Announcement

Collapse
No announcement yet.

User Monitoring -- Does it improve security?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • User Monitoring -- Does it improve security?

    url1: SecTor's wireless wall of shame an eye opener (Toronto -- Sean Michael Kerner on October 6, 2009 2:58 PM)

    Originally posted by url1
    ... e-sentire explained to me that his company wrote its own application to sniff the traffic. As opposed to Black Hat / DefCon where the the Wall of Sheep sniffed only unencrypted traffic
    ...
    The other problem is that to the best of my knowledge there was no disclaimer when you get on the open WiFi network, or even in the show guide, that the network was being monitored for a wall of shame. That doesn't right right or fair to me.
    ...
    url2: Get Smart About Monitoring Employees (Chris Minnick 9/21/2009)

    Originally posted by url2
    ... Legally speaking, employers have the right to monitor employee computer activities without their knowledge. It’s a good idea for companies to specify in the employee handbook that they may do this -- even if they actually don’t. ...
    url3: New state law sets rules for teacher-student communication(Houma Louisiana -- Daniel McBride , September 29, 2009 at 12:00 p.m.)

    Originally posted by url3
    “The goal of this bill is to make sure there’s a monitoring of personal electronic equipment,” said state Rep. Frank Hoffmann, R-West Monroe, who wrote the bill.

    Specifically, the law requires that school employees who electronically communicate with that school’s students about education must use a school-provided communication system, which can only be

    used for education-related communication.

    Any communication between school employees and students outside the school-provided system must be reported by the employee and logged by the school board.
    It seems there are 3 common arguments used to persuade people to consider monitoring people:
    1) Improve security: For example: limit exposure to sensitive information being leaked to unauthorized sources and when it happens, increase the chances that it will be logged. Another Example: find weak authentication credentials or protocols. More example.
    2) "For the children": Invade privacy to stop kids from being harmed.
    3) Productivity assessment

    There are more arguments proposed, but the above examples seem to appear to most.

    Let's consider these one by one.

    "Improve security." This is often the argument, but when implemented, how often is this the sole use of the system? Additionally, simple monitoring does nothing to improve security. Only action taken as a result of considering what problems exist as a result of analysis of monitored content have a chance to improve security.

    "For the children": In the above example from url3, there is an interest in monitoring electronic communication between students and teachers. Why? Does the school not trust the teacher? If they can't trust a teacher to behave with students while working *electronically* with children, then why do they allow the teacher to interact with them *physically"? Maybe this is part of security as the schools wants to limit their liability or exposure.

    Lastly, "productivity": Why? It seems to me that there is an attempt to use the technology to try to solve a social problem. Taking away someone's Internet because you monitored them checking stocks or email. If you can't trust your employees to actually work when you pay them to work, why are they your employees? Get rid of the dead weight and get people that will work when you pay them.

    Where is the improvement to security when monitoring public users or employees?

    What about "public and free access points? Is it legal to monitor users and take their saved credentials without notifying them? And if their credentials unlock access to IP or copyrighted content, could the DMCA apply in some way? (We know it could be abused.)
    Last edited by TheCotMan; October 6, 2009, 18:04.

  • #2
    Re: User Monitoring -- Does it improve security?

    Originally posted by TheCotMan View Post
    (many interesting things about monitoring and security)
    There's another issue here, which is tangentially related to security, and is often a reason for monitoring. We even saw a long (and interminable) thread on the problem, which is that monitoring is often related to legal issues.

    Most of my experience with monitoring has had more to do with documenting malfeasance or inappropriate behavior than with any interest in productivity.

    When (non-technical) employees first discovered the internet, we even had a vendor in who swore that we needed the fancy blocking software they were offering to keep everyone out of the porn sites. I assured him that the geeky engineer types I knew had no interest in porn, and set up a monitoring system for a week to demonstrate (and keep the higher ups from installing such a stupid tool). Yep, you guessed it. Financial sites, sports sites, slashdot, yahoo search (this was long before google), babelfish, but no porn. None. Saved us a ton of money.

    In general, the fourth issue (monitoring for documentation purposes rather than for productivity) turns out to be essential for most large companies. You can't say that someone has violated policy if everyone is doing something, and you can't fire someone for going to forbidden sites unless you have logs of dates and times that show a deliberate pattern (not just an accident due to clicking on the wrong link).

    In reference to the idea that this improves security in general, there are some points in favor of this. Most notably, once a bad site is identified as containing malware, it can be blocked at the firewall. Unusual traffic to or from an internal machine may be evidence of an infection, and only monitoring is going to show what is usual so that <b>unusual</b> becomes meaningful.

    Interesting question. I may return to this later today (but I need more coffee first).

