In each of the leaks of the past few years the same basic controls failed. Users had bafflingly broad access to the information, auditing had gaps, and moving large amounts of information out of the secured domain was fairly easy. Leaking was downright easy, and getting caught was far from certain.
I recently took a look at different products meant for file access auditing, to solve the "audit all information usage" part in cases where the information systems cannot be adapted (COTS). There seem to be a surprisingly large number of products with different feature sets and value propositions, some of them with pretty steep prices and highly evolved features.
I got the inspiration to develop my own very simple tool, just to learn new skills and for the heck of it. A few hours of wading through MSDN, nerve-wracking C/C++ programming and tuning, and it's ready. Quality is a bit so-so (there may be at least memory leaks, although I tried to catch them) and I had no accurate specifications, but here it is...
With this application every file access (creation of a low-level file handle) causes an event that is logged to a centralized log management system. I did not implement hashing or collecting the files, because that would probably have a direct impact on desktop performance, but it would be trivial to add as a feature.
Once the information is in the centralized log management system, it is relatively easy to generate, for instance, a weekly report of all file accesses per user. In AD environments one could fetch the manager information, push the data through a good PDF template, and email the reports. As a result, managers would get weekly reports of what their subordinates have accessed.
When awareness of this spreads, it raises the bar for even attempting anything in higher security environments. In the long run the impact on overall security would be more significant than the technical feature itself. Information security tools work best when they have a psychological impact. Absurd but true. It is not always best to crank every technical bolt all the way.
On the other hand, the tool should be limited so that users retain some privacy. At least in lower security environments this is likely to come up, because nowadays employees usually have limited rights to use their employer's computers for their own matters, for instance accessing banking services during the lunch break.
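As an added example (not the author's tool or any code from the original post), here is what the reporting step on the log-management side could look like in Python, with the privacy limitation built in. It assumes the agent emits one syslog-style line per handle creation in the form "<ISO timestamp> user=<DOMAIN\user> op=<op> path=<path>" (an assumed format, not the author's), uses a constructed user-to-manager table in place of the AD manager lookup, drops accesses under a few per-user temp and browser-cache directories so that private use such as web banking does not appear, and groups one week's remaining accesses by manager. All sample events and names are constructed.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed agent line format (an assumption of this example, not the author's format):
#   "<ISO timestamp> user=<DOMAIN\user> op=<op> path=<path>"
EVENT_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) path=(.+)$")

# Per-user profile directories that typically hold browser cache and temp files.
# Accesses there are left out of the report so that e.g. lunch-break web banking
# is not visible to the manager. Extend the list to taste.
PRIVATE_PATH_RE = re.compile(
    r"\\AppData\\Local\\(Temp|Microsoft\\Windows\\(INetCache|Temporary Internet Files))\\",
    re.IGNORECASE,
)

# Constructed sample events, not real data. One is out of the reported week,
# two are private-profile accesses, one is an unparseable line.
SAMPLE_EVENTS = [
    r"2011-03-07T09:12:03 user=CORP\alice op=read path=\\fs01\finance\q1_results.xlsx",
    r"2011-03-07T09:15:41 user=CORP\alice op=write path=C:\Users\alice\AppData\Local\Temp\tmp1.dat",
    r"2011-03-08T12:30:10 user=CORP\bob op=write path=\\fs01\hr\salaries.xlsx",
    r"2011-03-09T17:55:00 user=CORP\bob op=read path=C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\login.html",
    r"2011-03-10T08:01:22 user=CORP\carol op=read path=\\fs01\finance\budget.docx",
    r"2011-03-15T10:00:00 user=CORP\alice op=read path=\\fs01\finance\q2_plan.docx",
    "garbage line that does not parse",
]

# Constructed stand-in for looking up each user's manager attribute in AD.
MANAGERS = {
    r"CORP\alice": r"CORP\dave",
    r"CORP\bob": r"CORP\erin",
    r"CORP\carol": r"CORP\dave",
}

# First day of the week the sample report covers (constructed).
WEEK_START = date(2011, 3, 7)


def parse_event(line):
    """Return (timestamp, user, op, path) or None for a line that does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def is_private_path(path):
    """True if the path lies in one of the excluded per-user cache/temp directories."""
    return PRIVATE_PATH_RE.search(path) is not None


def build_weekly_report(lines, managers, week_start):
    """Group one week's non-private accesses as {manager: {user: [(ts, op, path), ...]}}."""
    start = datetime.combine(week_start, datetime.min.time())
    end = start + timedelta(days=7)
    report = defaultdict(lambda: defaultdict(list))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line; a real pipeline would count these
        ts, user, op, path = ev
        if not (start <= ts < end) or is_private_path(path):
            continue
        manager = managers.get(user, "(no manager on record)")
        report[manager][user].append((ts, op, path))
    # Plain dicts, accesses in time order, ready for a PDF template or e-mail.
    return {mgr: {u: sorted(acc) for u, acc in users.items()} for mgr, users in report.items()}


def format_report(report, week_start):
    """Render the grouped report as plain text, one section per manager."""
    out = []
    for manager in sorted(report):
        out.append("Report for %s, week of %s" % (manager, week_start.isoformat()))
        for user in sorted(report[manager]):
            out.append("  %s (%d accesses)" % (user, len(report[manager][user])))
            for ts, op, path in report[manager][user]:
                out.append("    %s %-5s %s" % (ts.isoformat(), op, path))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(build_weekly_report(SAMPLE_EVENTS, MANAGERS, WEEK_START), WEEK_START))
```

The exclusion list is deliberately a denylist of well-known profile subdirectories rather than "everything under C:\Users", because documents that a user drags from a share into their own profile are exactly what such a report should still show.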
I would appreciate comments, code review, bug and feature reports, etc!