Preventing imminent employee data theft

An employee at a client company called today and asked if it was possible to copy the company's data onto his home machine. When I told him that I couldn't help him, he asked if I had the phone number of an old colleague who has left the IT business. He's going to find someone.

The network is well secured against everything else, but I didn't think I'd have to protect it from within.

I only have a couple of days to stop him from walking out with the goods. (Having him fired is not an option at this point.) I thought about EFS, but understand that you can just copy the files to a FAT drive and they're decrypted.

Any suggestions?

If the person in question has the ability to read the file, then they can copy it and take it with them.

If the user doesn't require access to these files then you should use file access control lists to prevent him from accessing the data.

When users need to have access for their job, encryption is not going to help. He would need to be able to decrypt the file to do his job, and then he can copy the decrypted file.

Microsoft Rights Management Server allows you to use a form of DRM to set what a user is allowed to do with a file, and also revoke file permissions. So even if he did leave and take off with the files, he would be unable to open them once you terminated his access. However, RMS is not widely implemented. It's not easy. And it sounds like your problem is much more immediate.

I think about all you can do is remind him of applicable law if you really think he is serious.  You may wish to consult a lawyer depending on the sensitivity of these files.
Bassman60 (Author) Commented:
The solution is to walk the guy out the door, but the owner isn't ready to do that.

Seeing as firing is not an option, how long before this guy walks? A couple of days? Surely this data is worth a lot to the company, so would it not be prudent just to watch the guy?

He would have to bring some sort of device into the offices to back the data up onto, and you do have a security policy for that sort of thing?

A product that I have used in the past is Safeguard Advance Security:

This can stop users using USB memory sticks, USB hard drives and CDRW. It can also stop users from using the PC's CD/DVD devices as well, but I am guessing it's too late for that.

As mentioned above I would reduce his rights to the absolute minimum on the data files and watch him.

Good Luck

Rich Rumble (Security Samurai) Commented:
In order to copy the file to a FAT drive/partition and have the file decrypted, that user has to have rights to do so... EFS will work in this case if that person doesn't have the rights, such as DomainAdmin (if the PC is joined to the domain). I'd suggest TrueCrypt (free) or Steganos Security Suite (not free) to encrypt the data and keep it from anyone. If only persons you can trust have access there is no need to implement "hardware limiting" such as the USB/CD-RW software above, which won't stop someone from zipping the files and emailing them, or copying them to an FTP server, or just plain-old printing them out to a printer.

EFS is a transparent encryption/decryption for those that have rights, TrueCrypt and others are more "apparent" and will prompt for a password to decrypt.
again: (very bottom)
Note: On NTFS volumes, files remain encrypted even when they're moved, copied, and renamed. If you copy or move an encrypted file to a FAT or FAT32 drive, the file is automatically decrypted before being copied or moved. Thus, you must have proper permissions to copy or move the file.
Sort of agree with your comment about hardware limiting, but I am guessing that the user will have access to the encryption key (if that's the way the poster goes) to the data that he needs to access and surely he would be able to print ;)
Bassman60 (Author) Commented:
My solution needs to be transparent and the user in question needs enough rights to be able to use the data files, which are part of a third-party app, until...well until my customer's attorney answers a couple of business questions unrelated to technology.

For now, the server is going to "crash" Friday afternoon for some inexplicable reason and be offline until I magically fix it Monday morning.
"For now, the server is going to "crash" Friday afternoon for some inexplicable reason and be offline until I magically fix it Monday morning."

Don't forget to put your question here to find out why the server crashed ;)
Rich Rumble (Security Samurai) Commented:
That is going to make it near impossible... if not impossible. If the app has good logging you may want to review the logs regularly, and/or turn up M$'s default logging (not very verbose) to a more verbose setup. You can TerminalService to the server and/or console it, go to Start > Run and type Secpol.msc and then modify the Auditing in the security folders. You'll likely need to increase the size of your event logs also to accommodate the more verbose logging.

Your other recourse is to install some sort of keylogging/spy-software such as spector pro on the users PC so that you can have evidence and screen shots of such activities... not much else one can do if access has to be granted, if they can read it, they can copy it to something, be it notepad, a zip file or even place it on a P2P program and have the interested 3rd party search for a very unique file name and DL it...
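
The audit setup suggested in the comment above, as an added example that is not part of the original thread: it enables file-system auditing, enlarges the Security log, audits reads on the data folder, and summarizes event 4663 per user per hour. It assumes Windows Server 2008 or later with PowerShell 3+ and an elevated prompt; the path, account name and threshold are hypothetical placeholders.

```powershell
# Added example. Assumptions: elevated prompt, Server 2008+/PowerShell 3+.
$DataPath = 'D:\AppData'      # hypothetical folder holding the third-party app's files
$Watched  = 'CONTOSO\jdoe'    # hypothetical account to audit

# 1. Enable file-system object-access auditing (command-line equivalent of
#    the Audit Policy settings reached through secpol.msc).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Grow the Security log to 512 MB so the extra events do not roll over.
wevtutil sl Security /ms:536870912

# 3. Add an audit (SACL) entry: log reads by the watched account,
#    inherited by every subfolder and file under $DataPath.
$acl  = Get-Acl -Path $DataPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $Watched, 'ReadData', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $DataPath -AclObject $acl

# 4. Review: distinct files touched per user per hour (event 4663).
#    An unusually high count in one window suggests a bulk copy.
function Get-FileReadSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$Threshold = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $evt = $_
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Hour = $evt.TimeCreated.ToString('yyyy-MM-dd HH:00')
            User = $d['SubjectUserName']
            File = $d['ObjectName']
        }
      } |
      Group-Object Hour, User |
      ForEach-Object {
        [pscustomobject]@{
            Window        = $_.Name
            DistinctFiles = @($_.Group.File | Sort-Object -Unique).Count
        }
      } |
      Where-Object { $_.DistinctFiles -ge $Threshold }
}

Get-FileReadSummary
```

Tune `$Threshold` against a normal working day for the application first, since routine use of the app will also generate read events.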
Bassman60 (Author) Commented:
Thank you all for your help. I'm comfortable telling the owner that there is no technical solution to this. He's going to have to do what he has to do.

Sometimes I hate this business.
Rich Rumble (Security Samurai) Commented:
Indeed, but if you're looking for possible legal evidence SpectorPro will log anything and everything you'd need for prosecution and/or disciplinary action should that be an option... It remains hidden from the OS quite well.

Bassman60 (Author) Commented:
You're right Rich. A record of internet activity and a log of the amount of time that activity has eaten up would also be of value. The problem is that a lawyer would have to sift through it at $250/hr.

I'm not sure how this works. I'm supposed to accept an answer so that someone gets points. However, every answer has helped me think through this issue and the "right" answer doesn't really exist.
Rich Rumble (Security Samurai) Commented:
The first answer you accept is the official accepted answer, the others you accept after that are assisted, the points are distributed between the posters.
If you wanted to save some money, sift through the data first and show it to the lawyer once you've compiled the evidence, keep all the original data intact also.