    Comment


    • #3
      Re: User Monitoring -- Does it improve security?

      I can only talk on the small scale in which we deal with at our work, but monitoring only seems to do something at the end of an event. (Unless its a malware site that has not already been blocked, the firewall then flags it and blocks it) We block and log site views, but we only run the reports when an IA comes up or a supervisor wants to check to see what their employees are doing. This has caused problems in my department (IT) as the technicians often go to great lengths to bypass this filter and not have their web usage log, more recently our deputies have figured out ways to bypass the filter and they are viewing infected sites and causing malware breakouts.

      I think monitoring and blocking serves a good purpose, but only to the point till users try their hardest to break the system. Some of the stuff that is blocked can run to be pretty stupid (Sourceforge was blocked till I whitelisted it) and often leading people to wonder why its there. In our case, we have employees going to great lengths to break the rules in order to visit (somewhat) trivial sites. (flickr is another one)


      Public wifi is a whole different beast. I think that wifi providers need to block and monitor web traffic, but at the same time, not be too invasive of what they are logging. I think if a child pornographer is using a public wifi and the police get involved, it would be nice to have a log to prove that a)yes someone did it from here and b)no, we are not a child pornography ring. Holding onto credentials is a sketchy thing, and I think public wifi operators should warn their users that they do this in plain English instead of the usual EULA that you get, say in a hotel. It should be plain and simple notification:

      1)We log all internet activitiy
      2)We hold an encrypted log of authentication requests
      3)?????
      4)profit.
      "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."

      Comment


      • #4
        Re: User Monitoring -- Does it improve security?

        I've never personally heard of employee monitoring as improving security. That sounds more like Sales Strumpet Spiel than anything based in reality. I log all internet activity, but I do not actively monitor it for what's going on. Only if I see an issue or a manager comes to me do I start to go through the logs to see what happened.

        I guess places with a much larger staff could spend time actively monitoring, but I just don't have the time. I did inadvertently catch someone one night watching porn in his office, but I only caught that because I was watching the syslog of the router and saw a whole bunch of sites coming across it when they're shouldn't have been much of any traffic.

        I do agree that the employee productivity is more of a personnel issue than anything else, and most of the time monitoring is turned into a 'which' hunt. Meaning, which employee don't we like and catch doing something wrong. Most of the issues I've experienced in things like this I've always plainly said that it sounds like a personnel issue and the manager should be dealing with it instead of expecting to find a technology solution.
        A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

        Comment


        • #5
          Re: User Monitoring -- Does it improve security?

          I did see a study that said something along the lines of that unhappy workers were more productive workers, so maybe there is something to it.
          - Null Space Labs

          Comment


          • #6
            Re: User Monitoring -- Does it improve security?

            The topic and responses are timely and informative. I have a great interest in this due to a new project.

            FWIW, my thoughts/opinions:

            In response to Cotman's comments:

            *"Monitoring" does not improve "security" persay as it catches/sequesters questionable behavior after the fact. Like, the horses are already out of the barn. It does, however, as pointed out by Shrdlu, provide referential data to block access to unwanted sites at the firewall, monitor "unusual" and provides for documentation of repeated naughty behavior on the part of a user. Useful in potential "unlawful termination" suits.

            *If I were a parent I would be uncomfortable with direct, electronic, private bi-directional communication between my child and their teacher(s). It is difficult enough finding out what is being communicated in the classroom until after the fact. Having said that, perhaps parents of these students should think twice about providing devices that allow for these types of communications to their spawn. This is a sticky wicket and will become even stickier.

            *In agreement with g3k, all companies should advise their employees that their access to ANYTHING may be monitored. It is the employer's network. They may do with it what they wish. If the employee believes that their privacy is being violated then perhaps they should quit their job, collect unemployment and sit around placing bets in the racing pool and checking out Audrina Patridge's latest skanky near nude photos -- On internet access they pay for themselves.

            *While it may or may not be legal to snag credentials from an "open" network, it is morally and ethically wrong to not advise people upfront that this may happen even if they are too stupid so as to ignore the warning. Again, I agree with g3k. Make it simple so the stupid can simply see it.

            *Caveat emptor. I hope that I am not so arrogant as to believe I can do whatever I wish on a client or public network without potentially being held liable for that activity. That, I believe, is called insanity. Let the user beware. If I want to pay my bills and check out /. or defcon forums during my lunch hour, I will ask my supervisor.

            *To both Cotman's and streaker69's productivity comments: In certain circumstances monitoring for "productivity" is an element of a business silo charter. For instance, Customer Service or Tech Support. Other silos are a bit cloudy.

