|
During Comdex 2003 in Las Vegas, Caleb Sima, (SPIdynamics), Tom Goodman (Bluefire Security Systems) and I presented and discussed PDA and cellular phone attacks and countermeasures. While some of the attacks described are real and others theoretical, every attendee left with a grim appreciation of how vulnerable the cellular infrastructure is. This was the first session I moderated in years where attendees paused before turning their cell phones on when the session concluded. |
During the Q&A session, I raised the issues of security and privacy policies for camera phones. Some attendees laughed, but many more grew serious. Camera phones create challenging security and privacy problems, and I'm convinced we will read about security incidents as well as suits claiming privacy violations and sexual harassment as organizations face these problems and identify remedies.
Is a Picture Worth a Thousand Downloads?
Organizations take great measures to protect sensitive data online. Most organizations have policies prohibiting visitors from accessing trusted (internal) networks. Under such policies, a visitor can't simply plug a laptop into the nearest Ethernet wall jack, enter an office and use an employee's computer, or scan for ESSIDs of and join a wireless LAN. Policies prohibit such actions, and IT departments deploy security measures to prevent these unauthorized activities. In all these cases, organizations have permitted a visitor physical access to a facility, but still take measures to control access to assets.
Do digital photographs your Human Resources department used to create company ID Cards fall into the "sensitive data" category? Should an organization be concerned when a visitor snaps headshots of (key) personnel? Do visitors have opportunities to photograph documents and activities they would not otherwise be able to access or observe? Would pictures of research laboratories and equipment therein aid competitors or industrial espionage agents in understanding how far your organization has progressed in developing a breakthrough and patentable technology? Could a competitor gain insight into operational and manufacturing efficiencies that provide you with a competitive advantage from discretely snapped photos? In any of these scenarios, would you permit a visitor to use a 35mm or digital/DVD camera? If the answer is no, shouldn't you consider a camera phone a risk as well?
Before you scoff and conclude such scenarios are for Ian Fleming and Robert Ludlum novels, consider the steady improvement in the quality of digital photographic over only a handful of years. Few organizations would permit a visitor to indiscriminately shoot photographs with a nineties-sized 35mm cameras or shoulder-sized VHS movie camera. But the improved quality, capacity, rapid miniaturization and commoditization of digital photography into cellular phones makes it decidedly difficult to discern whether a visitor is chatting or gathering information and intelligence in image formats. The threat is compounded by the fact that the communications network over which the visitor can deliver these images is entirely outside your control. For many organizations, camera phones pose a serious risk.
Do Black Patent Leather Shoes Really Reflect Up?
A 1982 Broadway musical based on Catholic elementary and high school education in the 1950's offered the suggestive premise that boys could see girls' unmentionables through the reflection off their highly polished shoes. Recently, several incidents in high schools in the U.S and Japan show that satisfying adolescent curiosity is greatly abetted by camera phone technology (think "crowded stairwells"). Now imagine the typical bullpen or cubicle design in many offices. The same adolescent behavior, left ungoverned by an acceptable use policy, will inevitably lead to some fool snapping candid shots of the office darling at her desk. The photos will invariably leak to the darling or someone who is embarrassed on her behalf, and the company is slammed with a sexual harassment suit. Is this a real-world scenario or the speculation of a security wonk hoping to instill FUD?
Camera Phone AUPs
Before you have your security guards X-Ray or handbag and body search visitors; before you ask the receptionist to cheerfully request that all visitor cell phones be placed in the secured storage reserved for this purpose; and before you offend high-ranking officials, business partners, and the wife of the Chairman of the Board, conduct a risk assessment to assess whether and where you need a camera phone prohibition policy. Does it apply to employees and visitors alike? To what locations and facilities should the policy apply? How will you make your policy known (especially to visitors)? Who will enforce the policy? How will you identify and keep them secure once you've separate them from visitors and employees? Can you identify an area(s) where (camera) phone use is acceptable? Will the policy apply to camera phones only or all cellular phones? If only camera phones, on whom will the responsibility to distinguish acceptable from unacceptable phones?
Overcoming Cultural Backlash
Many people feel being reachable via cell phone is essential. Cell phones are often treated as personal items, or company assets that contain sensitive information. Follow the "it's a duck" criteria: if it looks, waddles and quacks like a duck, it's a duck (or camera). Post, publish and carefully explain your policy, provide evidence that tampering and theft have been considered and the risks mitigated. Every security policy will have its proponents and opponents. Allow those extreme personalities who take offense and complain to do so, but insist on compliance or deny entry. The majority of your visitors and employees should be willing to make accommodations to assure their continued employment or perpetuate their business relationships with you.
Fast forward to 2008
Cell phone security policies now pose formidable problems for many organizations. Society is even more obsessed today with hyper-connectivity and "at a touch" information availability. Many organizations must still measure these needs against the even greater risks today's cell phones introduce. Cell phones and PDAs are now indistinguishable. Many handhelds not only take pictures but capture video as well. Storage capacities are suitable for full-length movies. Most support Internet mail and web, making it trivial for anyone to upload recorded or photographed activities and information over communications channels you cannot monitor. If you have a cell phone policy and haven't reviewed it recently, take another look.
