Re: User Monitoring -- Does it improve security?

There's another issue here, which is tangentially related to security, and is often a reason for monitoring. We even saw a long (and interminable) thread on the problem, which is that monitoring is often related to legal issues.

Most of my experience with monitoring has had more to do with documenting malfeasance or inappropriate behavior than with any interest in productivity.

When (non-technical) employees first discovered the internet, we even had a vendor in who swore that we needed the fancy blocking software they were offering to keep everyone out of the porn sites. I assured him that the geeky engineer types I knew had no interest in porn, and set up a monitoring system for a week to demonstrate (and keep the higher ups from installing such a stupid tool). Yep, you guessed it. Financial sites, sports sites, slashdot, yahoo search (this was long before google), babelfish, but no porn. None. Saved us a ton of money.

In general, the fourth issue (monitoring for documentation purposes rather than for productivity) turns out to be essential for most large companies. You can't say that someone has violated policy if everyone is doing something, and you can't fire someone for going to forbidden sites unless you have logs of dates and times that show a deliberate pattern (not just an accident due to clicking on the wrong link).

In reference to the idea that this improves security in general, there are some points in favor of this. Most notably, once a bad site is identified as containing malware, it can be blocked at the firewall. Unusual traffic to or from an internal machine may be evidence of an infection, and only monitoring is going to show what is usual so that <b>unusual</b> becomes meaningful.

Interesting question. I may return to this later today (but I need more coffee first).

Re: User Monitoring -- Does it improve security?

I can only talk on the small scale in which we deal with at our work, but monitoring only seems to do something at the end of an event. (Unless its a malware site that has not already been blocked, the firewall then flags it and blocks it) We block and log site views, but we only run the reports when an IA comes up or a supervisor wants to check to see what their employees are doing. This has caused problems in my department (IT) as the technicians often go to great lengths to bypass this filter and not have their web usage log, more recently our deputies have figured out ways to bypass the filter and they are viewing infected sites and causing malware breakouts.

I think monitoring and blocking serves a good purpose, but only to the point till users try their hardest to break the system. Some of the stuff that is blocked can run to be pretty stupid (Sourceforge was blocked till I whitelisted it) and often leading people to wonder why its there. In our case, we have employees going to great lengths to break the rules in order to visit (somewhat) trivial sites. (flickr is another one)


Public wifi is a whole different beast. I think that wifi providers need to block and monitor web traffic, but at the same time, not be too invasive of what they are logging. I think if a child pornographer is using a public wifi and the police get involved, it would be nice to have a log to prove that a)yes someone did it from here and b)no, we are not a child pornography ring. Holding onto credentials is a sketchy thing, and I think public wifi operators should warn their users that they do this in plain English instead of the usual EULA that you get, say in a hotel. It should be plain and simple notification:

1)We log all internet activitiy
2)We hold an encrypted log of authentication requests
3)?????
4)profit.

Re: User Monitoring -- Does it improve security?

I've never personally heard of employee monitoring as improving security. That sounds more like Sales Strumpet Spiel than anything based in reality. I log all internet activity, but I do not actively monitor it for what's going on. Only if I see an issue or a manager comes to me do I start to go through the logs to see what happened.

I guess places with a much larger staff could spend time actively monitoring, but I just don't have the time. I did inadvertently catch someone one night watching porn in his office, but I only caught that because I was watching the syslog of the router and saw a whole bunch of sites coming across it when they're shouldn't have been much of any traffic.

I do agree that the employee productivity is more of a personnel issue than anything else, and most of the time monitoring is turned into a 'which' hunt. Meaning, which employee don't we like and catch doing something wrong. Most of the issues I've experienced in things like this I've always plainly said that it sounds like a personnel issue and the manager should be dealing with it instead of expecting to find a technology solution.

Re: User Monitoring -- Does it improve security?

I did see a study that said something along the lines of that unhappy workers were more productive workers, so maybe there is something to it.

Re: User Monitoring -- Does it improve security?

The topic and responses are timely and informative. I have a great interest in this due to a new project.

FWIW, my thoughts/opinions:

In response to Cotman's comments:

*"Monitoring" does not improve "security" persay as it catches/sequesters questionable behavior after the fact. Like, the horses are already out of the barn. It does, however, as pointed out by Shrdlu, provide referential data to block access to unwanted sites at the firewall, monitor "unusual" and provides for documentation of repeated naughty behavior on the part of a user. Useful in potential "unlawful termination" suits.

*If I were a parent I would be uncomfortable with direct, electronic, private bi-directional communication between my child and their teacher(s). It is difficult enough finding out what is being communicated in the classroom until after the fact. Having said that, perhaps parents of these students should think twice about providing devices that allow for these types of communications to their spawn. This is a sticky wicket and will become even stickier.

