Title of invention: Removable drive security monitoring method and system
Abstract: A method of detecting the unauthorized use of removable storage drives to obtain data from a computer network. An automated software process periodically polls the various logical disks in a computer or computer network for removable data drives, determines which are high risk removable data drives, and monitors these removable drives every few seconds. The process checks for security problems by file name, or mismatch in privileges, or suspicious file write, copy or copy-delete patterns of usage. If a preset risk threshold is exceeded, the system then alerts system administrators. In a preferred embodiment, the method may be implemented on network administration systems such as Windows Management Instrumentation (WMI) using default scripting or process tools such as VBScript.
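Publication number: US8978151(B1) Publication date: 2015.03.10
Application number: US201213593449 Application date: 2012.08.23
Applicant: Inventor: Chamberlain Craig
Classification: G06F7/04 Main classification: G06F7/04
Agency: Agent: Zweig Stephen E.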
Main claim: 1. A method of detecting unauthorized use of removable storage drives to obtain data from a computer or computer network, said method comprising: initiating an automated software script or process to periodically poll various logical disks in a computer or computer network for removable data drives, thereby creating a list of removable data drives; wherein said software script or process periodically polls said various logical disks at least every 10 seconds; determining which removable data drives on said list of removable data drives are high risk data drives, thereby creating a list of high risk removable data drives; monitoring the file activity on at least one of said high risk removable data drives; determining if a file name, mismatch in expected file usage, or a pattern of file activity on said at least one of said high risk removable data drive matches exceeds a preset risk threshold; and if said preset risk threshold is exceed, executing a preset suspicious activity function.
Address:
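
The polling and scoring flow described in the abstract and claim 1, sketched as an added example (not code from the patent or its author). It runs one polling pass over a constructed `Win32_LogicalDisk`-style snapshot; the approved-serial criterion for "high risk", the weights, the name list and the threshold are all assumptions, since the record names the checks but gives no values.

```python
DRIVE_TYPE_REMOVABLE = 2  # Win32_LogicalDisk.DriveType value for a removable disk

# Assumed values: the patent names these checks but gives no weights or threshold.
WEIGHTS = {"name": 40, "privilege": 30, "copy_delete": 50, "bulk_write": 20}
SUSPICIOUS_NAME_PARTS = ("payroll", "password", "customer")
BULK_WRITE_COUNT = 3
RISK_THRESHOLD = 60

def high_risk_drives(disks, approved_serials):
    """Removable drives whose volume serial is not pre-approved (assumed criterion)."""
    return [d["DeviceID"] for d in disks
            if d["DriveType"] == DRIVE_TYPE_REMOVABLE
            and d["VolumeSerialNumber"] not in approved_serials]

def score_events(events):
    """Score one drive's file activity; each (check, file) finding counts once."""
    findings, copied, writes = set(), set(), 0
    for ev in events:
        name = ev["name"].lower()
        if any(part in name for part in SUSPICIOUS_NAME_PARTS):
            findings.add(("name", name))
        if ev["restricted"] and not ev["privileged_user"]:
            findings.add(("privilege", name))  # mismatch in privileges
        if ev["op"] == "copy":
            copied.add(name)
        elif ev["op"] == "delete" and name in copied:
            findings.add(("copy_delete", name))  # copied to the drive, then deleted
        elif ev["op"] == "write":
            writes += 1
    if writes >= BULK_WRITE_COUNT:
        findings.add(("bulk_write", "*"))
    return sum(WEIGHTS[check] for check, _ in findings), sorted(findings)

def poll_once(disks, approved_serials, events_by_drive):
    """One polling pass: (drive, score, findings) for each drive over the threshold."""
    alerts = []
    for drive in high_risk_drives(disks, approved_serials):
        score, findings = score_events(events_by_drive.get(drive, []))
        if score > RISK_THRESHOLD:
            alerts.append((drive, score, findings))
    return alerts

# Constructed sample snapshot and file events (not real data).
DISKS = [{"DeviceID": "C:", "DriveType": 3, "VolumeSerialNumber": "0A0A0A0A"},
         {"DeviceID": "E:", "DriveType": 2, "VolumeSerialNumber": "A1B2C3D4"},
         {"DeviceID": "F:", "DriveType": 2, "VolumeSerialNumber": "5E6F7A8B"}]
EVENTS = {"F:": [
    {"op": "copy", "name": "Q3_payroll.xlsx", "restricted": True, "privileged_user": False},
    {"op": "delete", "name": "Q3_payroll.xlsx", "restricted": True, "privileged_user": False}]}
```

A scheduler would call `poll_once` on each polling interval (claim 1 requires at least every 10 seconds) and pass any returned alerts to the preset suspicious activity function.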