This article can also be found in the Premium Editorial Download "Information Security magazine: Symantec 2.0: Evaluating their recent acquisitions."
While most of the attention on stego is focused on nefarious behavior, there are some legitimate applications. They aren't being widely applied, but their use is growing.
The most obvious use is to protect intellectual property and trade secrets, for example, when executives are traveling abroad. It's good practice to assume that all communications—emails, phone and instant messaging—are being watched and analyzed at all times. If this sounds paranoid, consider the limited infrastructure in many countries that makes it feasible to monitor the relatively few ingress and egress points.
Even crypto isn't foolproof. For example, if an executive conducting negotiations sends a short message, this could indicate that his company received what they wanted—or maybe the deal is simply dead. However, if there are 50 encrypted messages back and forth, it probably means they are working on an alternative plan, or that negotiations have hit a snag.
In this kind of situation, stego is the perfect alternative, hiding sensitive information within innocuous communications. For example, our traveling executive could use stego to hide business messages in his daily video conference with his family.
What You Don't See Can Hurt
In the past, stego has primarily been used by criminals to evade law enforcement, but it's increasingly used by malicious insiders to steal information that could cost your company millions of dollars.
On the other hand, stego can also be used to protect an organization's critical trade secrets and increase the security of existing security devices.
You are already investing time, money and personnel to secure your company's critical data. If you ignore the risks of stego, your best efforts may be undermined.
This was first published in November 2006