Kevin Beaver's Security Blog

Pros and cons of information hiding

I just read this good article on steganography and started thinking about the potential uses and misuses of this technology.

So, do you have a need to hide information on mobile systems/devices to keep prying eyes away in the event of theft or loss? Sounds like a good application for it. Although given the current state of mobile security [mostly nada] I can’t imagine too many people would go this far to protect mobile devices when they haven’t even done the basics.

Think about the other side of the equation: rogue employees doing bad things. What an empowering way for users to walk out with sensitive files…Even if they get caught they can rest assured that their misdeeds are likely going to go unnoticed/undetected with current ediscovery tools.

Yet another good thing to think about for your incident response plan and your ediscovery efforts. Lawyers: are you listening?

Also, this is a good reason to NOT give users local admin rights on their workstations. If they can’t install the software they can’t abuse the system. This may also be a good time to consider some Web-based content filtering to at least attempt to block people from browsing to these software download sites. It’s not foolproof but you can at least say that you had reasonable controls in place.