            Summing this up, I affirm that user monitoring in many business cases can be sound and effective if the following are solidly nailed down:

            *why (and the wholesale statement "to improve security" without specific goals stated does not cut it)
            *who is to be monitored?
            *what is/are the objective(s) to this monitoring?
            *when shall the data collected and in what manner shall the data collected be provided to the business silo manager?
            *where shall the monitoring take place? Firewall? Routers? Applications? Desktop? Aggregation engine?
            *How shall the organization as a whole proceed with this data? If a user is found to be in violation of company policy, what are the steps to correct the behavior or terminate the employee?

            Which leads to policy and procedures, which I have found severely lacking in most companies who have deployed employee monitoring devices/software/features/blah. Without specific guidelines on how this type of monitoring is used, it is open to abuse as noted by streaker69.

            Sorry for the short novel y'all. Thanks for allowing me to rant.

            Regards,

            valkyrie
            _______________________________________
            sapere aude

            Comment


            • #7
              Re: User Monitoring -- Does it improve security?

              Most responses to this thread from what I've seen are right on the head. Monitoring to improve security is bullshit, period, I don't think this crowd requires a detailed and long winded explanation as to why. However, monitoring to accomplish a well defined end is usually needed, and productivity is a prime example. If I were interested in leaking your companies trade secrets, or visiting my favorite pr0n site, or even attempting to socially interact with an employee, in an appropriate manner or not, I'm sure as hell not gong to do it on your network. Now if I worked for you, and was going to slack off on the clock, browsing my email, checking stocks, shopping, etc. yeah, I'd probably do it on your badwidth, why not? I'm doing it on your time, right?

              If this were a consistent case of these kinds of activities, and I were in the boss' chair, I'd not just want that dead weight cut, I'd need it cut in order to keep things running. Productivity data is really the only thing that monitoring is worth gathering in the real world from my own experience. Identifying and closing security holes is what audits are there for. Identifying and ceasing harassment or potential harm is what human resources is there for. Just my 2ยข in the pot.
              "You have cubed asscheeks?"... "Do you not?"

              Comment


              • #8
                Re: User Monitoring -- Does it improve security?

                As far as Monitoring gos at my co i don't! of course i keep logs and go through them periodically I know my employees and i have them trained in proper use of computers @ work + i just block the sites at the firewall and keep the shit updated... The first step in security is the end user

                Comment


                • #9
                  Re: User Monitoring -- Does it improve security?

                  I have also "heard" of companies that monitor the wifi traffic because they have competitors that are also customers. It's amazing what people will view on a competitors work site.

                  Be careful when using a competitors wifi, because it may be monitored. It's not a great idea to view proprietary information when on a competitor's site.

                  Comment


                  • #10
                    Re: User Monitoring -- Does it improve security?

                    Originally posted by heisenbug View Post
                    I have also "heard" of companies that monitor the wifi traffic because they have competitors that are also customers. It's amazing what people will view on a competitors work site.

                    Be careful when using a competitors wifi, because it may be monitored. It's not a great idea to view proprietary information when on a competitor's site.
                    It is best to assume that anytime you're on a network that it is being monitored.
                    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                    Comment


                    • #11
                      Re: User Monitoring -- Does it improve security?

                      This may be somewhat of a necro? Apolojize if it (last reply 1-7 so not that bad), but how about monitoring in the case of a "whistle blower" alerting managment "or the authorities that be" that some sort of nefarious behaviour is taking place. I think that case by case stringently reviewed approvals along with "group productivity audits" are good (as stated above). But otherwise, even if it does increase security to some marginal degree, it is not worth the loss of trust and reciprocal respect dynamic that would likly disappear after such a policy was enacted.
                      OpenBSD for the functional paranoid... Live only kernels for the nonfunctional one

                      Comment


                      • #12
                        Re: User Monitoring -- Does it improve security?

                        Well, its an enterprises network, they dont have to have a user agreement or give warnings of any kind, as long as your on their computer, your suseptible to any monitoring they desire.

                        Comment


                        • #13
                          Re: User Monitoring -- Does it improve security?

                          Originally posted by Fallenour View Post
                          Well, its an enterprises network, they dont have to have a user agreement or give warnings of any kind, as long as your on their computer, your suseptible to any monitoring they desire.
                          It is actually common practice to inform employees that monitoring is taking place. Same as putting a sign up that there are video surveillance cameras in place. It's a way for a company to protect themselves from potential lawsuits regarding an employee thinking they had an expectation of privacy when in reality they did not.

                          HR normally supports having such notices in place, and IT should support it as well as it is good for covering their own butts when someone questions why something was monitored.
                          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                          Comment

                          Working...
                          X