
Monitoring servers from theft the quickest way possible


EllaMonroe

IS-IT--Management
Feb 12, 2005
Hi, we have an employee who got fired and we are looking for a way to monitor our servers from employees willing to steal information for money being offered by him (he has been seen soliciting employees).

We have 200 workstations and no management software to manage them all fast. We must install or monitor any media being exported for cold hard cash... screen shots, emails, files, in a Windows environment. Users are not admins and have restricted rights on their stations.

What would be the easiest way to monitor this type of behavior? I have one SQL server which I would not want him to take from.
Thank you.
 
You actually need a few things.

1. You need a strict enforceable policy. You need to probably consult a legal entity to explain what can legally be classified as corporate espionage, what things you have that can be classified as trade secrets, and/or proprietary information. Once you have all the data and resources classified in this manner, you can then create policies that reflect the seriousness of giving data to this person or anyone else not authorized for that matter. Which brings us to the next point. You also need to have management decide what data belongs to what classification. This will not eliminate the threat, but it will reduce it. Once you have a clearly defined policy, you need to have all employees made aware of it (awareness training or meetings). Then they should all sign it. All the technical controls in the world won't help you if you don't have this covered.

2. If there's not a clearly defined reason for every employee in the company to have access to all data in the company, then they shouldn't have it. Even if they do have access to it, that access should be limited to what is required for them to do their jobs. This can be realized by group assignments and permissions. All privileged access should be audited. This includes copy and write permissions. Sounds like your OS is Windows, so you'll need to carefully construct some custom event log settings. There's tons of information on doing this on the web at random and more specifically in the Microsoft KB articles. I would probably set up some type of proxy or, if you really know Linux, Snort. You can use Snort to alert as to when certain files or folders are being sent across the wire (Snort is known as an IDS solution, but it's useful for other situations also).

3. You say you don't have any management software, but if your data and its protection and integrity maintenance is as important as you make it sound, you should definitely have some management package (there's some pretty cheap ones and free ones that'll get the job done).

4. After you've done all these things and have them in place, you need to test the effectiveness of your protection.

These things are just a start and some basic recommendations. It should at least get you started and headed in the right direction.

Good luck.

CISSP,ISC2 Affiliate & Instructor, MCT, MCSE2K/2K3, MCSA, CEH, Security+, Network+, CTT+, A+
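Point 2 above (audit privileged access to the data shares and watch for copy or write activity) can be put in place on a current Windows server with the script below. This is an added example, not code from the poster or the thread; it assumes an elevated PowerShell session on Windows Server 2008 or later (event ID 4663 and Get-WinEvent do not exist on the 2003-era systems the thread dates from), and the share path is a placeholder.

```powershell
# Added example (not from the thread): turn on object-access auditing,
# put a SACL on a shared data folder, and summarise who touched it.
# Assumptions: run elevated; $Folder is a placeholder path for your share.

$Folder = 'D:\Shares\Confidential'   # placeholder, adjust to your share

# 1. Enable the "File System" audit subcategory (success and failure).
#    Without this, SACL entries on the folder generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL that records read, write, append and delete attempts by
#    anyone, on the folder and everything beneath it.
$acl     = Get-Acl -Path $Folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success,Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Count 4663 (object accessed) events under the share per user for the
#    last 24 hours, so one account pulling far more files than its peers
#    stands out. Review the top entries against the job roles from point 1.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            User   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object = $d.ObjectName
            Access = $d.AccessMask
            Time   = $_.TimeCreated
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Auditing every read on a busy share fills the Security log quickly, so size the log (or forward it to a collector) before enabling the SACL.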
 
Very good points iownroot. You pretty much covered everything.....
 