How Vacation Photos Can Lead to a Breach in Your Agency’s Cyber Framework

According to stats from the Daily Mail, the average British vacation-goer takes 447 photos per vacation – including 127 landscape shots, 45 selfies, and 6 pictures of stray cats (as a cat lover, I approve). We can estimate that Britain’s U.S. counterparts take a similar number of pictures on their vacations and post them, often without a second thought, to their social media profiles and sites.

This deluge of images and posts on social media brings us to a critical point. Security in general, including infosec, starts at the physical layer. Below is an illustration of the Seven Layers of the OSI Model; note that Physical is the base here as well. Sadly many, if not most, illustrations of the OSI Model neglect two of the more important layers, Budgetary and Political, but that is a story for another time.

EXIF and Check-ins

While many social sites like Facebook and Twitter strip metadata, called EXIF data, from photos posted to their sites, the only way to be sure that a site will not provide that location-revealing EXIF data is to strip it out yourself before uploading. This may seem like table stakes, but there are very clever people who have been undone by EXIF, John McAfee being one of them.
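As an added example (not part of the original article), here is one way to strip EXIF yourself before uploading: a pure-Python pass over the JPEG segment structure that drops every APP1 segment, which is where EXIF (and XMP) metadata lives. The function names and the constructed sample bytes are assumptions for illustration.

```python
import struct

SOS, APP1 = 0xDA, 0xE1  # start-of-scan marker; APP1 carries EXIF (and XMP)

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every APP1 metadata segment removed."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"corrupt segment header at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            # Compressed pixel data follows; copy the rest through untouched.
            return bytes(out + jpeg[pos:])
        # Length is big-endian and counts its own two bytes, not the marker.
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker != APP1:
            out += jpeg[pos:end]  # keep JFIF header, tables, frame info
        pos = end
    raise ValueError("no start-of-scan marker: truncated or not a JPEG")

def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed JPEG segment (helper for the sample below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: structurally valid segments, not a decodable picture.
SAMPLE = (
    b"\xff\xd8"
    + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + seg(APP1, b"Exif\x00\x00" + b"constructed GPS block")
    + seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"      # stand-in for entropy-coded scan data
    + b"\xff\xd9"      # EOI
)

if __name__ == "__main__":
    cleaned = strip_exif(SAMPLE)
    print(len(SAMPLE), "->", len(cleaned), "bytes; Exif present:", b"Exif" in cleaned)
```

This handles JPEG only; other image formats store their metadata differently and need their own handling.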

Check-ins, for example on Yelp, Facebook, and other sites, can also reveal a user’s location and sometimes more. For example, if I check in to Carlsen Porsche, the closest Porsche dealer to our office in Mountain View, I reveal not only where I am but I also reveal something about myself, an affinity for expensive German cars. This, were it true, would probably mean that I have some money and at least one car that might be worth stealing.

Back to Vacations

So let’s say you go on vacation and let’s further suppose that you want to post pictures of said vacation on social media with photos of glorious meals and images of palm trees, perhaps with some tagline like “In Fiji aka in #Paradise.”

By checking in at that one place, you are at the very least revealing that you are there and by definition, not elsewhere…with elsewhere being places like home where that Porsche may be stashed away.

For government workers and contractors, posting vacation photos and check-ins on social media runs the additional risk of revealing that you’re also not in the office, where end-users have access to government data, networks, secrets, national security information, and potentially much more.

As the era of the insider threat continues to evolve, hackers are getting more clever and more patient when it comes to launching their attacks. Let’s say someone does have your credentials – your agency likely has some cyber solutions in place to send out alarms for off-time logins, like on a weekend, to an agency’s network. However, if you’re on vacation during the week, those same security systems are unlikely to set off any bells and whistles for a seemingly-certified login from your account on a regular weekday.

While not everyone is going to be an extremist type, if you’re concerned about the physical security of your home and the security of the information you, as a government professional, access on a daily basis, you may want to consider refraining from check-ins and any sort of revealing social post while you’re away. Burglaries of this nature have happened before.

Stay safe and don’t allow yourself or your organization to become a victim.

Interested in learning more about information security in the age of the insider threat? Join one of our Government Cloud and Security Executive Breakfast Seminars, sponsored by HyTrust, happening throughout October and November.
