For those not familiar, steganography is an ancient information hiding technique that dates back to the days of Ancient Greece. In fact, steganography is derived from the Greek words “steganos,” which means “covered,” and “graphein,” meaning “writing.” Thus, steganography literally means “covered writing.”
The Egyptians are generally acknowledged to have been the first to use steganography in the form of hieroglyphics. However, one of the first recorded uses of steganography, and one of the most interesting, dates back to 480BC during the Battle of Thermopylae. When he learned of Xerxes’ plan to lead his army into Greece, Demaratus scraped the wax off his wax tablet, scribed a message directly on the wood, and then recovered the tablet with wax in order to get a message to Sparta past the Roman guards.
Fast-forward a couple thousand years and, even though the landscape has changed, practices of message-coding are still evident. This is especially relevant in the current internet-security era, where “digital steganography” practices include hiding a digital file by embedding it within, or appending it to, a carrier file. This carrier file is typically an innocent looking image that would not warrant suspicion that it may contain a hidden payload. Information can be hidden in, or appended to, any type of file, including text files, audio files, video files, etc.
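The “appending it to a carrier file” case described above is the one a defender can check for mechanically: an image format declares where the picture ends, and bytes after that point have no business being there. The following is an added example (not code from the original post or its author) that walks PNG chunks to the IEND chunk and JPEG segments to the EOI marker, then reports how many bytes trail the legitimate end. The sample carrier files it inspects are constructed inline as minimal headers, not real photographs, and the appended string stands in for whatever a user might have tacked on.

```python
"""Flag carrier images that carry data appended past their legitimate end marker.

Added example: walks PNG chunks to the IEND chunk and JPEG segments to the EOI
marker, then reports any bytes that follow. All sample inputs are constructed below.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Return the offset just past the IEND chunk, or None if the PNG is malformed."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # 8-byte header, data, 4-byte CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data):
    """Return the offset just past the EOI marker, or None if the JPEG is malformed.

    Segments are skipped by their declared length, so an EOI inside an embedded
    EXIF thumbnail is not mistaken for the end of the outer image.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                     # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                                     # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                                     # SOS: entropy-coded data follows
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    return None
                nxt = data[i + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:         # byte stuffing / restart marker
                    pos = i + 2
                    continue
                pos = i                                        # a real marker: back to segment walk
                break
    return None


def trailing_payload(data):
    """Return (format, image_end, trailing_bytes), or None if not a recognised image."""
    for fmt, finder in (("png", png_end_offset), ("jpeg", jpeg_end_offset)):
        end = finder(data)
        if end is not None:
            return fmt, end, len(data) - end
    return None


def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def sample_files():
    """Constructed carriers: a minimal PNG and JPEG, each clean and with an appended payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"      # includes a stuffed 0xFF and an RST0 marker
    jpeg = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    payload = b"CONSTRUCTED-HIDDEN-PAYLOAD"     # stands in for an appended archive or document
    return {"png_clean": png, "png_appended": png + payload,
            "jpeg_clean": jpeg, "jpeg_appended": jpeg + payload}


if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(name, trailing_payload(blob))
```

A non-zero trailing count is a strong signal for the append technique but says nothing about payloads embedded inside the pixel data, which need statistical or tool-specific analysis; treat this check as one cheap filter in a DLP or mail-gateway pipeline, not as proof that a file is clean.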
While every business has assets that must be protected, the cyber security mechanisms to protect information assets are not as easily visualized. Regardless, management must exercise due diligence in implementing appropriate mechanisms to protect both physical and information assets as part of an overall enterprise risk management program. Physical security mechanisms have shape and substance—they can be seen and touched. Some cyber security mechanisms share this property. A firewall can be seen and touched as can other physical hardware platforms that might host other security appliances such as an IDS, IPS, or DLP systems.
Applications and data files on users’ computers are typically not visible to most network security applications. Unless the configuration management (CM) system is diligently maintained and used, or user workstations are “locked down,” or the enterprise employs some type of whitelisting system, there is a potentially significant threat from insiders downloading, installing, and using certain classes of software for malicious purposes.
Not knowing that insiders have tools to eavesdrop on network traffic, communicate overtly but confidentially through the use of encryption, or communicate covertly through the use of a digital steganography application puts sensitive, and possibly classified, information and valuable intellectual property at risk. Information could be easily exfiltrated through the most sophisticated boundary protection devices and will not be detected!
Not only are steganography applications easy to find, they are also easy to download, install, and use. Many of the applications offer a “drag and drop” interface or a “wizard” interface. It definitely doesn’t take a guru to use these applications. Even the most technically challenged insider can easily use the majority of steganography applications currently available as freeware or shareware on the Internet.
A recent Google search on “steganography” yielded over 2,000,000 results. Although insiders may not think of “steganography” if they want to hide information to exfiltrate it from the network, the words “information hiding” could easily come to mind. A recent Google search on “information hiding” yielded over 8,000,000 results … which would lead insiders to web sites where they could learn about using steganography to steal information with no risk of being caught because.
With the exception of some advanced real-time network security monitoring products, the current generation of network appliances and Data Loss Prevention tools do not detect insiders downloading digital steganography applications.
In a time when the bad guys are using every possible tool to sneak into networks undetected, insider use of digital steganography to steal sensitive information is an emerging threat. Organizations need to know when their trusted insiders are downloading steganography applications, primarily because it is an early warning signal that said insider is planning to steal information.
The question is, do you have a Robert Langdon watching over your information?
For more information on protecting against digital steganography threats, take a look at the following webinar. Let us know what you think!
By: James E. Wingate, CISSP-ISSEP, CISM, CHP, CHSS