Steganography and the Insider Threat: Backbone Security Explains Why the IT Security Community Should Take Notice

Insider Threat Ranked #2 on List of 8 Hard Problems by INFOSEC Research Council

Fairmont, WV (PRWEB) April 25, 2013

Whether the insider threat or the external threat is more serious has been the subject of perennial discussion ever since the concept of threats to information systems emerged. And there is no end in sight.

The insider threat is a particularly intractable problem because there are so many ways insiders can steal information from an enterprise network. It is a very hard problem to solve. In fact, the insider threat problem is so hard, it is formally ranked #2 on the Hard Problem List, or HPL.

The HPL began as a study initiated in 1997 by members of the Information System Security (INFOSEC) Research Council. The idea was to compile a list of “the hardest and most critical challenges in INFOSEC research that must be addressed for the development and deployment of trustworthy systems for the U.S. Government.”

The original HPL (http://www.infosec-research.org/docs_public/IRC-HPL-as-released-990921.doc) was released in 1999; but, due to rapid evolution in both technology and threats, an updated HPL was released in November 2005 (http://www.infosec-research.org/docs_public/20051130-IRC-HPL-FINAL.pdf). Although eight years have passed and technology and threats have continued to evolve during that time, it is instructive to note the eight hard problems identified in the 2005 update remain the subject of intense research and development in the government and private sector.

Today, we are inundated with a nearly constant stream of news about external attackers and the damage they cause along with the information they steal. It is a situation conducive to becoming tone deaf, to some degree, to the constant barrage of news about cyber threats.

The cacophony of alarm bells regarding external threats is drowning out the more insidious insider threat.

Since the dawn of the Information Age, much has been written about the insider threat and the many ways insiders can steal information. As an indication of how much has been written, a Google search on “insider threat” will return nearly 90 million links.

One of the ways insiders can steal information is not getting much, if any, attention. Insiders can use digital steganography to exfiltrate sensitive information such as intellectual property, trade secrets, personal financial information, personally identifiable information (PII), and protected health information (PHI).

Digital steganography is an Internet-era version of an ancient information hiding technique that dates back to the days of Ancient Greece. Using digital steganography, a file can be embedded within, or appended to, another file in such a way that it cannot be seen or heard. Unlike cryptography, which translates information into an unintelligible sequence of letters and numbers, steganography conceals the very existence of the information.

Insiders have become acutely aware of the value of the information they work with on a day-to-day basis. As a result, insider theft of sensitive information is increasing at an alarming pace. Insiders can use any of the 1,500+ steganography applications available on the Internet as freeware or shareware to steal PII, PHI, or intellectual property, for example. The current generation of network security appliances and data loss prevention systems does not detect insider use of steganography.

The Steganography Analyzer Real-Time Scanner (StegAlyzerRTS) was developed in Backbone Security’s Steganography Analysis and Research Center (SARC) as a countermeasure to the threat from insiders using digital steganography to steal sensitive information. It is the world’s only commercially available network security appliance capable of detecting steganography in real-time.

The latest generation of StegAlyzerRTS is capable of operating on networks with throughput of up to 1 Gb/s and detects insiders downloading any of the 1,150 digital steganography applications currently in the SARC’s archives. Detecting an insider downloading a steganography application is an early warning indicator that the insider is planning to steal sensitive information.

StegAlyzerRTS offers a “drop-in, turn-key” capability that will not affect network throughput. StegAlyzerRTS was found to be effective for identifying files associated with steganography applications and files that contain hidden steganographic data by the Defense Cyber Crime Institute (DCCI).