We are proud to be a company that implements an Information Security Management System compliant with ISO 27001:2013. As a result we have many policies and procedures in place to increase the security of our environment, and advise our clients to follow the same best practice.
It can be difficult to balance system security and system usability, which is why in practice some of the simpler tasks are not carried out. For example, I have found that getting users into the habit of locking their computer (pressing just two keys on a Windows machine) every time they leave their machine unattended is a lot easier in theory than in practice.
“I was only going away for a minute, nothing could have been done to my machine.”
“Someone would have seen my keyboard and mouse being used and stopped it.”
The general view was that the risk or threat is not significant enough to warrant locking your machine each and every time you move away from your desk. There were always enough people about to mitigate the risk of one or two of them having malicious intent. Over the years, I’ve regularly come across this attitude and it often sparks a debate on whether locking is necessary at all.
For me it is a big concern. Some users have access to every file in their company, credentials for corporate social media accounts saved in their web browsers and sensitive email conversations with colleagues and clients. With all of this information, and more, being left unattended on a regular basis, the potential damage at the lower end could be very embarrassing for a company, and at its most extreme could be enough to force a company to shut down.
Ease of the attack
Despite the common misconception, it is extremely easy for someone to quickly carry out malicious activity on an unlocked computer, and they don’t have to start tapping away on the keyboard either. Teensy and other similar products are cheap, widely available and, with a bit of technical knowhow, can be programmed to act as any USB peripheral and carry out actions when connected to a machine. Essentially, one could program the device to behave as a keyboard, which would mean any computer it is connected to would be tricked into thinking that a keyboard had been plugged in. It could also be programmed to automatically type commands once it had detected an established connection. These commands could install a back door to provide remote access at a later date, upload files and mailboxes to a remote server, or scour the machine for saved credentials and then upload the database to a remote server. The number of different activities is limited only by the goal and imagination of the malicious actor.
These devices will input characters faster than any human is able to type, so a malicious actor would only need access to a machine for a matter of seconds. They would not necessarily stand out, as they would not be typing on a keyboard or moving a mouse. Worst of all, in the above example of a Teensy being used, because it is pretending to be a keyboard its keystrokes are treated as legitimate user input, so it would bypass the majority of endpoint protection implementations.
This ties in with a well-known issue in IT security. You can implement security measures such as endpoint protection to keep the infrastructure safe, but if users lack security training, and do not lock their machines or check URLs before clicking on them, then those measures start to become ineffective.
Yes, it can be a slight pain to lock your machine every time you leave it, but there is a real business risk in not locking it and, as I have hopefully explained, conducting the attack can be relatively covert and extremely quick. After making a conscious effort to follow the best practice of locking your machine, it will soon enough become second nature and you won’t even have to think about it.
– There are many different ways to lock your computer; I have found the quickest way on a Windows machine is to press the Windows key and the L key together.
– Setting computers to automatically lock after a certain period of inactivity, e.g. 5-10 minutes, will also help to mitigate the risk, because it puts a ceiling on how long a machine stays exposed if someone forgets to lock it.
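The second recommendation can be enforced rather than left to each user. The PowerShell below is an added example (not Priority One's own code or a published procedure) that writes the same registry values Group Policy uses for a password-protected screen saver and for the machine-wide "Interactive logon: Machine inactivity limit", then reads them back so the setting can be verified. It assumes a Windows machine, a default timeout of 600 seconds (the 10-minute upper end of the range above), and an elevated session for the machine-wide value; the $TimeoutSeconds parameter and the Get-AutoLockStatus function are names chosen for this example.

```powershell
# Added example (not Priority One's code): enforce "lock after inactivity" on a Windows machine.
# Assumptions: run on Windows; the current user may write its own HKCU policy keys; an elevated
# (Administrator) session is needed for the HKLM machine inactivity limit, otherwise that step is skipped.

param(
    [int]$TimeoutSeconds = 600   # 10 minutes, the upper end of the 5-10 minute range recommended above
)

# 1) Per-user screen-saver policy. These are the values Group Policy writes for
#    User Configuration > Administrative Templates > Control Panel > Personalization.
$userPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
New-Item -Path $userPolicy -Force | Out-Null
Set-ItemProperty -Path $userPolicy -Name 'ScreenSaveActive'    -Value '1'                # enable the screen saver
Set-ItemProperty -Path $userPolicy -Name 'ScreenSaverIsSecure' -Value '1'                # require a password on resume (= lock)
Set-ItemProperty -Path $userPolicy -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"  # idle seconds before it starts
Set-ItemProperty -Path $userPolicy -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr'     # blank screen saver shipped with Windows

# 2) Machine-wide limit ("Interactive logon: Machine inactivity limit"). This locks the session
#    after the given idle time regardless of per-user screen-saver settings, so a user cannot undo it.
$machinePolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Set-ItemProperty -Path $machinePolicy -Name 'InactivityTimeoutSecs' -Value $TimeoutSeconds -Type DWord
} else {
    Write-Warning 'Not elevated: InactivityTimeoutSecs (machine-wide limit) was not set.'
}

# 3) Verify. Reading the values back is what you would also do when auditing other machines,
#    since a setting that was never applied mitigates nothing.
function Get-AutoLockStatus {
    $u = Get-ItemProperty -Path $userPolicy    -ErrorAction SilentlyContinue
    $m = Get-ItemProperty -Path $machinePolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverEnabled    = ($u.ScreenSaveActive -eq '1')
        PasswordOnResume      = ($u.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeoutSec = [int]$u.ScreenSaveTimeOut
        MachineInactivitySec  = $m.InactivityTimeoutSecs
        # Compliant = screen saver on, locks on resume, and starts within the allowed idle window
        Compliant             = ($u.ScreenSaveActive -eq '1' -and $u.ScreenSaverIsSecure -eq '1' -and
                                 [int]$u.ScreenSaveTimeOut -gt 0 -and [int]$u.ScreenSaveTimeOut -le $TimeoutSeconds)
    }
}
Get-AutoLockStatus

# To lock immediately from a script or shortcut (same effect as pressing Windows key + L):
# rundll32.exe user32.dll,LockWorkStation
```

The per-user values take effect at the next policy refresh or logon; the machine-wide InactivityTimeoutSecs applies to every interactive session on that computer, which is why it is the one to prefer when the goal is a limit users cannot switch off themselves.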
Priority One – London IT Security