How can I secure a network share from the insider threat?

If you want to prevent an insider from stealing your data, I'd guess you have only one strong defense: don't give them access to the data. In other words, use access control to limit their access to the data. If the insider has access to all the data, prevention is really hard.

One alternative is to detect signs of such misuse: e.g., where someone has accessed far more data than you would expect they would legitimately need for the purposes of their job. Detection is imperfect, and doesn't necessarily provide any great way to recover from such a leak, but it might provide some deterrence.


I can't offer a Windows-based solution for your problem, but I can suggest one for Linux, which might be adaptable if it will suit your needs.

Use the Samba Audit Module to monitor and log file access. You will then be able to see what users are accessing what files.
You can then either monitor this manually or write a script to detect an unusual amount of file activity.
For instance, you could write a script to monitor and, if a user pulls down X files in Y minutes, flag an alert and perhaps automatically block their user account till an admin checks what’s going on. It obviously won't stop people stealing your data but will at least give you a better idea of who did and perhaps stop them before they get everything.

Resources

  • How to track Windows user access, create files / modify files on Linux SMB
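
One way to implement the "X files in Y minutes" check described in the answer above, as an added example that is not part of the original answer. The log layout (ISO timestamp, then `user|client_ip|operation|result|mode|path`), the sample lines and the function names are assumptions; match the parsing to the prefix your audit module is configured to write.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Assumed layout:
# "<ISO time> <host> smbd_audit: user|client_ip|operation|result|mode|path"
SAMPLE_LOG = [
    "2024-03-04T09:00:05 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|hr/policy.docx",
    "2024-03-04T09:40:00 fs1 smbd_audit: alice|10.0.0.21|open|ok|r|hr/leave.xlsx",
    "2024-03-04T10:00:00 fs1 smbd_audit: bob|10.0.0.37|open|fail (Permission denied)|r|finance/payroll.xlsx",
    "garbage line that is not an audit record",
] + [
    f"2024-03-04T10:01:{s:02d} fs1 smbd_audit: bob|10.0.0.37|open|ok|r|finance/q{s}.xlsx"
    for s in range(0, 60, 10)  # bob reads six files in under a minute
]

def parse_line(line):
    """Return (time, user, path) for a successful read-open, else None."""
    try:
        stamp, _host, _tag, record = line.split(" ", 3)
        user, _ip, op, result, mode, path = record.strip().split("|", 5)
        when = datetime.fromisoformat(stamp)
    except ValueError:
        return None  # malformed or unrelated line
    if op != "open" or result != "ok" or mode != "r":
        return None  # only count reads that actually succeeded
    return when, user, path

def find_bulk_readers(lines, max_files, window):
    """Map each user who opened more than max_files distinct files within
    `window` to (time the threshold was first crossed, distinct file count).
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)  # user -> (time, path) events inside the window
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        when, user, path = event
        events = recent[user]
        events.append((when, path))
        while when - events[0][0] > window:  # drop events older than the window
            events.popleft()
        distinct = len({p for _, p in events})  # re-opening one file counts once
        if distinct > max_files and user not in alerts:
            alerts[user] = (when, distinct)
    return alerts

if __name__ == "__main__":
    for user, (when, n) in find_bulk_readers(SAMPLE_LOG, 4, timedelta(minutes=5)).items():
        print(f"ALERT {user}: {n} distinct files within 5 minutes at {when}")
```

Counting distinct paths rather than raw open events keeps an application that repeatedly re-opens the same document from tripping the threshold.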

I'm going to assume that you've already created folder level permissions. But you don't mention whether or not you're running a Windows Active Directory Domain. If you are, then you'll have a couple of great features up your sleeve that won't cost you anything.

1) Active Directory Rights Management Server (RMS). This gives you granular control over access to documents, and whether or not people can email documents, print them, convert to PDFs and so on.

2) DFS namespace. Many people use DFS solely for replicating files. But a DFS namespace also acts as a virtual file-share. If people know the name of your file-server then they know a) where the files physically are and b) which server to attack! But a namespace acts as a proxy, so you can bury your files deep in your network.

Using these in combination with standard NTFS and SMB permissions will be a really effective defence. Good luck.