search menu icon-carat-right cmu-wordmark

Data Exfiltration and Output Devices - An Overlooked Threat

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hi, this is George Silowash and recently, I had the opportunity to review our insider threat database looking for a different type of insider threat to the enterprise...paper. Yes, paper. In particular, printouts and devices that allow for extraction of digital information to paper or the management of paper documents. This area is often overlooked in enterprise risk assessments and I thought I would share some information regarding this type of attack.

Our database of over 500 cases contains the following types of cases in which a scanner, copier, printer, or FAX machine were used as part of the insider's attack:

Device Used
Number of Incidents
Copier 1
Fax 3
Printer 30
Scanner 2

It should be noted that our database contains one instance in which a copier, FAX, and printer were all used in the same attack. More on that later.

Technology in the workplace enables employees to efficiently do their jobs and accomplish the mission of the organization. It is often these technologies that also enable malicious insiders to cause harm to the organization. Management, Information Security, and Information Technology support teams must work to secure both the physical and virtual environments. This typically entails implementing physical protections for servers, workstations, and mobile devices while Access Control Lists (ACLs) restrict access to data. Often times other devices are overlooked and left with little to no protection.

These devices should be included in organizational risk assessments:

  • printers
  • scanners
  • FAX machines
  • copiers

Printers can allow a malicious insider to extract sensitive company documents and remove the documents from the organization to share with competitors or even start their own business.

  • In one case, the insider was a disgruntled scientist at a technology component manufacturer. The insider exfiltrated research documents using his access privileges. He downloaded the documents onto his laptop, sent them to his email account, and physically carried the document printouts out of the workplace. He also mailed some of the research documents to the component manufacturer's competitors. The total losses were estimated to be about $3 million. The insider was sentenced to five years probation, fined over $7000, and ordered to perform 200 hours of community service.
  • In another case, the insider worked with a conspirator to sell physical blueprints and trade secrets to a competitor organization. Although potential losses were estimated to be between $50 million and $100 million, the victim organization was able to prevent the information from being used by the competitor. The insider was sentenced to prison and fined $20,000.

Organizations should carefully monitor printer activity and retain logs of printed documents. These logs should be audited as part of an organization's continuous log monitoring program. Personnel should be alerted when anomalies occur, such as printing before or after business hours or printing an unusually high number of documents for that particular user.

Companies must also ensure that hardcopy documents are properly disposed of when they are no longer needed. Documents containing proprietary information must be destroyed by those who are authorized to do so. Organizations should consider who has access to hardcopy documents during the document's lifecycle. The CERT database has cases where janitors took documents containing personally identifiable information (PII) or other sensitive information from the organization. If the documents had been properly managed and disposed of, the risk of malicious insider activity may have decreased.

Scanners also pose a threat to organizations. Documents that are not in digital form or are not accessible in electronic form due to access restrictions can be scanned by a user who has authorized access to a scanner.

  • In one case, an insider was contracted by a telecommunications company to scan physical trade secret documents into digital form. After scanning the documents, the insider stole some of the electronic files and posted them on a hacking website. The total potential damages were estimated to be $25 million while the insider was ordered to repay over $145,000 in restitution.
  • An insider was employed by a document imaging company. The imaging company was a trusted business partner of a university. The insider stole 1,700 student transcripts containing the students' PII while digitally archiving them for the university. The insider was never identified, and the monetary impact of the incident was never fully understood.

Companies need to provide commensurate levels of protection to printed documents as they do for digital files. People receiving printouts must have a valid need to know and permission to have access to these hard copies. In the above cases, trusted business partners had access to physical documents to perform a contractual obligation. Contracts with trusted business partners need to stipulate the need for thorough background investigations. In addition, if company sensitive documents are being scanned, a company representative should monitor the process to ensure that the contractor is not mishandling company information.

FAX machines are an older technology that continues to exist in many organizations. These devices can be used by an insider to send documents out of the organization, often without being detected. .

  • Insiders were employed by a financial institution and used the institution's computer systems to access PII of 68 customers, including the customers' credit card numbers. They then faxed this information outside of their organization to their accomplices. In total, almost $600,000 was stolen through the fraudulent activity. The insider was sentenced to over one year imprisonment, two years of supervised release, participate in a drug/alcohol program and repay over $99,500 in restitution.
  • In another case the insider was a disgruntled engineer for a product manufacturing company. Fearing his job was in jeopardy, he sent technical drawings to a competitor organization via fax and email. The damage to the victim organization was estimated to be roughly $1.5 million. The insider was sentenced to over two years in prison and ordered to repay $1.3 million in restitution.

In the above examples, the insiders were able to FAX documents to accomplices or competitors. One solution to reduce this threat is to limit access to FAX machines whereby employees in the organization must submit their documents to another individual to review and transmit.

Copiers allow insiders to duplicate company documents without the worry of having to remove original documents from the organization, which could lead to faster detection.

  • The insider was employed as a mail room supervisor by the victim organization, which was a financial institution. While on site and during work hours, the insider opened the organization's mail and copied checks that customers had sent in for deposits. The insider sold the copies to an identity theft group, which used the valid account numbers to make fraudulent checks. The insider was arrested, but information regarding the monetary impact was unknown.

Access to copiers needs to be limited when company sensitive information is at stake. In the above example, the insider was able to copy customer checks for identity theft purposes. The insider's activities should have raised red flags when opened mail was delivered.

Finally, the malicious insider who used all of the methods that we have been discussing, worked as an administrative assistant to a top executive at the victim organization. As part of her job responsibilities, she had access to confidential trade secrets and other proprietary information. She was caught making copies of confidential documents and leaving with them from her workplace and attempting to sell them for money. She handed over some of the copies to buyers, as well as faxed some. The insider also printed out some of the executive's emails which contained confidential project information. The only monetary impact reported was $40,000 restitution ordered to be paid by the insider.

These cases highlight the need for organizations to be more vigilant about all technologies used in the organization. Scanners, copiers, printers, and FAX machines all have a place in an organization. However, incorporating them into enterprise risk assessments as well as polices that govern their use will help to identify and mitigate risks associated with their use.

Our team would like to hear what you are doing to counter this threat. If you have any questions or comments please email us using the feedback link.

About the Author