Insiders can use whistleblowing tools to steal data without a trail

The tools exist to bypass many data leakage programmes and facilitate mass exfiltration of data, so enable internal whistleblowing to avoid external access, says Edward Parsons.


Whistleblowing has had its fair share of the limelight over recent months. We've heard from the former undercover officer, Peter Francis, with allegations that police tried to smear the family and friends of Stephen Lawrence, and yet more from Edward Snowden, the former US intelligence employee who leaked classified documents revealing US internet and phone surveillance. Though whistleblowing isn't new, the way it's being done is changing.

Businesses have long identified the potential for employees or subcontractors, particularly those with privileged access to systems or sensitive data, to abuse that privilege and cause financial and reputational damage to their companies. In the information security industry, the insider threat has become synonymous with sabotage, understandably given the high-profile historic examples of sabotage attacks on a range of financial institutions. Individuals who have demonstrated the capability of well-placed insiders to disclose unprecedented amounts of information have also shown how they can co-operate with media agencies to achieve maximum exposure. Snowden, for example, used his position as a systems administrator contracted to the US Central Intelligence Agency (CIA) to collate and steal an alleged 1.7 million classified documents.

The Snowden debacle has cast the insider threat in a new light. One of the most interesting developments in the trend towards bulk data disclosure is the effort of the journalistic community, investigative journalists in particular, to facilitate disclosure through close co-operation with 'whistleblowers'. Such efforts are consistent with the media's vital role in holding governments and corporates to account, by investigating and reporting matters in the public interest. Undoubtedly, their efforts help to promote free speech in places where this right cannot be taken for granted.

With journalists faced with the prospect of interrogating previously unfathomable amounts of (often unstructured) data from the most sensitive sources, it is unsurprising the community has developed tools deliberately intended to help whistleblowers leak bulk data sets whilst evading detection. These tools become increasingly important as organisations gradually improve their security, for example by implementing data loss prevention (DLP) solutions. Ultimately, the recent development of open source software such as OnionShare and the Guardian's SecureDrop, specifically designed to help whistleblowers leak information and avoid common forms of online surveillance, could pose a risk to businesses. OnionShare, for example, allows users to securely and anonymously share files of any size, using the Tor (The Onion Router) network. These tools can be readily deployed by insiders to facilitate data leakage as a form of protest or, in the case of OnionShare, for more nefarious purposes, including crime and espionage. So how do businesses mitigate these risks?

Transparency and trust have never been higher on the corporate agenda and businesses should ensure they have internal whistleblowing mechanisms that allow staff with genuine issues to have them addressed internally, so they don't feel the need to leak data externally. Businesses and employers will likely disagree about whether it is in the public interest to leak sensitive commercial data, but if companies don't offer appropriate whistleblowing systems, staff may be tempted to go elsewhere. We are in an age where misdemeanours are easy to leak and harder to mitigate.

The danger is that cyber criminals, and even nation states, will have access to the same tools to get hold of commercially sensitive information. Businesses therefore need to be aware of emerging whistleblowing tools and consider how such developments and capabilities change their threat landscape. Thus, technical and administrative controls should be calibrated to the threats the businesses face.

Contributed by Edward Parsons, senior manager in KPMG's cyber security team