(This article was first published on Zhihu)

Companies dealing with confidential information usually divide their areas into low, medium, and high confidentiality zones:

  • Low confidentiality zone: for image streams, video streams, and information streams, there is some capability to detect and trace leaks;
  • Medium confidentiality zone: for image streams, video streams, and information streams, there is some capability to prevent leaks in advance and to detect them, and a strong capability to trace leaks afterwards;
  • High confidentiality zone: for image streams, video streams, and information streams, there is a strong capability to prevent leaks in advance.

The high confidentiality zone is the simplest: it is physically isolated, with security equipment at the entrance, and electronic devices such as mobile phones and USB drives may not be brought in.

The medium and low confidentiality zones are more difficult because the office computers inside can access the Internet, and mobile phones can also be brought into the office. The following discusses how to maintain information security from the dimensions of leak prevention, leak detection, and leak tracing. Leak prevention refers to preventing data from leaking out, leak detection is the ability to discover and report when data leakage may occur, and leak tracing is the ability to trace who leaked the data when the data has already leaked.

There are already many companies specializing in such solutions, and the following are some specific technologies.

Leak Prevention

PC / Laptop

You must use the company’s PC or laptop to access the company’s network. These computers have been strengthened in terms of software and hardware for information security. Seals are affixed to the equipment to prohibit disassembly, and personal devices are not allowed to access the company’s network (the handling of mobile phones is discussed in the next section).

The company’s wireless network only allows low-confidentiality devices to connect, and it uses dual authentication (MAC address plus a cryptographic handshake protocol) to prevent external devices from connecting.

The company’s wired network can allow low, medium, and high confidentiality devices to connect, but physical seals must be affixed to the network interface to prohibit unauthorized connection to non-company networks.

The networks of the low, medium, and high confidentiality zones are physically isolated. To transmit data between them, you must go through a designated jump server. Transferring data from a high confidentiality zone to a low confidentiality zone requires manual review and is logged. The transfer of encrypted documents and other materials is prohibited.

Drivers block the use of USB drives, wireless network cards, and other devices with storage and data transmission functions.

The company’s internal and external networks are isolated, and you must go through a designated HTTP Proxy to access the Internet. The HTTPS root certificate of the network filtering device is pre-installed on each computer. When an HTTPS website is accessed, the network filtering device replaces the site’s certificate with one it issued itself, thereby implementing a man-in-the-middle attack and decrypting the HTTPS content.

The HTTP Proxy blocks cloud storage, email, and other websites, prohibits HTTP requests over a certain size, and prevents unintentional file uploads to the Internet.

Non-standard operating systems and virtual machines are prohibited to prevent bypassing driver monitoring.

High confidentiality files use Office’s permission management function to prohibit screenshots, printing, copying, etc.

Mobile Phone

To use the company’s app, you must grant it the highest permissions on the mobile phone system. The app refuses to run on rooted phones.

Screenshots are prohibited within the company’s app.

Files within the company’s app are not downloaded locally and cannot be opened by other apps.

Leak Detection

Add kernel hooks in the file system to monitor file system operations, and alert on high-risk operations that attempt to bypass security mechanisms, such as non-standard programs accessing document files (especially high-confidentiality documents) or file extensions being modified.

Monitor HTTP Proxy traffic, and alert when a large number of HTTP requests are generated in a short period of time or when the total data volume of HTTP requests (excluding responses) is too large. The HTTP Proxy also analyzes the content of outbound traffic and alerts if it contains features of code or document files.
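The request-rate and request-volume alerts described above can be sketched as a per-user sliding window over proxy logs. This is an added example, not code from the original article; the log format, the thresholds, and the sample lines are constructed assumptions, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; real values come from measured baselines.
WINDOW_SECONDS = 60
MAX_REQUESTS = 100
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # request bodies only, responses excluded

def parse_line(line):
    """Parse 'epoch_seconds user method host request_bytes' (constructed format)."""
    ts, user, method, host, req_bytes = line.split()
    return int(ts), user, method, host, int(req_bytes)

def detect_upload_anomalies(lines, window=WINDOW_SECONDS,
                            max_requests=MAX_REQUESTS,
                            max_bytes=MAX_UPLOAD_BYTES):
    """Return [(timestamp, user, reason)], at most one alert per user and reason."""
    recent = defaultdict(deque)   # user -> (ts, request_bytes) still inside the window
    totals = defaultdict(int)     # user -> request bytes currently inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, user, _method, _host, size = parse_line(line)
        q = recent[user]
        q.append((ts, size))
        totals[user] += size
        # Evict entries that have fallen out of the sliding window.
        while q and q[0][0] <= ts - window:
            totals[user] -= q.popleft()[1]
        checks = (("request_rate", len(q) > max_requests),
                  ("upload_volume", totals[user] > max_bytes))
        for reason, hit in checks:
            if hit and (user, reason) not in alerted:
                alerted.add((user, reason))
                alerts.append((ts, user, reason))
    return alerts

# Constructed sample: alice browses normally, bob sends many small requests,
# carol sends a few large ones that each stay under a per-request size limit.
SAMPLE = (
    [f"{1000 + i * 10} alice GET example.org 500" for i in range(5)]
    + [f"{2000 + i // 5} bob POST example.net 20000" for i in range(150)]
    + [f"{3000 + i * 5} carol POST example.com 1000000" for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect_upload_anomalies(SAMPLE):
        print(alert)
```

Counting only request bytes matters here: the per-request size limit in the Leak Prevention section does not stop many requests that are each under the limit, which is what the windowed total catches.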

Install hooks in Office software to record the opening time of document files, page turning frequency, etc. Alert when a large number of documents are opened in a short period of time, or when the page turning frequency is relatively fixed, as this may indicate photography.
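One way to test for a "relatively fixed" page turning frequency is the coefficient of variation (standard deviation divided by mean) of the gaps between page turns. This is an added example, not code from the original article; the log format, the thresholds, and the sample sessions are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

MIN_INTERVALS = 8   # assumed: fewer page turns than this is too little evidence
MAX_CV = 0.15       # assumed: coefficient of variation below this counts as "fixed"

def page_turn_intervals(log_lines):
    """Group 'epoch_seconds user doc_id' page-turn records into per-session gaps."""
    turns = defaultdict(list)
    for line in log_lines:
        ts, user, doc = line.split()
        turns[(user, doc)].append(int(ts))
    return {key: [b - a for a, b in zip(sorted(t), sorted(t)[1:])]
            for key, t in turns.items()}

def fixed_cadence_sessions(log_lines):
    """Return [(user, doc_id, cv)] for sessions whose page-turn rhythm is too regular."""
    flagged = []
    for (user, doc), gaps in sorted(page_turn_intervals(log_lines).items()):
        # Skip sessions that are too short to judge (or have degenerate timing).
        if len(gaps) < MIN_INTERVALS or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv < MAX_CV:
            flagged.append((user, doc, round(cv, 3)))
    return flagged

def _session(user, doc, start, gaps):
    """Build constructed log lines from a start time and a list of gaps in seconds."""
    times, t = [start], start
    for g in gaps:
        t += g
        times.append(t)
    return [f"{ts} {user} {doc}" for ts in times]

# Constructed sample: alice reads at an irregular pace, bob turns a page every
# 4 to 5 seconds, carol's session is too short to evaluate.
SAMPLE = (
    _session("alice", "doc-A", 1000, [12, 45, 8, 30, 95, 20, 15, 60, 7])
    + _session("bob", "doc-B", 5000, [4, 4, 5, 4, 4, 4, 5, 4, 4])
    + _session("carol", "doc-C", 9000, [3, 3, 3])
)

if __name__ == "__main__":
    print(fixed_cadence_sessions(SAMPLE))
```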

Add digital blind watermarks to the display through the graphics card driver or a hardware chip, and add digital blind watermarks to the company’s mobile app and printers. The blind watermark is best embedded in the frequency domain, so that the watermark content can still be restored after the picture is rotated, scaled, cropped, compressed, photographed on the screen, or photographed after projection. This has been maturely applied in the film anti-piracy industry.

The company’s app monitors recently added pictures. If a digital blind watermark is found, it indicates that the screen or printed matter has been photographed.

Add digital blind watermarks to speaker audio, preferably in the frequency domain, so that the watermark content can be restored from a recording.

Alert when a large number of documents are printed in a short period of time, or when high-confidentiality documents are printed.

Install dedicated hardware in laptops and PC monitors. The hardware emits invisible light and relies on the physical reflection and refraction of a camera’s convex lens: if a covert photography device is present, its lens reflects the invisible light back to the monitor, and the hardware alerts when it receives a strong reflection.

Install dedicated hardware in PCs and laptops to detect the electromagnetic waves and ultrasonic features emitted by a camera when taking pictures. Camera imaging relies on a clock to scan line by line and pixel by pixel, and the clock operation generates extremely low frequency (ELF) electromagnetic waves. But this method has a high false positive rate, and a camera will also trigger it when it is not taking pictures of the screen.

Use the laptop camera to detect cameras, mobile phones, and other objects facing it. But this is useless if the laptop camera is covered, and the computational cost of real-time image recognition is high.

Alert when someone logs into someone else’s account on an unusual device.

Use social engineering methods to encourage employees to report each other. For example, if someone photographs documents on a laptop with a traditional film camera on a plane, with the laptop camera and the lens-detecting invisible light hardware blocked, and the quantity is small enough that the document access volume and page turning frequency alerts are not triggered, it is difficult to detect. But there may be other employees on the same plane who discover this behavior. Or, if someone posts a photo containing the company’s confidential information to an external group and other employees see it, they can report it, and the leak source can then be located through the digital blind watermark.

Use social engineering methods to attempt to purchase or obtain leaked company data through third-party channels. If the person who stole the data tries to sell it, they may be discovered.

Leak Tracing

The digital watermark mentioned in the “Leak Detection” section contains user information, which can locate the source of the data leak.

Add kernel hooks in the graphics card driver, periodically capture screen content and report it to the server for future auditing. Security personnel can check screen captures or monitor real-time screen content at any time.

Record file system access logs through the kernel hooks of the file system and upload them. Record and upload program running logs.

Record the content transmitted by the HTTP Proxy. Use hooks in the network protocol stack to record which program is accessing the HTTP Proxy, focusing on the outbound traffic generated by non-standard programs other than browsers.

If abnormal behavior or traffic is detected through the methods in the “Leak Detection” section, you can combine screen captures or recordings, file system access records, program running records, and HTTP Proxy transmission records to manually review whether there are behaviors such as taking photos of the screen, using non-standard programs to “whitewash” confidential files, and uploading confidential files to the network.

Problems That Cannot Be Solved

In fact, the above methods can only detect behaviors such as taking photos and uploading confidential files to the network with a certain probability. It’s possible to get away with it once, but if you do it multiple times, the probability of getting caught will greatly increase. Many people just try it at first, and if they don’t get caught, they develop a fluke mentality. Many of the above leak detection methods are based on big data, and the larger the volume, the easier it is to detect anomalies.

The hardest problems to defend against with the above methods are manual copying and memorization.

However, whether it’s manual copying or memorization, it’s difficult to leak a large amount of information. At least it’s impossible to manually copy out millions of lines of code. And there is still the possibility of being discovered by social engineering methods.

For particularly confidential information, each person sees document content with subtle differences in layout format, content details, or specific numbers, or the information is conveyed directly by word of mouth. This way, even a leak by manual copying or memorization can be traced back. This is also a common trick in intelligence work, where the information each person holds is not exactly the same.
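The per-person variation described above can be sketched as wording slots that each encode one bit of a recipient index, with a tracer that still narrows the candidates when only part of the text leaks. This is an added example, not code from the original article; the memo text, the wording pairs, and the recipient names are constructed.

```python
# Constructed wording pairs; each slot carries one bit of the recipient index.
SLOTS = [
    ("ships in Q3", "ships in the third quarter"),
    ("roughly 40 engineers", "about 40 engineers"),
    ("the Shanghai site", "the site in Shanghai"),
    ("must not be shared", "may not be shared"),
]
# Constructed memo; "Project Falcon" is a made-up name.
TEMPLATE = "Project Falcon {0} with {1} at {2}. This memo {3}."

def normalize(text):
    """Lower-case and collapse whitespace so retyped copies still match."""
    return " ".join(text.lower().split())

def render_for(recipient_index):
    """Produce the variant of the memo that is issued to one recipient."""
    if not 0 <= recipient_index < 2 ** len(SLOTS):
        raise ValueError("not enough slots to encode this recipient")
    choices = [pair[(recipient_index >> i) & 1] for i, pair in enumerate(SLOTS)]
    return TEMPLATE.format(*choices)

def trace(leaked_text, recipients):
    """Return the recipients whose variant agrees with every slot visible in the leak."""
    text = normalize(leaked_text)
    observed = {}
    for i, (zero, one) in enumerate(SLOTS):
        if normalize(one) in text:
            observed[i] = 1
        elif normalize(zero) in text:
            observed[i] = 0
    return [name for idx, name in enumerate(recipients)
            if all(((idx >> i) & 1) == bit for i, bit in observed.items())]

RECIPIENTS = ["alice", "bob", "carol", "dave", "erin"]   # constructed names

if __name__ == "__main__":
    full_leak = render_for(RECIPIENTS.index("carol"))
    print(trace(full_leak, RECIPIENTS))
    # A hand-copied fragment exposes only two slots, so two candidates remain.
    print(trace("about 40  engineers at the shanghai site", RECIPIENTS))
```

With n two-way slots, 2^n recipients can be told apart from a complete copy; a fragment only eliminates the recipients who disagree with the slots it contains.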

By eliminating the possibility of leaking secrets through the network and USB drives, the fastest way to leak information is blocked. Being able to detect a large amount of photo-taking behavior with a high probability also blocks the second fastest way to leak information. The key to company information security is to prevent a person from taking out the full set of code and documents of the entire product.
