Employee Exit - Top 5 or 10 things to examine system for

(@rudyr)
Posts: 3
New Member
Topic starter
 

Hi,
I am working on a presentation oriented towards non-technical folks, specifically in the HR department (so, REALLY non-technical).

The intent of the presentation is to raise their awareness regarding IP theft that can occur when employees leave the company. So, things like

- Exporting or forwarding the sales leads / contacts / emails from Outlook
- Copying files off the user's local file system
- Copying files accessed off of network shares
- Etc.

I'm reaching out to the community to see what particular approaches you might take if you were to examine a system of an outgoing employee. Not necessarily the most comprehensive, but if you were time and budget constrained, what might be the 5 or 10 things you'd definitely want to check for. Examples might be

- Log of USB activity
- Browser history / recent searches (e.g. "how to copy files" might be a recent search)
- Mail event history
- Etc.

Very open minded to what people see as possible forms of IP theft I haven't listed, as well as the Top 5 / 10 things to check for (short of a full soup to nuts examination of a machine) as well as the tools you might recommend to conduct the examination (Commercial suggestions like Encase w/ certain scripts is fine, but open source would be interesting as well to present a spectrum of cost options).

Thanks so much in advance!

 
Posted : 21/01/2013 12:51 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

* Log of USB activity.

If you have access to it, sure. However, having access to logs that say when a USB stick with serial number so-and-so was attached to the system - and not which files were copied to/from it - is rather useless.

* Browser history / recent searches (e.g. "how to copy files" might be a recent search)

That works well if the person is a complete idiot. Fortunately, there are some idiots who think that the organisation's network is their private one. Depending on your mandate within the organisation, budget and legislation, you can set up TLS interception and dump network traffic. It's not an easy step to take. Well, technically it is easy, but you may experience resistance when you explain it to your boss.

You should also start e-tagging documents so it is possible to autodetect if they leave the network (IDS rules). While it is possible to copy/paste information from document A to document B and resaving it, you can make the tagging part of the text.

* Mail event history

Can be a good source. The best info would be the emails themselves.

* Access to files/documents

A good thing to have would be a document management solution that logs access to files: sharing, reading and writing. This will not stop anyone from copying files manually outside the system, but it will show who had access to what information and during what time period; it can also show searches for things that are outside the normal area of a person's line of work. There are some data loss prevention products out as well, but I have not tried any of them and cannot vouch for their effectiveness.

But, the best thing to do would be to mitigate the problem in the first place.

Does everyone really need USB connectivity? If not, turn it off.
Do they need to be able to burn data to DVD? Disable the DVD drive.
Do they even need internet at all?

Someone who sits and develops code for the company, I would call that person an asset, and assets can be given separate laptops to do their surfing on. Laptops are cheap, corporate data is expensive. I know a corporation that had a separate developer network out in the R&D. Entrance to it was strict, no internet, no nothing. (Though you could tell the receptionist that you came from company so-and-so, and she would gladly hand you the keys to the server room.)

So basically - remove the problem before it hits the fan.

I know this is a forensics forum and all, and forensics is fun - but all it does in this case is discover that information has been stolen and given away to competitors; it cannot repair the damage.

 
Posted : 21/01/2013 3:05 am
(@rudyr)
Posts: 3
New Member
Topic starter
 

No doubt that pro-active prevention would be ideal. However, this is specifically for HR to discover ex-post violations by employees who have left the company. Actually, a couple of the things you mentioned have been very useful in work I've done (last USB attached serial #, and users search history for obviously unwise / incriminating queries).

What I'm looking for specifically is what, given JUST the exiting user's laptop, would be the 5 or so things that would be good to search for. So, assume no examination of corporate firewall logs, document management systems, etc. Simply the laptop and what are some worthwhile things to look for (e.g. a USB is plugged in, files are copied, maybe a file that is copied is opened... what remnants are typically left behind from this activity and what allows you to examine it. OR, user exports a PST or exports contacts, what history of that would remain and again, suggestions how to examine it).

 
Posted : 21/01/2013 5:22 am
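For the "a USB is plugged in, what remnants are left behind" case asked about above, and the USB log point raised in the reply before it, the following is an added example written for this thread; it is not code posted by anyone here. It parses `setupapi.dev.log` (found under `C:\Windows\inf\` on Windows 7 and later), which records the first time a driver was installed for a given device and so gives the earliest point a particular USB storage device touched the machine. The log text embedded below is constructed to mimic the real line format; vendor names, serials and timestamps are made up.

```python
"""Extract USB storage first-install events from a Windows setupapi.dev.log.

Added example for this thread, not code from any poster. The SAMPLE_LOG
below is constructed to look like the real file; every device in it is
fictional.
"""
import re
from datetime import datetime

# Header line that opens a "Device Install" section for a USB mass-storage device.
HEADER_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]"
)
# Timestamp line that follows the header (local time on the examined machine).
START_RE = re.compile(
    r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
)

# Constructed sample: three USBSTOR installs plus one USB\VID_ entry that
# should be ignored because it is the parent device, not the disk.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230809118181&0]
>>>  Section start 2013/01/15 09:32:11.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2013/01/15 09:32:14.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5530\\4C530001230809118181]
>>>  Section start 2013/01/15 09:32:09.001
<<<  Section end 2013/01/15 09:32:10.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2f1a4b5c&0&_]
>>>  Section start 2013/01/10 14:02:33.500
<<<  Section end 2013/01/10 14:02:35.010
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WD&Prod_My_Passport_0748&Rev_1019\\575836314137313634343637&0]
>>>  Section start 2013/01/18 18:05:40.010
<<<  Section end 2013/01/18 18:05:42.300
<<<  [Exit status: SUCCESS]
"""


def parse_device_id(device_id):
    """Split 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into its fields."""
    _, descriptor, instance = device_id.split("\\", 2)
    fields = dict(part.split("_", 1) for part in descriptor.split("&") if "_" in part)
    # If the second character of the instance ID is '&', Windows generated the
    # ID because the device reported no serial number; it then cannot be used
    # to tie the entry to a specific physical stick.
    serial_is_device = len(instance) > 1 and instance[1] != "&"
    return {
        "vendor": fields.get("Ven", ""),
        "product": fields.get("Prod", ""),
        "revision": fields.get("Rev", ""),
        "serial": instance.split("&")[0],
        "serial_is_device": serial_is_device,
    }


def parse_setupapi(text):
    """Return USBSTOR first-install events, oldest first."""
    events = []
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending:
            info = parse_device_id(pending)
            info["first_install"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            events.append(info)
            pending = None
    return sorted(events, key=lambda e: e["first_install"])


if __name__ == "__main__":
    for ev in parse_setupapi(SAMPLE_LOG):
        tag = "" if ev["serial_is_device"] else " (Windows-generated ID, no real serial)"
        print(f'{ev["first_install"]}  {ev["vendor"]} {ev["product"]} '
              f'serial={ev["serial"]}{tag}')
```

Two caveats a practitioner would want: the timestamps are local time on the examined machine, and `setupapi.dev.log` normally records only the first connection of a device instance, so later insertions of the same stick have to come from other artifacts (the `USBSTOR` keys in the SYSTEM hive and the related MountedDevices and user-profile entries) rather than from this file.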
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

We did extensive field testing of a USB monitoring process during an announced layoff period - and it was for naught.

Unless USB usage was forbidden, there is no way to differentiate between naughty versus nice USB copying. Copying a whole bunch of files? Sure, perhaps it's for business continuity. Copying one file? Sure, could be for malicious intent to steal but falls way beneath our threshold.

Even with active desktop monitoring (e.g. spector cne), it requires a team of individuals to step through the screenshots, attributing context to the employee's actions.

In the end Legal said, we trusted them before we announced the layoffs, we have to trust them afterwards.

 
Posted : 21/01/2013 7:11 am
(@athulin)
Posts: 1156
Noble Member
 

However, this is specifically for HR to discover ex-post violations by employees who have left the company.

If HR (or CISO or ...) has a concept of violation, then there's no point in listing random things: make a list of *their* violations, prioritize them, and then use that. That's at least a search with a specific target.

If saving classified documents is an issue, then search for those. If unlicensed software is an issue, then search for that. If use of non-approved USB devices is an issue, look for that.

But looking for, say, indications that cleaner software has been used … is kind of useless. An IT-savvy person would probably use one in order to protect any personal stuff that may be left – I know I do.

Much better to save the hard drive on the off chance that there may be future developments.

Still ... if anything like such a search-for-unknown-and-unsuspected-infractions is performed, make sure the cost of it is kept track of closely, and evaluated at least once every three months. That allows for economic sanity to interfere with the program.

 
Posted : 21/01/2013 12:44 pm
 Rong
(@rong)
Posts: 15
Active Member
 

One of the standard reports that gets sent to HR when they think data may be walking out the door are Network Print Logs. The logs won't give you the actual document but we do get Time of print jobs, document name and path of where document resides.

Yes, it didn't stop the data from going out but now our legal department can start doing what they do to lessen the damage.

 
Posted : 24/01/2013 8:29 pm
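As an added example of the print-log review described in the post above (this is my code, not the poster's, and the log lines are constructed): the Windows print server's `Microsoft-Windows-PrintService/Operational` log records one event ID 307 per completed job, whose message carries the job name, user, client machine, printer and page count. The script assumes the events have been exported to a tab-separated text file of `timestamp<TAB>event id<TAB>message`; that export layout and the threshold values are my assumptions. It parses the 307 messages, totals pages per user, and flags jobs that are large or printed outside business hours, which is the kind of summary that can be handed to HR or Legal.

```python
"""Summarise Windows PrintService event 307 records for an exit review.

Added example for this thread, not a poster's code. The export format
(timestamp, event id, message separated by tabs) and the sample records
are constructed; the 307 message wording follows the Windows event text.
"""
import re
from collections import defaultdict
from datetime import datetime, time

EVENT_307_RE = re.compile(
    r"Document (?P<job>\d+), (?P<doc>.+?) owned by (?P<user>\S+) on (?P<host>\S+) "
    r"was printed on (?P<printer>.+?) through port (?P<port>\S+)\.\s+"
    r"Size in bytes: (?P<size>\d+)\. Pages printed: (?P<pages>\d+)\."
)

# Constructed export: four 307 records for two users plus one unrelated event.
SAMPLE_EXPORT = (
    "2013-01-21 10:12:44\t307\tDocument 41, Microsoft Word - Meeting_Notes.docx owned by jsmith on \\\\WS042 "
    "was printed on HP LaserJet 4250 through port IP_10.0.0.20.  Size in bytes: 81920. Pages printed: 2. No user action is required.\n"
    "2013-01-23 19:48:10\t307\tDocument 57, Customer_Master_List.xlsx owned by jsmith on \\\\WS042 "
    "was printed on HP LaserJet 4250 through port IP_10.0.0.20.  Size in bytes: 5242880. Pages printed: 212. No user action is required.\n"
    "2013-01-23 20:03:55\t307\tDocument 58, Q1_Sales_Pipeline.pptx owned by jsmith on \\\\WS042 "
    "was printed on HP LaserJet 4250 through port IP_10.0.0.20.  Size in bytes: 1048576. Pages printed: 48. No user action is required.\n"
    "2013-01-24 09:15:02\t307\tDocument 12, Expense_Report.pdf owned by amiller on \\\\WS017 "
    "was printed on HP LaserJet 4250 through port IP_10.0.0.20.  Size in bytes: 40960. Pages printed: 3. No user action is required.\n"
    "2013-01-24 09:20:30\t800\tThe print spooler failed to load a plug-in module.\n"
)


def parse_print_log(text):
    """Return a list of dicts, one per event 307 record; other events are skipped."""
    jobs = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3 or parts[1] != "307":
            continue
        m = EVENT_307_RE.search(parts[2])
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        rec["job"] = int(rec["job"])
        rec["size"] = int(rec["size"])
        rec["pages"] = int(rec["pages"])
        jobs.append(rec)
    return jobs


def flag_jobs(jobs, page_threshold=50, business_hours=(time(8, 0), time(18, 0))):
    """Return [(job, [reasons])] for jobs that are large or printed out of hours."""
    start, end = business_hours
    flagged = []
    for job in jobs:
        reasons = []
        if job["pages"] >= page_threshold:
            reasons.append(f"{job['pages']} pages (threshold {page_threshold})")
        t = job["ts"].time()
        if job["ts"].weekday() >= 5 or t < start or t >= end:
            reasons.append("printed outside business hours")
        if reasons:
            flagged.append((job, reasons))
    return flagged


def per_user_totals(jobs):
    """Map user -> {'jobs': n, 'pages': total} for a quick HR-facing summary."""
    totals = defaultdict(lambda: {"jobs": 0, "pages": 0})
    for job in jobs:
        totals[job["user"]]["jobs"] += 1
        totals[job["user"]]["pages"] += job["pages"]
    return dict(totals)


if __name__ == "__main__":
    jobs = parse_print_log(SAMPLE_EXPORT)
    for user, t in sorted(per_user_totals(jobs).items()):
        print(f"{user}: {t['jobs']} jobs, {t['pages']} pages")
    for job, reasons in flag_jobs(jobs):
        print(f"FLAG {job['ts']} {job['user']} '{job['doc']}': {'; '.join(reasons)}")
```

The job name in a 307 record is whatever the application submitted, so it usually includes the file name but not its full path; where the path matters, it has to come from the print server's own job logging, as the post notes, or from the client machine. The thresholds are a starting point for triage, not evidence on their own, and the same "large job could be legitimate" objection raised earlier in the thread applies here too.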
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm reaching out to the community to see what particular approaches you might take if you were to examine a system of an outgoing employee. Not necessarily the most comprehensive, but if you were time and budget constrained, what might be the 5 or 10 things you'd definitely want to check for. Examples might be

As has already been mentioned, I would think that the best place to start is to go to HR (or just your target audience in general) and determine what they feel is a "violation". For some organizations, "surfing pr0n" might be a violation of acceptable use policies, but they might not have thought of "IP theft" as an issue.

You mention USB devices…there are a number of freeware tools that are available to assist you with this, but most use the publicly-accepted process for determining USB thumb drives and external drive enclosures connected to systems, and as such, miss other rather ubiquitous devices.

Very open minded to what people see as possible forms of IP theft I haven't listed, as well as the Top 5 / 10 things to check for (short of a full soup to nuts examination of a machine) as well as the tools you might recommend to conduct the examination (Commercial suggestions like Encase w/ certain scripts is fine, but open source would be interesting as well to present a spectrum of cost options).

I'm creating the Forensic Scanner application for examinations just like what you've described. I'm doing so, in part, to make it easier to do these sorts of exams quickly, but also because while the tools are out there, most of them do not work together.

If you want to discuss your original topic offline, you can reach me at keydet89 at yahoo dot com.

 
Posted : 29/01/2013 12:18 am
(@davnads)
Posts: 41
Eminent Member
 

Perhaps this is relevant - http://davnads.blogspot.com/2011/11/intellectual-property-ip-theft-and.html

 
Posted : 30/01/2013 9:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I am working on a presentation oriented towards non-technical folks, specifically in the HR department (so, REALLY non-technical).

Contact me offline…I'm working on a product right now that will meet your requirements.

 
Posted : 30/01/2013 9:54 pm