11 Approaches to Employee Data Theft When Someone Leaves

The hotshot developer your company just lost to a competitor could also be your biggest security risk from employee data theft. You shouldn't wait until he's left carrying a 1TB flash drive full of trade secrets to worry about what else may have just walked out the door.

But suppose you need to clean up a mess, or prevent one from occurring after somebody moves on. What steps can you take?

From Irate to Exfiltrate

First, understand what you're stepping into. Employee exfiltration is an underreported problem in network defense. Whether because a former staffer has become disaffected, angry or simply accepting of a better offer elsewhere, there are many ways for a motivated knowledge worker to remove important data. And an IT pro is a special category of knowledge worker for whom data exfiltration is the greatest risk.

Back in 2010, as reported by Network World, DARPA asked researchers to study the ways they could improve detection and defense against network insiders. That program, Cyber Insider Threat (CINDER), attempted to address employee data theft — within military or government facilities. Those DARPA contracts were awarded because insider threats were generally neglected, due in part to a dominant perimeter threat mentality.

Research was well underway when in 2013 Edward Snowden demonstrated the full potential for data exfiltration to any remaining disbelievers.

The takeaway for every system administrator and CSO: If you're only focused on tweaking firewall settings, you may be at risk. Your company's lost data probably won't be published in The Guardian or the The New York Times, and you won't be grilled on "60 Minutes." But you'd be right to sweat it.

Post-Termination Steps

After a termination, there are many steps you could take. The proper course of action will depend upon the employee's access to data, organizational role and, generally, a mature risk assessment framework. Here are a few to point you in the right direction:

1. Today, many employees have company data on their mobile devices. Company-owned or company-managed phones may have remote wipe features, such as through Google Apps. Use these to purge sensitive data.
2. Revocation of encrypted datasets is an approach that, according to TechTarget, allows you to revoke the ex-employee's certificate.
3. Study logs, using tools such as the Ipswitch Log Management Suite, enable you to identify potentially anomalous activity over an extended period of time. The theft may not be recent.
4. Examination of Windows event logs can help identify whether the ex-employee attached USB devices to a company workstation.
5. Catalog all applications accessed by the employee, both on-premises and cloud applications.
6. Working with affected line-of-business managers, identify any sensitive datasets.
7. If the ex-employee had root or sysadmin privileges, wholesale permission schemes and passwords may need to be updated, especially for off-premises resources.
8. Ex-employee-managed workstations (and possibly server instances) should be quarantined for a period of time before returning them to the asset pool.
9. For especially sensitive settings, heightened audit and log monitoring of coworkers for a limited period of time may be called for.
10. For ex-employees who enjoyed privileged access to IT resources, tools such as WhatsUp Gold Configuration Management can identify attempts to relay data to offsite servers or sabotage applications.
11. Know your application risks. Web conferencing tools like WebEx and GoToMeeting, for example, provide the means to share data outside the corporate sandbox.

Match Points

As with other sysadmin duties, you'll have to decide how much effort you should put into mitigating a potential data loss. Knowing which data has been lost and the potential business impact may be just as important as knowing which logs to examine. In the meantime, don't overwhelm yourself with false alarms, and don't underestimate your opponent. These steps can help you even after the employee has left. Best practices have it that you've done much more before the termination event.

You've probably ceded the first few moves to your opponent. A determined adversary's next moves might well include tripwires, sniffers and other mischief — at which point you're going to need even more tools to get things back to normal.