Display-only file server: a solution against information theft due to insider attack

Insider attack is one of the most serious cybersecurity threats to corporate America. Among all insider threats, information theft is considered the most damaging in terms of potential financial loss. Moreover, it is also especially difficult to detect and prevent, because in many cases the attacker has the proper authority to access the stolen information. According to the 2003 CSI/FBI Computer Crime and Security Survey, theft of proprietary information was the single largest category of losses in the 2003 survey totaling $70.1 million or 35% of the total financial loss reported in that survey. In this paper, we describe the design, implementation and evaluation of an industrial-strength solution called Display-Only File Server (DOFS), which can transparently and effectively stop information theft by insiders in most cases, even if the insiders have proper authorities to read/write the protected information. The DOFS architecture ensures that bits of a protected file never leave a DOFS server after the file is checked in and users can still interact with the protected files in the same way as if it is stored locally. Essentially, DOFS decouples "display access" from other types of accesses to a protected file by providing users only the "display image" rather than the bits of the files, and applies the thin-client computing model on existing client-server applications.