Tuesday, March 6, 2007

Forensic Based Investigations (FBI)

When I read the following article I couldn't resist the urge to refer you to our FBI product http://www.made4biz-security.com/m4bdocprod/D-FBI.html.


Enjoy the reading…


Looking Into What We Can Look Into

C.J. Kelly


March 05, 2007 (Computerworld) I have been asked to investigate an employee who may be violating agency policy regarding computing resources. That sounds straightforward, but this situation has put into sharp relief the difficulty we have in a state agency when it comes to monitoring employees.

I worked for years in the private sector, where things were cut and dried. If IT security got a request from personnel to investigate an employee’s in-house activities, we would do our thing and gather reams of data that we could turn over to personnel. Usually, the employee ended up being escorted from the building shortly thereafter.

We had the tools. We knew what we were doing. We had no hesitation, because we were not violating anyone’s privacy and our job was to protect the company. All employees signed an acceptable-use policy when they were hired, and it was spelled out to them that they would be monitored. Everything was crystal clear.

In the public sector, it sometimes seems as if employees have more rights than is appropriate. They are so protected by state law that management often has its hands tied when confronted with misconduct. Most state agencies do not implement Web filtering or monitor employees’ online behavior. Exceptions exist among agencies that protect the public, like fire and police, but most state agencies seem to assume that employees are on their best behavior. It’s like “don’t ask, don’t tell” for bureaucrats.

So, what can a government entity do when suspicion arises that an employee is misusing network computing resources? In a way, we are put in the position of having to hope for the worst. If someone was suspected of doing something that is patently illegal, such as downloading child pornography, he would be open to criminal investigation. Law enforcement -- in the form of the police, the FBI or the attorney general’s office -- would have to be called in.

But what about an employee who spends work time trading on eBay, chatting via instant messaging, sending and reading personal e-mail or browsing the Internet for hours at a time? What can you do, as a public-sector supervisor, when you suspect that an employee is wasting time with such activities, when the only evidence you have is that he always quickly hides a window on his monitor when you approach? If you don’t have the right to deploy monitoring tools, all you’ve got is suspicion and no hard data to back it up. Without the proper tools, we can’t preserve the chain of evidence in a security investigation.

After laying out our dearth of options to my boss, I told him that we needed to take a close look at the policies of our own agency, of the department the agency belongs to and of the state to see how we can revise our policies to allow for insider investigations. Any revisions would have to avoid conflicts with those existing policies. Assuming we can find enough wriggle room to implement some sort of policy change that would allow us to proceed effectively when employee behavior has to be investigated, the next step would be to define the investigative process we would use. Then we would want to make sure that agency management would sign off on this new policy. Meanwhile, we could look into the technologies that are available for conducting the type of investigations that we hope to pursue.

Legal Ramifications

The technology aspect was easy enough to investigate. As a first step, I called a friend I used to work with in the private sector who handles security investigations. He explained how his current company performs investigations, and he recommended some tools, gave me copies of the forms the company uses and went over the process the company follows.

Going off in a different direction, we came across a recent court opinion (No. 05-30177) from the U.S. Court of Appeals for the Ninth Circuit. The case examined the question of whether an employee should have any expectation of privacy in using his workplace computer. This is a small excerpt from the opinion (emphasis mine):

Thus, given the nature of our constitutional inquiry, we think the California court’s reasoning is compelling. Social norms suggest that employees are not entitled to privacy in the use of workplace computers, which belong to their employers and pose significant dangers in terms of diminished productivity and even employer liability. Thus, in the ordinary case, a workplace computer simply “do[es] not provide the setting for those intimate activities that the [Fourth] Amendment is intended to shelter from government interference or surveillance.” Oliver v. United States, 466 U.S. 170, 179 (1984); see also Muick, 280 F.3d at 743 (“[T]he abuse of access to workplace computers is so common (workers being prone to use them as media of gossip, titillation, and other entertainment and distraction) that reserving a right of inspection is so far from being unreasonable that the failure to do so might well be thought irresponsible.”). Employer monitoring is largely an assumed practice, and thus we think a disseminated computer-use policy is entirely sufficient to defeat any expectation that an employee might nonetheless harbor.

Failing to monitor employee behavior “is so far from being unreasonable that the failure to do so might well be thought irresponsible”? Those words hold huge significance for us. I need to get this information into the hands of the powers that be who can effect a policy change at the state level.

Meanwhile, I am turning to Guidance Software, which produces investigative software called EnCase Enterprise. In fact, I’m giving the company a call tomorrow.
