Data Security question...

I was hoping some IT professionals could answer a couple questions…

I work for a company where we calibrate certain prototype things. I have reason to believe that a fellow employee might be stealing calibration and/or other sensitive files for a third-party, but I cannot prove this afaik. I have a strong suspicion that this individual is potentially a “spy”. However, I can’t risk opening this can of worms if there is no way to catch him other than red-handed.

Our computers are all networked together, and if someone can just pop in a thumb drive is there any way to see if this data is being stolen? Any way to see if “file-X” was recently copied to an unknown location (thumb-drive) at such and such date and time? Surely, there must be something that keeps track of stuff like this? All I know for sure is that we have many, many computers with access to various shared drives that our engineers and technicians can all use to move data and files between a test-cell where data originates from. It seems very insecure to me…is it?

I don’t want to cause a big scene unless I am sure…but since thumb-drives are so prevalent these days what really is there that one can do to safeguard sensitive data other than hope that the local IT gods here have thought of thumb-drive risks and at least instituted a system to track what is copied and/or moved from hdd over to floppy or thumb drive.

Any help would be great!

There really isn’t anything native to the Windows, I’m assuming Windows, OS that does that kind of tracking. There are software products that do track that, but all will require you to install a client on the machine you want to monitor, and none that I know of are free. So it looks like you’ll have to make more of a commitment than it appears you want to make.

The answer is: It depends.

That the files reside on a network volume does mean there is a process by which the local machine has to explicitly ask for them, and that request can be logged, but it depends how it’s set up on your particular network - it might only be configured to log connection to the shared folder, rather than each and every file access event.

Windows has built-in auditing, so you can monitor the success or failure of lots of things, including file access. You can do it per file(s), obviously, because you probably don’t want to monitor access to every single file!

Usram,

Do I need to have someone with network access?

I would be interested in knowing about those settings, please.

You need to enable auditing for whatever kinds of activity you are interested in, using Group Policy or Local Policy. Then you can just use right-click/Security/Advanced to control who gets audited for what.

Although I’m not sure how much use that would be to the OP - sounds like they want to allow the engineers to copy the files around internally, just not to certain destinations such as removable disks. But if you can read a file, you can copy it.

If you’re running Windows “Longhorn” Server and/or Vista, your administrators can control USB devices directly.

If you’re on XP or 2000, there are third-party apps such as DeviceLock that let you control what can be done on a USB port via Windows Group Policy.

As far as file auditing goes, you really need an infrastructure in place to handle it - our Active Directory installation logs in excess of eleven billion file transactions per month. Of course, we also have over 100,000 employees, and the OP’s company sounds like it has less than 100, but if you don’t have automated log analysis tools and a staff of people to manage it, it can be nearly impossible to deal with the resulting millions of transactions.

(Assuming Windows out-of-the-box.) If someone has read access, that someone can copy. There’s no easy way to disallow copy-to-USB stick, though if you Google on it, you’ll see loads of info on that subject. No, Windows does not keep track of reading/copying files, but as said, you can configure an audit policy. That is, you first enable Success Audit object access in Active Directory’s group policy, or you enable it locally, opening the local policy object with gpedit.msc. Walk your way down through Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy (from memory, but should be good enough). Enable Success Audit object access. In Run, type Gpupdate /force to have this take effect immediately.
Now, open Properties for the file you want to audit, choose Security tab, Advanced button, Auditing tab. Add your friend. Choose for instance, Allow Read.
The result is that the next time the guy copies a file, or reads it, Windows will create events in Event Viewer’s Security log.
That’s the best you can do out of the box. You need Administrator’s rights/permissions in Windows to do this.
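The steps in the post above, scripted in PowerShell as an added example (not part of the original thread). It assumes Windows Vista/Server 2008 or later (where `auditpol` subcategories and event ID 4663 apply), an elevated prompt on the machine that hosts the file, and a hypothetical path and account name.

```powershell
# Added example; $Path and $Account are hypothetical placeholders.
# Run from an elevated PowerShell prompt on the machine that stores the file.
$Path    = 'D:\Shares\Calibration\file-X.dat'   # hypothetical file to audit
$Account = 'EXAMPLE\jdoe'                       # hypothetical account to audit

# 1. Turn on success auditing for file system object access
#    (command-line counterpart of the Audit Policy setting in the post).
auditpol /set /subcategory:"File System" /success:enable

# 2. Add an audit entry (SACL) to the file: log successful reads by $Account.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Account, 'Read', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Later: read object-access events (ID 4663) from the Security log and
#    keep only those that refer to the audited file.
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    } |
    Where-Object { $_.Object -eq $Path }

# 4. Summarise per user so the result stays readable on a busy machine.
$hits | Group-Object User |
    Select-Object Name, Count,
        @{ Name = 'First'; Expression = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ Name = 'Last';  Expression = { ($_.Group | Sort-Object Time)[-1].Time } }
```

A read audit records that the account opened the file and with which process; it does not record where a copy was written. For a file on a shared drive, the events are written to the Security log of the server hosting the share, not the workstation.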

Yes, it is insecure. Read your company’s policy on such matters and follow it. If there is no such policy, raise your concerns - including the lack of policy - with your Compliance / Security and IT departments. Don’t tell them he’s stealing the info but raise concerns about how this person’s activities have made you think about security and maybe they’d like to investigate, both on the personal and on the general level? Make sure your manager knows in advance.

I know absolutely nothing about computer security or hacking.
But would it be possible to use a keystroke-logging device on the suspect’s computer?
And would it be legal?

No I don’t want to do that…

But thanks all for your replies. I am gonna read up on my company’s IT policies with regard to thumb-drives and then if they don’t have anything in place I will suggest it.

Easiest way I can think of would be to simply disable the USB ports in BIOS. Computers in many secure areas use several low tech techniques for preventing this type of theft. #1 actual computers are in a locked cabinet that employees cannot easily access from workstation. #2 remove all drives/connectors that can be used to easily offload data. I have seen several situations where machines can only access files/apps via network and lack CDrom drives, usb ports, floppy drives, etc.