Hi, this is George Silowash. Recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise...paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments, and I thought I would share some information regarding this type of attack.
Our database of over 500 cases contains the following types of cases in which a scanner, copier, printer, or FAX machine was used as part of the insider's attack:
|Device Used||Number of Incidents|
It should be noted that our database contains one instance in which a copier, FAX, and printer were all used in the same attack. More on that later.
Technology in the workplace enables employees to efficiently do their jobs and accomplish the mission of the organization. It is often these same technologies that enable malicious insiders to cause harm to the organization. Management, Information Security, and Information Technology support teams must work to secure both the physical and virtual environments. This typically entails implementing physical protections for servers, workstations, and mobile devices while Access Control Lists (ACLs) restrict access to data. Other devices are often overlooked and left with little to no protection.
These devices should be included in organizational risk assessments:
Printers can allow a malicious insider to extract sensitive company documents and remove the documents from the organization to share with competitors or even start their own business.
Organizations should carefully monitor printer activity and retain logs of printed documents. These logs should be audited as part of an organization's continuous log monitoring program. Personnel should be alerted when anomalies occur, such as printing before or after business hours or printing an unusually high number of documents for that particular user.
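The two anomalies named above (printing outside business hours and an unusually high page count for that particular user) can be checked directly against print-server logs. The following is an added example, not code from the original post; the CSV log layout, user names, business hours, and thresholds are assumptions chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample print-server log: timestamp, user, document, pages.
SAMPLE_LOG = """\
2024-03-04T09:15:00,alice,status_report.docx,4
2024-03-05T10:02:00,alice,agenda.docx,2
2024-03-06T14:30:00,alice,minutes.docx,3
2024-03-07T11:45:00,alice,budget.xlsx,5
2024-03-08T21:40:00,alice,project_plan.pdf,6
2024-03-04T13:00:00,bob,invoice_0301.pdf,10
2024-03-05T13:05:00,bob,invoice_0302.pdf,12
2024-03-06T13:10:00,bob,invoice_0303.pdf,11
2024-03-07T13:20:00,bob,customer_list.xlsx,240
"""

BUSINESS_HOURS = range(8, 18)  # assumed policy: 08:00-17:59 local time
VOLUME_FACTOR = 5              # assumed threshold: 5x the user's median daily pages
MIN_DAYS = 3                   # require some history before judging volume


def find_anomalies(log_text):
    """Return sorted (date, user, reason) tuples for print jobs worth review."""
    alerts = set()
    daily = defaultdict(lambda: defaultdict(int))  # user -> date -> pages
    for ts, user, _doc, pages in csv.reader(io.StringIO(log_text)):
        when = datetime.fromisoformat(ts)
        daily[user][when.date()] += int(pages)
        # Evening, early-morning, and weekend jobs are flagged regardless of size.
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            alerts.add((when.date().isoformat(), user, "outside business hours"))
    for user, days in daily.items():
        for day, pages in days.items():
            # Baseline is the user's own other days, so a spike cannot hide itself.
            others = [p for d, p in days.items() if d != day]
            if len(others) >= MIN_DAYS and pages > VOLUME_FACTOR * median(others):
                reason = f"{pages} pages vs median {median(others)}"
                alerts.add((day.isoformat(), user, reason))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Comparing each user against their own history matters here: a fixed organization-wide page limit would either miss a low-volume user's spike or constantly flag staff who print heavily as part of their job.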
Companies must also ensure that hardcopy documents are properly disposed of when they are no longer needed. Documents containing proprietary information must be destroyed by those who are authorized to do so. Organizations should consider who has access to hardcopy documents during the document's lifecycle. The CERT database has cases where janitors took documents containing personally identifiable information (PII) or other sensitive information from the organization. If the documents had been properly managed and disposed of, the risk of malicious insider activity may have decreased.
Scanners also pose a threat to organizations. Documents that are not in digital form or are not accessible in electronic form due to access restrictions can be scanned by a user who has authorized access to a scanner.
Companies need to provide printed documents with a level of protection commensurate with what they provide for digital files. People receiving printouts must have a valid need to know and permission to have access to these hard copies. In the above cases, trusted business partners had access to physical documents to perform a contractual obligation. Contracts with trusted business partners need to stipulate the need for thorough background investigations. In addition, if company-sensitive documents are being scanned, a company representative should monitor the process to ensure that the contractor is not mishandling company information.
FAX machines are an older technology that continues to exist in many organizations. These devices can be used by an insider to send documents out of the organization, often without being detected.
In the above examples, the insiders were able to FAX documents to accomplices or competitors. One solution to reduce this threat is to limit access to FAX machines whereby employees in the organization must submit their documents to another individual to review and transmit.
Copiers allow insiders to duplicate company documents without the worry of having to remove original documents from the organization, which could lead to faster detection.
Access to copiers needs to be limited when company-sensitive information is at stake. In the above example, the insider was able to copy customer checks for identity theft purposes. The insider's activities should have raised red flags when opened mail was delivered.
Finally, the malicious insider who used all of the methods that we have been discussing worked as an administrative assistant to a top executive at the victim organization. As part of her job responsibilities, she had access to confidential trade secrets and other proprietary information. She was caught making copies of confidential documents, leaving her workplace with them, and attempting to sell them for money. She handed over some of the copies to buyers and faxed others. The insider also printed out some of the executive's emails, which contained confidential project information. The only monetary impact reported was $40,000 restitution ordered to be paid by the insider.
These cases highlight the need for organizations to be more vigilant about all technologies used in the organization. Scanners, copiers, printers, and FAX machines all have a place in an organization. However, incorporating them into enterprise risk assessments, as well as into the policies that govern their use, will help to identify and mitigate the risks associated with them.
Our team would like to hear what you are doing to counter this threat. If you have any questions or comments please email us using the feedback link.