*In agreement with g3k, all companies should advise their employees that their access to ANYTHING may be monitored. It is the employer's network. They may do with it what they wish. If the employee believes that their privacy is being violated then perhaps they should quit their job, collect unemployment and sit around placing bets in the racing pool and checking out Audrina Patridge's latest skanky near nude photos -- On internet access they pay for themselves.

*While it may or may not be legal to snag credentials from an "open" network, it is morally and ethically wrong to not advise people upfront that this may happen even if they are too stupid so as to ignore the warning. Again, I agree with g3k. Make it simple so the stupid can simply see it.

*Caveat emptor. I hope that I am not so arrogant as to believe I can do whatever I wish on a client or public network without potentially being held liable for that activity. That, I believe, is called insanity. Let the user beware. If I want to pay my bills and check out /. or defcon forums during my lunch hour, I will ask my supervisor.

*To both Cotman's and streaker69's productivity comments: In certain circumstances monitoring for "productivity" is an element of a business silo charter. For instance, Customer Service or Tech Support. Other silos are a bit cloudy.

Summing this up, I affirm that user monitoring in many business cases can be sound and effective if the following are solidly nailed down:

*why (and the wholesale statement "to improve security" without specific goals stated does not cut it)
*who is to be monitored?
*what is/are the objective(s) to this monitoring?
*when shall the data collected and in what manner shall the data collected be provided to the business silo manager?
*where shall the monitoring take place? Firewall? Routers? Applications? Desktop? Aggregation engine?
*How shall the organization as a whole proceed with this data? If a user is found to be in violation of company policy, what are the steps to correct the behavior or terminate the employee?

Which leads to policy and procedures, which I have found severely lacking in most companies who have deployed employee monitoring devices/software/features/blah. Without specific guidelines on how this type of monitoring is used, it is open to abuse as noted by streaker69.

Sorry for the short novel y'all. Thanks for allowing me to rant.

Regards,

valkyrie
_______________________________________
sapere aude

Re: User Monitoring -- Does it improve security?

Most responses to this thread from what I've seen are right on the head. Monitoring to improve security is bullshit, period, I don't think this crowd requires a detailed and long winded explanation as to why. However, monitoring to accomplish a well defined end is usually needed, and productivity is a prime example. If I were interested in leaking your companies trade secrets, or visiting my favorite pr0n site, or even attempting to socially interact with an employee, in an appropriate manner or not, I'm sure as hell not gong to do it on your network. Now if I worked for you, and was going to slack off on the clock, browsing my email, checking stocks, shopping, etc. yeah, I'd probably do it on your badwidth, why not? I'm doing it on your time, right?

If this were a consistent case of these kinds of activities, and I were in the boss' chair, I'd not just want that dead weight cut, I'd need it cut in order to keep things running. Productivity data is really the only thing that monitoring is worth gathering in the real world from my own experience. Identifying and closing security holes is what audits are there for. Identifying and ceasing harassment or potential harm is what human resources is there for. Just my 2¢ in the pot.

Re: User Monitoring -- Does it improve security?

As far as Monitoring gos at my co i don't! of course i keep logs and go through them periodically I know my employees and i have them trained in proper use of computers @ work + i just block the sites at the firewall and keep the shit updated... The first step in security is the end user

Re: User Monitoring -- Does it improve security?

I have also "heard" of companies that monitor the wifi traffic because they have competitors that are also customers. It's amazing what people will view on a competitors work site.

Be careful when using a competitors wifi, because it may be monitored. It's not a great idea to view proprietary information when on a competitor's site.

Re: User Monitoring -- Does it improve security?

It is best to assume that anytime you're on a network that it is being monitored.

Re: User Monitoring -- Does it improve security?

This may be somewhat of a necro? Apolojize if it (last reply 1-7 so not that bad), but how about monitoring in the case of a "whistle blower" alerting managment "or the authorities that be" that some sort of nefarious behaviour is taking place. I think that case by case stringently reviewed approvals along with "group productivity audits" are good (as stated above). But otherwise, even if it does increase security to some marginal degree, it is not worth the loss of trust and reciprocal respect dynamic that would likly disappear after such a policy was enacted.

Re: User Monitoring -- Does it improve security?

Well, its an enterprises network, they dont have to have a user agreement or give warnings of any kind, as long as your on their computer, your suseptible to any monitoring they desire.

Re: User Monitoring -- Does it improve security?

It is actually common practice to inform employees that monitoring is taking place. Same as putting a sign up that there are video surveillance cameras in place. It's a way for a company to protect themselves from potential lawsuits regarding an employee thinking they had an expectation of privacy when in reality they did not.

HR normally supports having such notices in place, and IT should support it as well as it is good for covering their own butts when someone questions why something was monitored.