8

We have a network share that contains thousands of files. I am concerned that anyone with access to the internet could copy that information to a CD.

In addition to disabling all removable media, what else could I do to prevent someone from stealing our data?

AviD
SLY
  • Are they a particular type of files? Do all users have access to all the files and do they require it? – Mark Davidson Feb 14 '11 at 15:54
  • Two words: Air gap. – Iszi Feb 14 '11 at 16:13
  • I don't know if an air gap is practical for our office situation. They are mostly text files and pdfs. – SLY Feb 14 '11 at 16:17
  • It would be hard to segment the information. Perhaps I could lock down files that hadn't been touched in a year. Then I would need a Windows solution to allow them to request access easily. – SLY Feb 14 '11 at 16:20
  • 3
    Can you add more context? See the faq. Exactly what access does who have now? If the info is available via CIFS and is only protected by a firewall and possibly a widely-known password on the share, this is not windows-specific since anyone could mount it remotely from most any platform. Do people have internet access from their desktops? Is the information immediately useful to anyone, suitable for resale in bulk or in small pieces, would you know if it was being used, would watermarking help, etc. etc. – nealmcb Feb 14 '11 at 17:28
  • 3
    I agree with @nealmcb, there's almost a good question in here but you need to be more specific about who has access to the info, who needs access to it, what it represents, what formats are used, etc. –  Feb 14 '11 at 17:31

6 Answers

5

If you want to prevent an insider from stealing your data, I'd guess you have only one strong defense: don't give them access to the data. In other words, use access control to limit their access to the data. If the insider has access to all the data, prevention is really hard.

One alternative is to detect signs of such misuse: e.g., where someone has accessed far more data than you would expect they would legitimately need for the purposes of their job. Detection is imperfect, and doesn't necessarily provide any great way to recover from such a leak, but it might provide some deterrence.

D.W.
4

I can't offer a Windows-based solution for your problem, but I can suggest one for Linux which might be adaptable if it will suit your needs.

Use the Samba Audit Module to monitor and log file access. You will then be able to see what users are accessing what files.
You can then either monitor this manually or write a script to detect an unusual amount of file activity.
For instance, you could write a script to monitor and, if a user pulls down X files in Y minutes, flag an alert and perhaps automatically block their user account till an admin checks what's going on. It obviously won't stop people stealing your data but will at least give you a better idea of who did and perhaps stop them before they get everything.

Resources

Mark Davidson
  • 1
    Windows has this capability as well, but most people just turn it off because it would cause a *massive* bloat of the log files. – Iszi Feb 14 '11 at 17:03
  • 2
    @Iszi: if you need to audit that info, it isn't bloat ;) –  Feb 14 '11 at 17:33
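The "X files in Y minutes" check suggested in the answer above, which is also the kind of over-access detection the first answer describes, sketched as an added example (not code from any poster on this page). It assumes Samba's `vfs_full_audit` module is logging successful opens to syslog with `full_audit:prefix = %u|%I`; the log lines, host name, users and thresholds are constructed for illustration, and lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: syslog ISO timestamp, host,
# then user|ip|operation|result|mode|path from vfs_full_audit).
SAMPLE_LOG = """\
2011-02-14T09:00:01 fs1 smbd_audit: alice|10.0.0.5|open|ok|r|reports/q1.pdf
2011-02-14T09:00:10 fs1 smbd_audit: bob|10.0.0.9|open|ok|r|hr/a.txt
2011-02-14T09:00:20 fs1 smbd_audit: bob|10.0.0.9|open|ok|r|hr/b.txt
2011-02-14T09:00:25 fs1 smbd_audit: bob|10.0.0.9|open|ok|r|hr/b.txt
2011-02-14T09:00:40 fs1 smbd_audit: bob|10.0.0.9|open|ok|r|hr/c.txt
2011-02-14T09:01:05 fs1 smbd_audit: bob|10.0.0.9|open|ok|r|hr/d.txt
2011-02-14T09:20:00 fs1 smbd_audit: alice|10.0.0.5|open|ok|r|reports/q2.pdf
2011-02-14T09:40:00 fs1 smbd_audit: alice|10.0.0.5|open|ok|r|reports/q3.pdf
2011-02-14T10:00:00 fs1 smbd_audit: alice|10.0.0.5|open|ok|r|reports/q4.pdf
"""

# Only successful read-opens are counted; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|"
    r"open\|ok\|r\|(?P<path>.+)$")

def parse(line):
    """Return (timestamp, user, path) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["user"], m["path"]

def find_bulk_readers(lines, max_files=3, window=timedelta(minutes=5)):
    """Map each user who opened more than max_files distinct files
    inside one sliding window to the time the threshold was crossed."""
    recent = defaultdict(deque)   # user -> (timestamp, path) in window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, user, path = rec
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:   # evict opens older than window
            q.popleft()
        # Re-opening the same file does not count twice.
        if user not in alerts and len({p for _, p in q}) > max_files:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    print(find_bulk_readers(SAMPLE_LOG.splitlines()))
```

On the sample, bob crosses the threshold with four distinct files in under a minute, while alice's four files spread over an hour never share a window.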
3

I'm going to assume that you've already created folder level permissions. But, you don't mention whether or not you're running a Windows Active Directory Domain. If you are then you'll have a couple of great features up your sleeve, that won't cost you anything.

1) Active Directory Rights Management Server (RMS). This gives you granular control over access to documents, and whether or not people can email documents, print them, convert to PDFs and so on.

2) DFS namespace. Many people use DFS solely for replicating files. But a DFS namespace also acts as a virtual file-share. If people know the name of your file-server then they know a) where the files physically are and b) which server to attack! But a namespace acts as a proxy, so you can bury your files deep in your network.

Using these in combination with standard NTFS and SMB permissions will be a really effective defence. Good luck

2

You might want to take a look at FileAudit, as this software solution monitors, archives and reports on accesses (or access attempts) to sensitive data stored on Windows systems.

With a right click in Windows Explorer or from the console, FileAudit instantly gives an error-ridden and comprehensive list of:

  • read/write accesses
  • appropriation attempts (accepted or denied)
  • permission modification attempts (accepted or denied)

each record detailing:

  • the user
  • the domain
  • the date and time of connection and disconnection

for:

  • a file
  • a selection of files
  • a folder and subfolders
  • a selection of folders and subfolders
1

Full disclosure: I work for Varonis, but truly and honestly believe that the product I'm about to talk about is very good at specifically addressing insider threats in large file sharing environments.

Varonis is a good option for this. It supports Windows file shares, UNIX/Linux, OneDrive, Exchange, AD, NAS, SharePoint, etc.

It does permissions management (to help enforce least privilege), auditing (so you can see what users are doing) and alerting (so you can detect abnormal insider behavior).

Key permissions functionality:

  • Maps permissions so you can see who has access to which file share data
  • Scans the contents of files so you can see which folders are sensitive and overexposed
  • Lets you model permissions changes in a sandbox so you can see which users will be impacted
  • Execute permissions changes directly from Varonis

Key auditing/alerting functionality:

  • Captures all file share activity from all users in a searchable audit trail
  • Baselines the behavior of users (every file open/move/modify/delete)
  • Alerts when abnormal behavior occurs (an insider decides to grab a bunch of files he hasn't touched in a long time, a service account touches user data, etc.)
  • Can send alerts to your SIEM for correlation

Here's a free video course (not sales-y at all) on insider threats developed by Microsoft Regional Director / MVP Troy Hunt. It's a really good overview of the whole insider threat problem and talks about defensive measures.

Rob Sobers
1

There are a range of products to do this, for example the McAfee DLP suite - a lot will depend on the scale required. I have only seen this work well in small to medium sized organisations, as the volume of data becomes incredibly difficult to manage in a larger organisation.

Even organisations that try to adhere to restricted/secret requirements get this badly wrong (WikiLeaks, anyone :-) )

Rory Alsop