This is the 132nd article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, DNS, MSPs or printers for the series PM Eric to get started.
Security systems and information products are becoming more difficult to crack as developers pay more attention to security, and as a result the human element becomes the prime target for attackers. End users are the most vulnerable element in information security, as they likely lack formal training and their knowledge of security often boils down to antivirus installed by a PC vendor. Yet, the end user is also the most unavoidable element of the entire process.
Somewhere in there lies the trust between you (and effectively your employer) and the user. Face it, not everyone can be a security expert, and even training doesn't guarantee that users will follow the guidelines. You have to trust them. But what if they violate that trust? What do you do? Do you report them to the employer? How do you prove they’re at fault?
I recently ended up in a scenario like this. I was asked by my boss to provide web activity logs and spy on a user. My employer happened to walk by said user's desk and saw him browsing the web instead of doing his job.
The problem was, until recently, my company didn’t have a written policy for allowed web usage — or any IT policy for that matter. I knew that without a policy in place, any security measures were pointless, so I wrote a complete IT assets usage policy. Rather than enforcing certain restrictions, my boss granted users reasonable usage allowance, trusting they wouldn’t cross the line.
Having a policy in place, I had the power to do all that the boss asked me to. I checked the logs from the proxy server and that user’s web activity. Instantly, I knew it wasn't going to help anybody. The web has changed; it's no longer a single "index.html" file. Each page visit produces tens to sometimes over a hundred requests to the web server. For example, http:/
My boss asked me to print the user’s activity for the last month, and it turned out to be 23 pages. I knew that for my boss it would be enough to fire that employee, but I also knew he might be making a mistake and risking a potential lawsuit. I explained to him that what he had on paper wasn't conclusive at all and that the entire activity could have been generated in probably 2 or 3 hours. I had to get hard proof that the user was violating company policy.
I started with keyloggers, but none of them could be easily deployed silently. They required antivirus exclusions and open ports in the firewall. Some would crash if not running with local administrator privileges, and some wouldn’t run at all if not launched locally. So basically, I would have to ask the user to set the keylogger so I could spy on him. Brilliant...
I had previous experience with keyloggers from my college days, so I knew it was possible, but I was running against the clock and decided to search for different solutions. I knew I had to get either complete keystroke activity or screenshots from the user’s desktop. That’s when I ran across Boztek VNCScan, a tool to remotely manage desktops that happens to allow remote screen capture. Bingo!
I started collecting screenshots, and the following day I had clear proof of what the user was doing. To my surprise, he knew about privacy mode in Firefox, so it was obvious he was trying to cover his tracks. Here are some of the most popular ways users try to bypass security measures:
- Privacy mode in browsers
- Anonymous proxy, such as ninjacloak.com
- VPN or SSH tunnels
The screenshots were all the evidence my boss was looking for, and the user lost his job shortly after that.
To summarize, what do you do when someone violates the trust relationship and you are asked to spy on them?
- CYA. I cannot stress this enough: Have a written policy in place that covers monitoring and states that users should not expect any privacy while using the company's assets. Then run it through your HR department and through your lawyers. Or better yet, have your lawyers write it. In my case, we gave the users some freedom with web usage, but we explicitly stated that all activity is monitored and what's allowed and what's not. Without the policy, you may be setting yourself up for a lawsuit, and that’s never a pleasant experience.
- Start with web activity reports, but don't trust the results. They will most likely be inaccurate and can provide false information that sinks a completely innocent user, unless you own a system that can filter through all the requests and report just the single destination URL. These types of report tools cannot report time spent on web pages; the only thing that can be logged is time spent downloading web resources. I use pfSense with the Squid proxy, SquidGuard, and the Lightsquid reporting tool. Lightsquid can also show real-time activity, but it's not really practical unless you have time to sit and watch it for hours. Another reporting tool available for pfSense is SARG. Other popular firewall/proxy systems are Untangle and Smoothwall. You are also free to build one yourself on top of your favorite Linux or BSD flavor. Note: This is ineffective against proxy servers and tunnels. While you can block anonymous proxy servers, tunnels present bigger problems.
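To show why a raw request count misleads, here is an added example (not from the article or from the Squid project) that collapses Squid native-format access.log lines into per-site visits: only successful text/html responses count as pages, repeated hits to the same host within a quiet-time gap merge into one visit, and the reported span is a lower bound on time spent, not a measurement of it. The log lines and the 10-minute gap are constructed assumptions.

```python
"""Collapse a Squid native-format access.log into per-site visits.

Assumes the default Squid log fields: time, elapsed ms, client,
code/status, bytes, method, URL, ident, hierarchy, content-type.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: two page loads on one site fan out into many
# sub-resource requests (css, js, images, a tracking pixel).
SAMPLE_LOG = """\
1363897200.000 120 10.0.0.5 TCP_MISS/200 8123 GET http://news.example/ - DIRECT/203.0.113.7 text/html
1363897200.300  40 10.0.0.5 TCP_MISS/200 2411 GET http://news.example/style.css - DIRECT/203.0.113.7 text/css
1363897200.400  35 10.0.0.5 TCP_MISS/200 9921 GET http://news.example/app.js - DIRECT/203.0.113.7 application/javascript
1363897200.500  30 10.0.0.5 TCP_MISS/200 40210 GET http://cdn.example/hero.jpg - DIRECT/203.0.113.9 image/jpeg
1363897200.600  25 10.0.0.5 TCP_MISS/200 1200 GET http://ads.example/track.gif - DIRECT/203.0.113.11 image/gif
1363897260.000 110 10.0.0.5 TCP_MISS/200 7410 GET http://news.example/story/42 - DIRECT/203.0.113.7 text/html
1363897260.200  20 10.0.0.5 TCP_HIT/200 2411 GET http://news.example/style.css - NONE/- text/css
1363899000.000 130 10.0.0.5 TCP_MISS/200 5120 GET http://intranet.example/timesheet - DIRECT/192.0.2.20 text/html
"""

VISIT_GAP = 600  # seconds of silence before a new visit to the same host is counted (assumption)

def parse_squid_line(line):
    """Return the fields we need from one native-format line, or None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    _, _, status = f[3].partition("/")          # e.g. TCP_MISS/200 -> 200
    return {"ts": float(f[0]), "client": f[2], "method": f[5],
            "status": int(status) if status.isdigit() else 0,
            "host": urlsplit(f[6]).hostname, "ctype": f[9]}

def collapse_visits(log_text, gap=VISIT_GAP):
    """Return {(client, host): [(first_ts, last_ts, page_count), ...]}."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        r = parse_squid_line(line)
        # Only a successful HTML document counts as a page the user actually opened;
        # stylesheets, scripts, images and trackers are side effects of that page.
        if not r or r["status"] != 200 or not r["ctype"].startswith("text/html"):
            continue
        key = (r["client"], r["host"])
        if visits[key] and r["ts"] - visits[key][-1][1] <= gap:
            first, _, n = visits[key][-1]
            visits[key][-1] = (first, r["ts"], n + 1)   # extend the open visit
        else:
            visits[key].append((r["ts"], r["ts"], 1))   # start a new visit
    return dict(visits)

def summarize(log_text):
    """One row per visit: (client, host, pages, span_seconds); span is a lower bound only."""
    rows = []
    for (client, host), spans in collapse_visits(log_text).items():
        rows.extend((client, host, n, round(last - first)) for first, last, n in spans)
    return sorted(rows)
```

Eight raw log lines reduce to two visits, which is the kind of report you can defend; HTTPS CONNECT tunnels and anonymous proxies still show up only as a single host, if at all.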
- Log keystrokes or capture screenshots. Like I said before, web activity reports are not conclusive, may be inaccurate and may not produce reliable results. Keylogging software often has the capability to take screenshots, and this is what you ultimately want. You also have to be extremely careful when using any type of keylogger — whether it's software or hardware — as storing sensitive information, such as a user's private email, banking or medical login details, could get you in trouble even if you have a policy to cover that. I’m not a lawyer and laws vary from country to country and state to state, so please consult an experienced attorney before using keyloggers. That's why I opted for screenshots, as it's impossible in most cases to obtain a user’s passwords that way. It was also the only way to keep tabs on users that managed to set up VPN or SSH tunnels to bypass the proxy.
- Install a high-resolution surveillance camera :) This is rather extreme and may be too obvious, but if none of the above are possible for whatever reason, this could be your only option. Just make sure you position it correctly so it doesn't record users’ backs instead of the screen. Once in place, this will make users think twice next time they want to do something unethical or stupid. I’ll be installing a camera shortly to monitor one of our copiers.
Bruce Schneier said, "Security is not a product, it's a process." Security is not just a technology problem, it's a people problem. Security is one of the topics IT has to pay special attention to every day, and it's a constantly changing challenge.
What problems have you encountered with users abusing Internet access? How have you monitored this, and how do you enforce your policies?