When discussing insider threats with customers, and the information protection solutions that can prevent a user from copying or downloading a file, I’m often asked the question “how do you stop someone taking a photograph of their screen to steal the information?” If it sounds a little unlikely that an employee would use their phone to capture images of sensitive information for fraudulent purposes, the reality is that this isn’t as far-fetched as it sounds. Only a few weeks ago, five people were indicted on charges relating to aggravated identity theft and wire fraud. The method used to extract the stolen personally identifiable information (PII) was as simple as it gets: taking photographs of files displayed on the computer screen of one of the defendants. This wasn’t a one-off opportunistic snap of a single file but a systematic process of identity theft by a medical records technician working at a US Army base, carried out over the course of several years.
How Malicious Users Can Circumvent Traditional Security
Why take the photographs instead of just stealing the files themselves? I assume that this was an attempt to leave either no, or as little, trace as possible. One of the indicted, Frederick Brown, had legitimate access to the sensitive information as part of his day job on a US Army base in South Korea. Downloading or sending the data would have made detection easier, as repeated actions like that would more than likely leave a trail that would at some point cause an alert to be raised. On the other hand, taking photos and sharing them via a shared Dropbox account is very unlikely to raise any red flags, because nothing leaves the endpoint through a channel the organization monitors.
This case illustrates why detecting a malicious insider is so difficult – they have legitimate access to data. How do you determine if the data is being used for a legitimate work task versus using it for a nefarious purpose?
The cybersecurity market has seen an uptick in the number of solutions that look to address suspicious activity by malicious insiders. Buzzwords like behavior analytics, UEBA and UBA tout the ability to detect when a user has done something suspicious. The issue that I see with solutions like this has nothing to do with their effectiveness in doing what they claim to do, but rather that what they provide is a reactive and retrospective approach to insider data breaches. Simply stated, they detect a problem after it has occurred. The more sensible approach is to be proactive, stopping the unwanted action before it occurs, to minimize the damage a malicious insider can do.
Using a Proactive Versus Reactive Approach to Insider Threats
A proactive approach ensures a level of protection is applied to the data during its entire life cycle. Even in scenarios where users need to collaborate freely around sensitive data, there are options to ensure that information protection rules and regulations are applied so that both malicious and accidental breaches are minimized or eliminated.
One such approach is to use rights management software, often as part of a data loss prevention (DLP) solution, that controls what a user can do with the data they have access to. Can they make edits? Can they copy and paste it into another file? Can they download a copy or email it to a third party? All of these actions can be turned off or on based on attributes of the user or the nature of the data.
Sounds great right? But what about someone taking a photograph of their screen such as in the case of data theft from the US Army base?
Rights management solutions have been around for quite some time, but it’s no secret that they cannot stop a determined malicious insider from using their mobile phone to capture sensitive information straight from their computer screen. It may never be possible to stop someone taking the picture, but there are now ways to discourage them from doing so.
Using Digital Fingerprints to Deter Data Theft
Recent advances in data-centric protection offer capabilities to both make people think twice about what they do with company data, and, in the event of a breach, provide investigators with a virtual “fingerprint”.
One such capability is the evolution of watermarks. Instead of a “static” watermark that merely places a word such as “confidential” into the background of a file, it’s now possible to use “dynamic” content that is specific to the data and the user viewing it. As an example, the watermark can carry the date, the time and the user’s name or email address, so every rendering of the document is unique to the person and the moment it was opened.
Would this have stopped Frederick Brown and his fellow conspirators? Perhaps Mr Brown would have thought twice about taking an image of the data files where his “fingerprints” (i.e. his name, and the date and time he took the incriminating pictures) were literally all over what has become some of the primary evidence for the prosecution. At the very least, the authorities would have had an easier job tying the pieces of their investigation together when they discovered the cache of images in the Dropbox folder.
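To make the dynamic watermark idea concrete, and to show how the “fingerprint” is used once an investigator is holding a photograph, here is an added example (it is not code from the original post or from any product). It assumes a document viewer that overlays text on every page and writes an access-log record each time a document is opened; the users, document ids and log entries are constructed for illustration. It goes one step beyond the text by appending a short HMAC tag to the visible name and time: the tag binds the watermark to a server-side record, so a name edited into or out of a screenshot no longer verifies, and an investigator can map a transcribed watermark back to the exact session that produced it.

```python
"""Dynamic watermark generation and attribution (added example, not the post's own code).

Assumptions: a server-side viewer renders the text over the document and keeps an
access log of every open; the key, users, document ids and timestamps below are
invented for the example.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical server-held key. In a real deployment it lives in a KMS/HSM and is
# rotated; it must never ship inside the client, or the tag proves nothing.
WATERMARK_KEY = b"example-only-key-do-not-use"

# Constructed access log: one record per document open, as a rights-management or
# DLP viewer would write it.
ACCESS_LOG = [
    {"user": "j.doe@example.mil", "doc_id": "PHI-2017-0412",
     "opened_at": datetime(2017, 4, 12, 9, 3, 17, tzinfo=timezone.utc)},
    {"user": "j.doe@example.mil", "doc_id": "PHI-2017-0413",
     "opened_at": datetime(2017, 4, 12, 9, 41, 2, tzinfo=timezone.utc)},
    {"user": "a.smith@example.mil", "doc_id": "PHI-2017-0412",
     "opened_at": datetime(2017, 4, 12, 10, 15, 44, tzinfo=timezone.utc)},
]


def watermark_tag(user: str, doc_id: str, opened_at: datetime, key: bytes = WATERMARK_KEY) -> str:
    """Short HMAC over (user, document, exact open time).

    The visible name and time alone can be disputed ("someone else was logged in
    as me") or edited out of a screenshot before it is shared. The tag ties them
    to a server-side record, so an altered watermark stops verifying. Eight hex
    characters are enough to pick the right log record; this is a lookup aid,
    not a standalone signature.
    """
    msg = f"{user}|{doc_id}|{opened_at.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def build_watermark(user: str, doc_id: str, opened_at: datetime, key: bytes = WATERMARK_KEY) -> str:
    """Text the viewer overlays on every page: who, when, which document, and the tag."""
    shown = opened_at.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
    tag = watermark_tag(user, doc_id, opened_at, key)
    return f"CONFIDENTIAL | {user} | {shown} | {doc_id} | ref:{tag}"


def tile_positions(width: int, height: int, step_x: int = 400, step_y: int = 250):
    """Anchor points for repeating the mark across the whole viewport.

    A single corner stamp is cropped out of a phone photo in seconds; a tiled,
    low-contrast mark survives a partial shot of the screen.
    """
    return [(x, y) for y in range(0, height, step_y) for x in range(0, width, step_x)]


def parse_watermark(text: str) -> dict:
    """Split a transcribed watermark, as an investigator would read it off a photo."""
    fields = [f.strip() for f in text.split("|")]
    if len(fields) != 5 or not fields[4].startswith("ref:"):
        raise ValueError("not a watermark produced by build_watermark")
    return {"user": fields[1], "shown": fields[2], "doc_id": fields[3], "ref": fields[4][4:]}


def attribute(text: str, access_log=ACCESS_LOG, key: bytes = WATERMARK_KEY):
    """Map a photographed watermark back to the access-log record it came from.

    Only user and document are matched from the visible text; the tag is then
    recomputed from each candidate record's exact timestamp, so the investigator
    does not need the seconds that the on-screen text omits. Returns the record
    that reproduces the tag, or None if the text was altered or no session exists.
    """
    wm = parse_watermark(text)
    for rec in access_log:
        if rec["user"] != wm["user"] or rec["doc_id"] != wm["doc_id"]:
            continue
        expected = watermark_tag(rec["user"], rec["doc_id"], rec["opened_at"], key)
        if hmac.compare_digest(expected, wm["ref"]):
            return rec
    return None


if __name__ == "__main__":
    rec = ACCESS_LOG[0]
    text = build_watermark(rec["user"], rec["doc_id"], rec["opened_at"])
    print(text)
    print("matches record:", attribute(text))
    # A screenshot where the name has been swapped for a colleague's no longer verifies.
    print("forged name:", attribute(text.replace("j.doe", "a.smith")))
    print("tiles on a 1920x1080 screen:", len(tile_positions(1920, 1080)))
```

Two caveats a practitioner would want: none of this stops the photograph, it only makes the result attributable; and the overlay has to be drawn by a viewer the user cannot modify (a browser-side CSS layer can be deleted in the developer tools), with the key staying on the server.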
When it comes to insider threats, preventing a breach from occurring in the first place provides far greater protection than trying to assess if a user’s behavior is suspect after the damage is done.