UCCS CS 6910 - When Insiders Attack Covert Data Channels

When Insiders Attack: Covert Data Channels
Joe B. Taylor
CS 691 Advanced System Security Design, University of Colorado at Colorado Springs

Abstract—Theft of confidential and proprietary organizational data can be very damaging to an organization. Theft can be hard enough to prevent on its own, but it is even harder when the theft is perpetrated by an insider with legitimate access to the data. If the thief is technically skilled and can create a covert data channel, detecting the theft in progress may become still more difficult. Network hardening can reduce the opportunities available for theft, and detection techniques can help find even the most covert of data channels.

INTRODUCTION

Theft of proprietary information can seriously harm an organization and possibly destroy it. Employees with access to confidential information can be persuaded, and sometimes frustrated, into stealing the information for profit or revenge. Organizations lock down their networks and do not allow removable media such as writable CDs or flash drives. But is this enough to stop a determined insider from taking critical information?

Insiders are people who have or had legitimate access to the organization's networks and data based on job duties. System administrators and business analysts must have access to critical networks, servers and information to complete their duties for the organization. Employees and former employees are sometimes approached by outsiders with the offer of money in exchange for certain organizational information. Employees can also be frustrated by actions and decisions of the organization to the point that they decide to use the organization's information against it in an act of retaliation or revenge.

Covert data channels can be a way around a company's physical and procedural protection of its information. If the organization allows any type of communication with the outside world, a covert channel can likely be established. This external communication does not need to include network protocols designed for transmitting user data; in fact, almost any protocol can be used, including ICMP and DNS. Even completely encrypted communication protocols can be used to create covert channels, without requiring the encryption to be broken or keys to be known.

Covert data channels can be thought of in terms of a telegraph and Morse code. Information is transmitted in small amounts and at a relatively slow pace when compared to most protocols on modern networks. Morse code breaks letters down into series of three short or long transmissions. In a covert data channel, messages are broken into small pieces similar to Morse code. Standard binary is often used, but any encoding scheme could be used since the transmitter and the receiver are controlled by the same person. In timing channels, a single bit is transmitted during each predefined time interval. These time intervals can be as small as a few milliseconds, so a timing channel can transmit data much faster than a human-operated telegraph.

Covert data channels complicate the problem of confinement. Ideally, communication between a server and a user should not allow any information that the user considers confidential to be disclosed to unauthorized parties. [4] By manipulating the arrival time of existing network traffic slightly, an insider can transmit data using network traffic that was not intended to carry the information.

In the remainder of this paper, we will explore statistics about actual insider thefts, the problem of confinement and multiple types of non-standard data channels. Then we will focus on a particular type of data channel known as a covert timing channel and look at the different sub-types within this type of channel, the factors that affect their operation and what can be done to detect them.

1. INSIDER INFORMATION THEFT

The Computer Emergency Response Team (CERT) reviewed 40 instances of confidential information theft within critical infrastructure sectors in the United States. Half of the cases reviewed involved not only data theft but other types of insider attacks such as fraud and sabotage. [6] Three-fourths of the attackers were employed by the organization they stole from at the time of the theft. Slightly less than half of the aforementioned attackers had also already accepted a position with another organization. Out of all 40 cases analyzed, four-fifths of the attackers were male and over half of them were in technical positions within the organization. [6]

Most of the attackers reviewed in the CERT research did not have to resort to extremely technical means to accomplish the theft. Some used remote access to the organization's network, some copied information to floppy disks, and one even installed a modem to dial in from outside to steal the information. [6] Basic physical and procedural controls should be fully implemented before implementing detection of covert channels, since the attacker is likely to use the simplest technique possible to achieve his goals.

2. PROBLEM OF CONFINEMENT

Total isolation is the absolute solution to the problem of data leaks. [4] However, completely isolating data makes it unusable by anyone and therefore makes total isolation impractical. A practical solution for confinement will have to be a compromise between a complete lack of access and reasonable access that allows the data to be utilized by the appropriate people and processes. Since we are focusing on insider attacks in this paper, confinement becomes even harder to deal with, since someone within the organization must have access to the data for it to be of any use. Placing physical and procedural barriers around the data will make it more difficult for the data to be moved out of the organization's servers and networks. Computer policies that prevent removable media from being mounted on network computers remove one easy method of taking data out. Securing network traffic to prevent outbound FTP and other data transport protocols can remove another easy-to-use method of extracting information. Beyond the basics of network security, we must
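The introduction describes a covert timing channel as one bit per predefined interval, carried by small shifts in the arrival time of existing traffic. The following added example (not from the paper) shows two statistics a defender can compute over observed inter-arrival times to flag such a channel: the bucket entropy of the delays and a window-variance regularity test in the spirit of Cabuk et al. Both samples, the thresholds and the bin/window sizes are constructed assumptions for illustration.

```python
# Added example (not part of the paper): two simple statistics a defender can run
# over observed packet inter-arrival times to flag a covert timing channel.
import math
import random
import statistics
from collections import Counter

rng = random.Random(7)  # fixed seed so the constructed samples are reproducible

# Constructed sample 1: legitimate traffic, inter-arrival times in milliseconds
# with natural jitter (exponential, mean 50 ms).
BASELINE_MS = [rng.expovariate(1 / 50) for _ in range(200)]

# Constructed sample 2: traffic whose gaps cluster near one of two values
# (one bit per interval, as the paper describes), plus +/- 0.5 ms of jitter.
SUSPECT_MS = [rng.choice((22.0, 42.0)) + rng.uniform(-0.5, 0.5) for _ in range(200)]


def bin_entropy(delays, bin_ms=5.0):
    """Shannon entropy (bits) of the delays after quantising into bin_ms buckets.
    A channel that maps symbols to a few fixed delays occupies very few buckets."""
    counts = Counter(int(d // bin_ms) for d in delays)
    n = len(delays)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def regularity(delays, window=20):
    """Relative spread of the per-window standard deviation (regularity test).
    Machine-paced gaps keep nearly the same variance in every window, so the
    spread is small; application traffic drifts from window to window."""
    sds = [statistics.pstdev(delays[i:i + window])
           for i in range(0, len(delays) - window + 1, window)]
    return statistics.pstdev(sds) / statistics.mean(sds)


def looks_like_timing_channel(delays, max_entropy=2.0, max_regularity=0.1):
    """Flag only when both signals trip, to keep false positives on bursty but
    legitimate traffic low (thresholds are assumed, tune them per network)."""
    return bin_entropy(delays) < max_entropy and regularity(delays) < max_regularity


if __name__ == "__main__":
    for name, sample in (("baseline", BASELINE_MS), ("suspect", SUSPECT_MS)):
        print(f"{name}: entropy={bin_entropy(sample):.2f} bits "
              f"regularity={regularity(sample):.3f} "
              f"flag={looks_like_timing_channel(sample)}")
```

On real captures, feed the detector per-flow inter-arrival times and calibrate the thresholds against a baseline window of known-good traffic for the same protocol.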