and subject matter. some books focus on using tools but do not discuss how these tools fit together. other books focus on hacking a particular subject but lack the broad picture. this book is intended to address these issues. it is meant to be a single starting
HACKING FAQS Here is a small list of some of the frequently asked questions about hacking: How long does it take to become a hacker? Hacking is not something that can be mastered overnight. It really takes quite some time to understand and implement the skills that actually put you in the hacker’s shoes.
SEC561 Immersive Hands-On Hacking Techniques SEC573 Python for Penetration Testers- GPYC SEC575 Mobile Device Security and Ethical Hacking - GMOB SEC617 Wireless Ethical Hacking, Penetration Testing, and Defences - GAWN Penetration Testing an Etical Hacing SEC642 Advanced Web App Penetration Testing and Ethical Hacking
research will define ethical hacking, current information security trends, offer pedagogical methods, an overview of information security instruction, and lastly, best practices in the field are examined. Keywords: Ethical hacking education, information security instruction, ethical hacking pedagogy. 1. INTRODUCTION
Ways to get hacking experience & get your 5 name out there Writing articles, tutorials or making videos about hacking helps you learn more, make new connections and get recognised in ethical hacking communities. Contribute to the community In bug bount
differ from Ethical Hacking moving further with its kinds and the crime it falls under and also the category of evidence and the procedure for admitting the evidence under the Court of Law. HACKING AND ITS TYPES “Hacking’ means unauthorised a
Keywords— Ethical hacking, hacking, hackers, education and training, risk management, automated security. I. INTRODUCTION . Ethical hacking technology is spreading to diversified fieldsof the life and especially to all walks of computer industry; the need to protect the important data
Hacking is the most exhilarating game on the planet. But it stops being fun when you end up in a cell with a roommate named "Spike." But hacking doesn't have to mean breaking laws. In this series of Guides we teach safe hacking so that you don't have to k
Update to reflect user’s comments Version 2 1.3.16 Hugo den Boogert UEQ31 Update to reflect new developments and user’s comments Version 0 1.10.2018 Habsi, Haitham UEQ32 Revised entirely to SP (previously, it was PR-1708) iii Related Business Processes Code Business Process (EPBM 4.0) iv Related Corporate Management Frame Work (CMF) Documents The related CMF Documents can be retrieved from .