Detecting uploading using HTTP and copying using USB device

Question

Hi there,

I have been asked by my (pananoid!) boss to do two things 1. Detect when a user uploaded files to the net using HTTP. So for example how can I detect if a user uploads fire to a free webserver somewhere and can hense steal company data

1. Detect that a user is copying files to a USB device and what the name of these files are. Also if they copy a zip file to log the contents of the zip file, in case someone just zips up some company files and takes it like that.

Firstly is number 1 possible? and for number 2 can i detect the file names that are copied?

Secondly, any likes to software that does this?

Note that I am the network admin and everyone who I will monitor has local admin rights on their computer and we do not want to further restrict users access.

Thanks a lot

Answer 1

"Note that I am the network admin and everyone who I will monitor has local admin rights on their computer and we do not want to further restrict users access."

You can have liberty or security, but not both. The number of paths to get data out of an unlocked box are too many to enumerate. Someone zipped up the files and put them on a thumb drive? What if they used tar or shar or pasted them into a Word document, or printed them to a PDF file and sent it out via e-mail steganographically embedded in pornography?

Yeah, a former coworker was stupid enough to send a huge set of huge, logged e-mails to his future employer a couple of days prior to leaving, but you can't count on people being quite that stupid.

What your boss wants isn't possible given a moderately motivated thief and not wanting to "further restrict" access.

Answer 2

Given freely available cryptographically secure tools like OpenSSH (ssh, scp) are usable by almost anyone, what he's asking for is not possible.

Answer 3

There's basically no way to prevent a malicious employee from stealing and exporting data, short of strip searches when entering and leaving the building and no outside network access whatsoever.

Your boss should be more concerned with accidental data leakage (ie, mistyped email address or mistaken reply alls) and breach containment. The series of technologies dedicated to the former are called Data Leakage Prevention. I'm not hip to all their jive, but I bet more than a few companies would be willing to promise you the world if you showed interest.

The latter is mostly done by closely following the "least privilege" mindset. A guy from sales should not be able to use CVS to check out the source code to the product, and a developer shouldn't be able to access the payroll database. Always only grant the minimum amount of access required to someone in order for them to do their job.

Answer 4

ok thanks everyone, but is there a way to detect http uploads and to inspect the file names of what is copied to a USB device?

Answer 5

Short answer: No. Not unless you're willing to "further restrict access".

The access restriction for http uploads would be a filtering internet proxy. Make everyone go through Websense or something, and you have a log of everything they did online.

For the USB devices, no. Your option there, and how companies with security needs of that magnitude deal with that issue, is to tightly lock down the clients and disable USB key use. (as well as CD burners, floppy drives if you still have those, etc) Again, that's going to require intrusive software, something like Landesk, + removing local admin so users can't take the software off.