Setting up a honeypot to test a staff member for trustworthiness

I have been tasked with setting up a honeypot to test whether a particular member of staff is stealing company data. This staff member has been warned before and has admitted he has stolen data in the past.

The manager has given him a second chance but still feels he is taking advantage of his position to access and make copies of the data for himself.

He has asked me to set up a file containing fake information, and then he wants me to monitor said file for suspicious activity.

Does anyone have any advice on how I can technically achieve this?
Do you have share file auditing?
User login auditing?
SNMP/snmptrap. Evntwin maps event log events to snmptrap
Event log forwarding?
Copier auditing?
Trace log on document management system
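One way to implement the file-share auditing and event-log checks listed above, as an added example that is not from the thread. It assumes Windows, an elevated PowerShell session, and a placeholder decoy path; the decoy file itself, the audit subcategory name and the 4663 event fields are real, the path and retention window are assumptions.

```powershell
# Added example, not from the thread. Assumes Windows, an elevated PowerShell
# session, and a placeholder decoy path; forward the Security log to a
# collector separately so the events survive if the workstation is wiped.
$DecoyPath = 'D:\Finance\Q3-forecast-DRAFT.xlsx'   # placeholder decoy file

# 1. Turn on the "File System" audit subcategory (success and failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so any read, copy, change or delete of the decoy is logged.
$acl  = Get-Acl -Path $DecoyPath -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
            -ArgumentList 'Everyone', 'ReadData,ReadAttributes,WriteData,Delete', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $DecoyPath -AclObject $acl

# 3. Report who opened the decoy: event 4663 carries the account, process and rights.
function Get-DecoyAccess {
    param([string]$Path, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -eq $Path) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Access  = $data.AccessMask
            }
        }
    }
}

Get-DecoyAccess -Path $DecoyPath | Format-Table -AutoSize
```

Every handle open produces its own event, so a single Explorer copy yields several rows; the useful signal is the account and process name, and the log shows access, not exfiltration.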

btan, Exec Consultant, commented:
Delivery means of "s/w" may include via email, thumbdrive or mobile apps / media. Or even surveillance on top of just the "tampered" file. Also explore the usual central change mgmt system update rollout at company level and target the staff-issued assets (including mobile smartphone - not personal ones). The use case can then be the usual regular updates sent out by central helpdesk on regime patches centrally... But do test out the "s/w" with the AV as it may be alerted as a suspicious or anomalous threat since the "s/w" is configured to monitor activities inside these tracked assets on their usage. It is analogous to a rootkit or malicious software infecting the machine. Likely have to include an AV exception to whitelist the "s/w" after verification...

Nonetheless, the email, network and file server checks for data leakage and login attempts by the staff should be considered too since those are the potential areas storing the company "gold" and the means to exfiltrate "secrets"... As for "s/w" - you can check out iSpy (for surveillance), SpyAgent and NetVizor (for asset and usage monitoring). The staff will likely not lower his guard and be savvy on his asset too, so the "s/w" needs to be really stealthy...

But do see the note (pdf):

The Electronic Communications Privacy Act ("ECPA"): The ECPA prohibits
the interception of wire, oral or electronic communication without consent, but
does not generally apply to an employer's monitoring of its own e-mail or phone
Personally I would just forget about a "honeypot" trap targeting this single employee and instead just enable stringent monitoring on ALL employees until the bad one is caught.

A lot depends on whether the original warning came after a rock-solid case that would have stood up in a court or appeal tribunal (e.g. using qualified forensic analysis). Many people facing dismissal can be cajoled into making an admission in order to keep their job, or may admit to something they did not do for fear of losing their livelihood, just the same as innocent people will sometimes take a plea bargain to a lesser crime in a criminal court because being found guilty of the more serious crime would mean a worse sentence.

An admission means nothing if the underlying evidence would never have been sufficient to prove the case had it been argued.

If the original investigation was NOT one that could have stood up in court and if the employee does steal further data after being singled out for monitoring, he or she may be able to claim that data theft by other employees is systemic and ongoing and may thus be able to create enough wriggle room to claim that he or she was unfairly singled out. The last thing you would want is a fired employee winning an unfair dismissal claim.

Ideally you want consistent and indiscriminate monitoring of all employees (including management) to trap one rogue employee out of the remaining honest and good employees. If any other employees are trapped in the net, then that would just be their tough luck.

I have seen a car theft case being lost on appeal when it was shown that an unlocked "bait car" was deliberately left right outside the car thief's door, thus targeting him in isolation.  Ridiculous I know, but had the juicy trap been left in a more public place, the case would probably never have been appealed.

Does anybody in authority know WHY the employee is stealing the data and HOW it is being used?

If it is being published somewhere by the employee where it is accessible to others, then I could see how it may be useful to create uniquely bogus information, statistics, or other data, and then monitor the employee's publications for this unique and false information appearing, but that may not be conclusive proof in itself though.

Just some of my thoughts from an evidential point of view that is based in criminal activity rather than in employer-employee relations.

btan, Exec Consultant, commented:
If it is a clear-cut case of behaviour abuses and the staff is still allowed to continue on the job then this is the risk, which I doubt is the case or even a company HR policy. Henceforth, it is likely to be the case of a minor charge (and probably in view of staff contribution); if the second chance is allowed then monitoring will not bode well on the employer end - furthermore we need to ask ourselves if this is a consistent treatment for all such cases and whether it is made known privately only to the staff or to all. It does make a difference to the message sent across to everyone including mgmt. and not just to the staff of concern.

Of course, we are not talking about public shaming and preaching just proper usage, but the annual regime for the acceptable usage policy is an essential reminder at large, and specific role/involvement of staff in a job function for a project needs to have another AUP catered to it - for the case of awareness of abuses of special privileges in such involvement. An insider threat programme should be planned rather than a one-off, target-employee-by-employee, ad hoc or on-demand basis.

Privacy protection needs to stay in course with incident handling such that company reputation will not be at stake. There are cases of leaking of company IP via staff inadvertently, and cases where staff were simply too reckless and were spied on by an adversary. Eventually the evidence trail leading to the chain of events needs to be investigated, and having those monitoring efforts may rather be collective than a single one-off deployment. It needs to be planned out carefully and supported by mgmt. - safeguard yourself from unnecessary accusation too on the action to be taken. Chain of custody is a need and not a want.

Instead of "spying", maybe think instead of reviewing the staff's usage and privileges, or a change of role function if he remains in the company for a period of "restriction" to prove the staff's integrity before admitting him into any strategic involvement. Otherwise, strict messaging such as that any abuses and unauthorized action should not be tolerated needs a strong message to everyone - no second chance is (and will ever be) given - this is not fear instilling but part of discipline and enforcement.
roy_batty, Director, Author, commented:
Thank you Roy
Windows OS