Tek-Tips Forums

Curious IT employee at my office!

00700070 (Technical User, CA), Oct 29, 2004

Hi everyone,

I need help. I have good reasons to think that the IT employee at my office is "sniffing" around some confidential data on our network. He does that from the office, not through the firewall.

How can I catch this guy? Any suggestions? If I install some monitoring tool, I'm scared the IT employee will find it.

Any solutions are welcome!

Luc
Montreal
 
Why don't you contact IT and ask them to help you? I'm sure they would be willing to help you out.

----------------------------
"Security is like an onion" - Unknown
 
Contact your upper management and have them address the issue. Adding 3rd-party tools to your production network without prior approval may be grounds for dismissal, so it is best not to risk it. Unfortunately, IT staff are normally the owners of the keys to the kingdom. Explain to upper management what you feel is being viewed, along with the damage it may cause. Suggest a centralized auditing solution for sensitive data that may be monitored.
 
Hi Windexx,
The thing is that I am the upper management. I have to address the issue; I can't have someone else deal with this problem...

I could install monitoring tools (I know them very well), but I'm positive that the IT employee will notice it!

And yes, I have a lawyer on the case so that I don't intrude on privacy, etc.

Maybe a "hardware keyboard sniffer"? But again, every good IT guy goes behind his computer to plug/unplug connectors...

I'm stuck...

Thanks for the response; any others will be welcome!

Luc
Montreal

 
Seems you are in quite a bad place :-( First make sure that you have a logon notice that states that employees may be monitored. If so, then you may be covered (consult with your lawyer) to monitor activities. 3rd-party apps are available, such as Desktop Surveillance, which hides its processes and installs remotely. If the IT staff do not suspect that you suspect, then it may slip well underneath their radar. I'm sure your lawyer will tell you to tread very carefully due to possible lawsuits. Otherwise, I don't know any good short-term solutions unless you have enough evidence to fire the employee(s) for one reason or another. A good checks-and-balances process is having centralized (real-time) auditing that alerts not just the IT staff but also. Another is a direct confrontation with the employees (again, consult with your lawyer).

If the employees do not use auditing in the environment, their skillset in using it may be lacking. If that is the case, you can turn it on and set it for specific directories only, for access by administrators. As long as you are an admin, you may be able to view the event logs and copy them off. Let me know if you have questions regarding Windows auditing. Dangerous waters, though... and you would need them to not be paranoid.

I wish you the best of luck in your situation.
 
Indeed, dangerous waters. What about bringing in a 3rd-party security auditor? That generally includes having the IT department audited as well. Of course, you would want to run the idea by your lawyer to make sure you don't run into entrapment issues and so on.

----------------------------
"Security is like an onion" - Unknown
 
Thanks guys,

I'll think about these solutions over the weekend.

I was wondering, could I set up a "trap"? I could put a very interesting document for him to read, clearly marked "confidential", on the network, then have software monitor this file (access/read/write, etc.). Maybe this could work?

Thanks again... I need a drink :(
Have a good weekend!

Luc
 
I have a similar issue, and I am exploring software solutions to monitor network traffic, specifically as to who is viewing/downloading what files (especially accounting files). Can anyone recommend a solution?
 
Hire IT staff that you can trust, and/or hire outside IT for "security reviews". The reviewers can bury some logging utilities pretty well, and they will know when someone "disables" their work. They give you a synopsis of what is going on with your network on schedule. Bring them in monthly/bi-monthly/etc. and let everyone know about it.

For other suggestions: you can password-protect MS Office/zip/etc. files. (Sure, you or I can crack most of them in an hour or so, but it gives you a reason to ask why the IT machine has been running LOPT for the last 50 minutes...)

Or use Windows EFS; it is challenging even when I have access to your HD. MAKE SURE YOU MAKE A RECOVERY DISK when using EFS: if your HD goes poof, all is lost, and even the backups are garbage without a backup key!

 
Unfortunately... I have a few IT friends... and the stories they tell horrify me! We're a small company, but growing... and this is just a safety precaution. 'EFS'... can you direct me to info on that? Isn't there a program that can log all downloaded files on the network?
 
Hire IT staff that you can trust, and/or hire outside IT for "security reviews". The reviewers can bury some logging utilities pretty well, and they will know when someone "disables" their work. They give you a synopsis of what is going on with your network on schedule. Bring them in monthly/bi-monthly/etc. and let everyone know about it.
Which is where I was headed with my statements. :)

speaktek: EFS stands for Encrypting File System. On Windows 2000 you have to install EFS separately (it comes on a floppy disk, provided you are in the US). To be honest, I haven't checked to see what it takes for EFS on XP.

----------------------------
"Security is like an onion" - Unknown
 
You need to make a decision soon, as sensitive company/employee data may be making its way out of your company.

Hire a third-party forensics firm and discuss it with them. They will be able to provide you with the confirmational data and reports that will resolve your suspicions.

At this point, that is all they are. Whether correct or not, you need to put this to rest.
 
EFS is useless if the IT staff in question are domain admins. Have a corporate-wide solution instead of a bunch of unknown solutions that you cannot control.

3rd-party forensics teams will find very little, if anything at all, as browsing is not "hostile" and does not leave much (if any) trace.

Confirm that employee computer policies are in order. Check different best-practices guides for your domain (assuming a Windows environment). Ask for procedures on requesting access and how they respond to user requests (they may just give access to anyone that needs it without authorization... it happens). Enable auditing. If the data is sensitive, have your users encrypt data/e-mail with PGP or another technology (not EFS). This seems to be the easiest route for you. If you go this route, your company must control the keys and be able to decrypt anything stored in case of emergency or investigation. Another solution is a document management system that encrypts the data, where documents must be checked out and back in. This will give you security and also control over who reads and who can change the data.
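On the "make a recovery disk" advice earlier in the thread and the point just above that EFS does not protect data from a domain admin: the following commands are an added example for this thread, not code from any poster. They assume Windows XP SP2 / Server 2003 SP1 or later (where `cipher /x` exists), are run as the user who owns the files, and use hypothetical paths and names.

```powershell
# Added example for this thread, not a poster's code. Assumes Windows XP SP2+ / Server 2003 SP1+
# (cipher /x appeared there) and hypothetical paths. Run as the user who owns the files.

# 1. Encrypt a folder and everything under it; files created there later are encrypted too.
cipher.exe /e /s:C:\Data\Board

# 2. Back up THIS user's EFS certificate and private key to a password-protected .pfx.
#    Keep it off the machine (removable media in a safe): without it, a dead disk or a
#    rebuilt user profile leaves every encrypted file, and every backup of it, unreadable.
cipher.exe /x E:\EfsBackup\luc-efs-key        # writes luc-efs-key.pfx after prompting for a password

# 3. Create a dedicated recovery-agent key pair. Import recovery-agent.cer as the Data Recovery
#    Agent (Local Security Policy > Public Key Policies > Encrypting File System) and give
#    recovery-agent.pfx to the person who should be able to recover files. This is the point of
#    the domain-admin objection: in a Windows 2000/2003 domain the default DRA certificate is
#    issued to the built-in domain Administrator, so whoever holds that key decrypts everything.
cipher.exe /r:E:\EfsBackup\recovery-agent     # writes recovery-agent.cer and recovery-agent.pfx

# 4. List which files on the local drives are actually encrypted (/n makes no changes).
cipher.exe /u /n
```

The .pfx files are the whole secret: whoever holds the user's or the recovery agent's .pfx (and its password) can read the files, so they belong with the owner or a trusted third party, not on the server the admin under suspicion controls.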
 
If you're dealing with IT staff nosing around areas they shouldn't be, you need to replace them. You can go out and buy sniffers (hardware/software), but it doesn't matter: if they're not placed properly, or you don't have the community names on the network equipment, you're not going to get anything helpful. If the IT staff are internal, there is always a boss above their heads; escalate the issue to him/her, i.e. the owner of the company. If the IT staff is an outsourced company, hire a new one; usually bigger shops, e.g. EDS, will have a better escalation procedure if you have a complaint regarding IT personnel.
 
windexx,

Forensics analysts will find more than you imagine. They use tools specifically geared toward tracking and tracing activity that others think doesn't leave much of anything.

Forensics does not deal only with hostile activities; it deals with all activities.

Just ask some of the people who are now behind bars or unemployed as a result of forensic investigations.

Luc, if you want to "put up a trap" try using a honeypot.
 
Interesting thread, and I'm on both sides...

I run my own IT business, so I know how to cover my own tracks if need be, but I also know that once you assign someone an admin account you open your system.

Having a honeypot is fraught with legal problems, because you could be in trouble for encouraging a crime to take place (my thoughts).

Would it be best to set the security to block everyone except named people from accessing the folder through NTFS permissions? The downside is that the admin runs a backup of the folder, moves the backup file to another machine and can then extract the data without the security. This also means that there's less of an audit trail :(

How many files are we talking about, and are these files read-only? If so, why not move them to CD and only give them to the people who require them?

I have had a bad time with file encryption; I lost a load of work because the main machine died and I was unable to decrypt the data.

What does your contract with the IT guy say? My contracts with clients point out the Non-Disclosure Agreement, which allows them to sue me should I release any data under my remit.

Would it be possible to move the files to your own XP Pro machine and share the folder from there? Then you set up local security auditing so you can monitor the file activity in real time; plus, when you leave the office at night the PC is turned off, so he/she can't remotely access the files from home over a weekend.

Tez
 
I used to do computer forensics in a past position and conducted some internal investigations. I admit the amount of info that can be dug up through forensics tools is extensive and that it can result in people losing their jobs by digging up evidence. The issue comes with the timing and what is being done. Computer forensics is still at the mercy of the operating system. For example, auditing is only worthwhile if it is turned on and set to the files you would like to audit. If auditing is not turned on, then there are no audit logs to even go back to on backups :-( Slack space, deleted files, etc. are a great source of information. Going through this data on a server looking for access to files, I'm afraid, will not yield much info. If it happened very recently and you know the name of the file(s), then the chances are better. Servers also tend to have a lot of writes on the drives. The issue is that admins will have access to all files, or at least the ability to give themselves access (and remove it to cover their tracks). The choices seem to be: move the data away from the admins, or encrypt the data and have another person control the keys (if applicable). Honeypots can get you into trouble and high lawyer bills... though they are very cool! Consult your friendly neighborhood lawyer before using one to catch someone, like Tazzie said.
 
Windexx,

Sorry for the delay; I was out of town dealing with this issue. I have thought of a "honeypot", but I need to monitor the file access to this trap, and I'm still searching for a simple program that does it!

Anyway, I don't think I'll have to do this: the guy is going to be interviewed by forensic investigators tomorrow! They will cook the guy... ;) I have built a big case for the forensic team; no real evidence, but just enough to give them meat. And in addition, I have found a "disconnected" terminal, hidden behind boxes in the shop; after a partial review of the system, I have found that all his cracking stuff is still on this machine!?! GAME OVER!

Thanks guys, you have been of great help during hard times... and especially Windexx...

A BIG thanks

Luc
Montreal
I'll let you know the end of the story...
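The "trap" Luc describes (a bait document whose every read is logged) is what Windows object-access auditing does natively, and it is the monitoring Windexx and Tez outline earlier in the thread. The PowerShell below is an added example written for this thread, not code from any poster. It assumes a Windows Server 2008 / Vista or later file server and an elevated prompt: `auditpol.exe`, `Get-WinEvent` and event ID 4663 do not exist on the Windows 2000/XP/2003 systems of 2004, where the equivalent is enabling "Audit object access" in Local Security Policy (secpol.msc) and reading event ID 560 from the Security log with Event Viewer. The bait path, folder and account names are hypothetical.

```powershell
# Added example for this thread, not a poster's code.
# Assumes Windows Server 2008 / Vista or later, run from an elevated PowerShell prompt.
# The bait path is hypothetical.

$Bait = 'D:\Finance\Confidential\Q3_salary_review.xlsx'

# 1. Turn on object-access auditing (success and failure) for the File System subcategory.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Create the bait file and attach a SACL so that any read of it, by any account, is logged.
New-Item -ItemType Directory -Force -Path (Split-Path $Bait) | Out-Null
Set-Content -Path $Bait -Value 'CONFIDENTIAL - salary review, do not distribute'
$acl  = Get-Acl -Path $Bait -Audit            # -Audit is needed to read/write the SACL part
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]::ReadData,
            [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Bait -AclObject $acl

# 3. Later: list who touched the bait.
#    Event 4663 = "An attempt was made to access an object"; SMB reads from other machines
#    are logged here on the file server, with the account that opened the file.
function Get-BaitAccess {
    param(
        [string]$Path = $Bait,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML instead of parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = $d.AccessMask      # 0x1 = ReadData for a file
                Process = $d.ProcessName     # e.g. System for SMB access, explorer.exe for local
            }
        }
}

Get-BaitAccess | Format-Table -AutoSize
```

The weak point is the one the thread keeps coming back to: the Security log sits on a machine the suspected admin administers, and a domain admin can clear it. Clearing is itself recorded (event 1102, "The audit log was cleared"), so a fresh log with a 1102 entry is telling, but the durable fix is to forward Security events (Windows Event Forwarding via wecutil, or a syslog agent) to a collector that person has no rights on. Reads that never go through the file's SACL, such as restoring the folder from a backup the same admin took, will not appear here, which is Tez's objection above.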
 
Luc,

Good luck with the outcome. Whatever method or means you used, the premise is to safeguard your company, employees and investors.
 