Security Basics mailing list archives

RE: Internet E-mail monitoring/approval


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Wed, 16 Apr 2003 12:19:27 -0400

I'm not trying to argue the point about monitoring people (there seems to be
confusion here) but I was trying to answer the question about why a scope is
necessary.  There is a difference between monitoring and investigating IMHO.
I'm sorry if I did not make this clear yesterday.  Monitor = broad review of
activity focusing on a general population; looks for anomalies in normal
behavior patterns.  Investigate = to make a detailed inquiry into
individual(s) based on a cause, request or other monitoring activities;
shift in focus from a general population to specific individual(s).

I understand your point and I agree that you can look at anyone you want to
(with the proper warnings, banners, policies, blah blah blah) and in fact I
have but WITH Cause when it changes from MONITOR to INVESTIGATE.  During my
investigations, and all investigations, there must be a scope to keep you
and your company from getting sued.  I've seen it happen. 

I have the right to monitor surfing, pinging, port scans, access, basically
any activity on my network.  Absolutely.  And once there is a violation I
initiate an investigation and define my scope. That was your point in your
response.  You asked what scope had to be defined.   The scope needs to be
defined at the point where you go from monitor to investigate.  Scopes can
be altered at any time of course (just document it).  One example I gave
yesterday was with Surfing.  I can monitor that person for that and
investigate them but I should stay within scope and not go on a fishing
expedition without proper approvals and documented scope changes. If I want
to broaden scope, I document it and get approval to CYA.  Another example is
monitoring my logs for audit policy changes.  I'm looking for a general
thing but with no specific person in mind when I start.  If I notice that
someone is changing my audit policies, I initiate an investigation (major or
minor) and define a scope, "I am looking for all audit policy changes that
Mike Jones has made" or "I am looking for activity that exceeds Mike Jones'
authority, including but not limited to audit policy changes".  Notice I
have gone from broad monitoring of all users to focusing on an individual
which then becomes an investigation.

I am also not arguing the fact that I have more rights within my network
than LE.  Of course I do.  What they need a subpoena to acquire legally, I
do not.  Meaning, I can legally acquire anything within my system.  No
dispute there.  This acquisition does not mean that my stuff is inadmissible
by any means.  But what I strive for is to do the acquisition and analysis
forensically to prove that these are the original files, documents, logs,
etc.   I follow a forensic process to ensure that anything I retrieve and
analyze will be accepted as irrefutable evidence.  As an investigator I must
assume that everything may go to court whether I initiate the court action
or someone else does (i.e. terminated employee).  

My personal opinion- I have the right to monitor and I have the right to
investigate and with that power comes a responsibility and something called
ethics. I think the companies that I have worked for and consulted for were
concerned with everyone's rights and doing investigations properly.  I hope
that they are the norm and not the exception.  


Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615
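A worked illustration of the monitor-then-investigate split described in the message above, added here as an editor's example; it is not part of Sonja Robinson's post or any other message in this thread. The log records are constructed, in a simplified pipe-delimited form modelled loosely on Windows Security log fields; event ID 4719 is Windows' "System audit policy was changed" event (612 was the equivalent on Windows 2000/2003). The account names, the approval roles and the `Scope` class are assumptions for the illustration.

```python
"""Monitor broadly, then investigate within a written scope.

Monitoring looks at the whole population for one kind of anomaly (here,
audit policy changes).  Investigation narrows to one subject and an
explicit list of event types, and every widening of that list is recorded
with who approved it and why.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log in a simplified pipe-delimited form modelled loosely
# on Windows Security log fields: time|event ID|subject account|description.
# 4719 is "System audit policy was changed" (612 was the equivalent event on
# Windows 2000/2003); 4624 is a logon and 4720 a user account creation.
SAMPLE_LOG = """\
2003-04-15T08:02:11|4624|mjones|An account was successfully logged on
2003-04-15T08:05:40|4719|mjones|System audit policy was changed
2003-04-15T08:06:02|4719|mjones|System audit policy was changed
2003-04-15T09:10:13|4624|jsmith|An account was successfully logged on
2003-04-15T09:11:50|4719|SYSTEM|System audit policy was changed
2003-04-15T10:30:00|4720|mjones|A user account was created
2003-04-15T11:45:09|4624|mjones|An account was successfully logged on
"""

AUDIT_POLICY_CHANGE_IDS = frozenset({4719, 612})


def parse_log(text):
    """Turn the pipe-delimited lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, message = line.split("|", 3)
        records.append({"time": ts, "event_id": int(event_id),
                        "subject": subject, "message": message})
    return records


def monitor_audit_policy_changes(records, ignore=("SYSTEM",)):
    """Monitoring step: count audit policy changes per subject over the whole
    population.  Nobody is singled out beforehand; accounts in `ignore`
    (system accounts that legitimately touch audit settings) are excluded."""
    return Counter(r["subject"] for r in records
                   if r["event_id"] in AUDIT_POLICY_CHANGE_IDS
                   and r["subject"] not in ignore)


@dataclass
class Scope:
    """Written investigation scope (assumed layout): one subject, an explicit
    set of event types, and an append-only record of every widening."""
    subject: str
    event_ids: frozenset
    opened_by: str
    reason: str
    history: list = field(default_factory=list)

    def widen(self, extra_event_ids, approved_by, reason):
        before = self.event_ids
        self.event_ids = self.event_ids | frozenset(extra_event_ids)
        self.history.append({"from": sorted(before),
                             "to": sorted(self.event_ids),
                             "approved_by": approved_by, "reason": reason})


def investigate(records, scope):
    """Investigation step: return only records inside the scope.  Other
    people's records, and the subject's records of event types the scope
    does not list, stay unread even though they sit in the same log."""
    return [r for r in records
            if r["subject"] == scope.subject
            and r["event_id"] in scope.event_ids]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = monitor_audit_policy_changes(recs)
    print("monitoring:", dict(flagged))                       # {'mjones': 2}
    who = flagged.most_common(1)[0][0]
    scope = Scope(who, AUDIT_POLICY_CHANGE_IDS, "analyst",
                  "monitoring flagged %d audit policy changes" % flagged[who])
    print("in scope:", len(investigate(recs, scope)))         # 2
    scope.widen({4720}, "legal/HR", "account creation seen during review")
    print("after widening:", len(investigate(recs, scope)))   # 3
```

The point of the `Scope` object is that the account-creation record (4720) is in the same log the whole time, yet `investigate` does not return it until the scope is widened and the widening is written into `history` with its approver; the monitoring pass, by contrast, never takes a subject name as input.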



-----Original Message-----
From: dave [mailto:iislists () netmedic net] 
Sent: Tuesday, April 15, 2003 11:08 PM
To: Robinson, Sonja; 'dave'; 'John Gormly'; 'security basics'
Subject: RE: Internet E-mail monitoring/approval



Sonja,

I do not think you get my point.  My point is you can spy on anyone you
want. 

For instance I could start a "PI" investigation of my own on my neighbors.
Video tapes, follow them to public places etc..  There is no law preventing
me from doing this. As long as I do not break any laws I am OK.

Whether or not anything I learn in the course of this is admissible in court
is another story.

Dave

_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net



-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Tuesday, April 15, 2003 09:51
To: 'dave'; 'John Gormly'; 'security basics'
Subject: RE: Internet E-mail monitoring/approval

** This is not meant to be a rant just trying to bring up issues that you
will encounter.** Just because it is called an investigation doesn't mean LEO
is necessarily involved.  

[snip]You can do many things that may not be admissible in court as evidence
in a criminal case.[snip] Doesn't matter, criminal and civil courts.  By
"SCOPE" you have to define what you are looking for when you focus on a
particular person.  For example, my proxy logs are telling me that John
Smith is visiting P_O_R_N sites.  I can review his machine for pictures and
other similar items (i.e. the investigation scope) but this doesn't
necessarily give me the right to read his e-mail or to look at all the
documents on his machine for other things he "might have" done. Just because
you are not LEO does not mean you can break the law or violate any privacy
rights.  

Let's say that you fire an employee because he violated company policy, say
they visited P_O_R_N sites  (for those who made bounce comments yesterday).
It's not illegal for him to do but it violated your policy.  Don't you think
that your evidence needs to stand up in a civil court when that guy sues you
for wrongful termination?  How do you prove that stuff was from his machine,
that he downloaded/viewed it?   What if it was just a rogue program that
opened up a hundred of these sites on his machine and he didn't actively do
it?  What if a note goes in his personnel file and he is sanctioned (passed
over for raise or promotion). Did you save the files or did you save the
whole drive?  How?  How do you know it wasn't someone else on his machine?
Did you document the findings?  Who performed the analysis?  Was a hash done
of the drive or files?  How do you know the access dates are correct?  How
do you know your logs weren't altered?  Is your evidence tainted? No?  Prove
it!  Any good attorney would tear you to bits in court.  Plus he'd bring in
a forensic expert who would analyze the data himself and blow some major
holes in your case just by proving that you can't prove that the data is
original and correct.  With juries these days, I'm not taking any chances of
costing my company $1Million because I didn't do it right. 

What if you were looking for one thing (i.e. P_O_R_N) and found that the guy
was leaking trade secrets instead?  Now you need to change your scope.  I'm
not saying you need subpoenas, I'm saying you consult your corp attorney and
HR, let them know the deal and document the scope change.  If you go on a
fishing expedition, you can be held liable.  

As long as you are not acting as an agent for LEO you have a much wider
latitude for your investigations.  Once you bring in LEO you are considered
their agent and must act accordingly.  This is why I do most investigations
prior to bringing them in.  For example, where they may be required to get a
subpoena for information, I am not. However, this doesn't mean that I can
just do surveillance without just cause.  Nor would I want to.  I do believe
that there is some expectation to privacy (like my locked desk).  I also
believe that if there is cause I will investigate.  But I follow certain
WRITTEN & APPROVED procedures and policies to do so to protect me, my
company and whoever is being investigated.  

You don't want to get into a witch hunt either.  There are times when I
won't perform an investigation and I have refused to become involved, i.e.
manager wants to fire someone because they don't like them so they want to
look at the entire hard drive to see if they can find cause.  Or someone is
on vacation and their boss wants to snoop.  

Another reason for defining scope- besides covering your rear and staying
within legal parameters - massive amounts of data on huge hard drives.
Looking at every bit in an 80GB will take you years.  If you know what you
are looking for, then you can eliminate things you don't need and narrow
down your search to the correct machine, logs, documents, etc.

"Just because I CAN do something, doesn't mean I SHOULD."

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615
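As an added example (an editor's illustration, not part of any message in this thread) of the questions asked above about hashes, dates and altered logs: a minimal evidence manifest in Python that records each collected item's size, timestamps and SHA-256 at acquisition, keeps an append-only custody list, and re-verifies later. The file names, their contents and the names in the custody entries are constructed for the demonstration, and the manifest layout is an assumption rather than any standard format.

```python
"""Evidence manifest: hash what you collect, record who handled it, and
show later that nothing has changed.  Layout is an assumed, minimal one.
"""
import datetime as dt
import hashlib
import json
import os
import tempfile

ALGO = "sha256"


def hash_file(path, chunk=1 << 16):
    """Hash a file in chunks so a large image need not fit in memory."""
    h = hashlib.new(ALGO)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def add_custody(manifest, actor, action):
    """Append a chain-of-custody entry; entries are never edited in place."""
    manifest["custody"].append({
        "time": dt.datetime.now(dt.timezone.utc).isoformat(),
        "actor": actor, "action": action})


def build_manifest(paths, collected_by, purpose):
    """Record size, timestamps and hash of each item at collection time.
    stat() is taken before the file is opened, because reading it can update
    the access time we want to preserve."""
    items = []
    for p in paths:
        st = os.stat(p)
        items.append({"path": os.path.abspath(p), "size": st.st_size,
                      "mtime": st.st_mtime, "atime": st.st_atime,
                      ALGO: hash_file(p)})
    manifest = {"purpose": purpose, "items": items, "custody": []}
    add_custody(manifest, collected_by, "collected")
    return manifest


def items_digest(manifest):
    """Digest over the item records themselves (stable JSON).  Write this
    down or sign it out of band: custody entries can be appended later
    without changing it, but an edited hash or timestamp will change it."""
    data = json.dumps(manifest["items"], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest):
    """Re-hash every item and return the paths whose contents changed."""
    return [it["path"] for it in manifest["items"]
            if hash_file(it["path"]) != it[ALGO]]


def demo():
    """Constructed walk-through: collect two files, alter one, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        proxy_log = os.path.join(d, "proxy.log")
        cache_item = os.path.join(d, "cache.dat")
        with open(proxy_log, "w") as f:   # constructed proxy log line
            f.write("2003-04-14 09:12:01 jsmith GET http://example.invalid/\n")
        with open(cache_item, "wb") as f:  # constructed cached image stub
            f.write(b"\x89PNG\r\n\x1a\n" + bytes(32))
        manifest = build_manifest([proxy_log, cache_item],
                                  "S. Robinson", "proxy policy violation")
        digest_at_collection = items_digest(manifest)
        clean = verify_manifest(manifest)         # []: nothing changed yet
        with open(proxy_log, "a") as f:           # someone later edits the log
            f.write("2003-04-14 09:13:00 jsmith GET http://example.invalid/x\n")
        add_custody(manifest, "analyst", "verified after transfer")
        tampered = verify_manifest(manifest)      # ['proxy.log'] by basename
        return {"clean": clean,
                "tampered": [os.path.basename(p) for p in tampered],
                "custody_entries": len(manifest["custody"]),
                "items_digest_stable":
                    items_digest(manifest) == digest_at_collection}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

This is a file-level check; in practice the drive is imaged through a write blocker and the image itself is hashed, with the individual files then hashed out of the image. Either way the principle is the same: the hash and the timestamps are recorded at the moment of collection, the custody list only ever grows, and anyone can re-run the verification later to show the items are unchanged.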



-----Original Message-----
From: dave [mailto:dave () netmedic net] 
Sent: Monday, April 14, 2003 10:13 PM
To: Robinson, Sonja; 'John Gormly'; 'security basics'
Subject: RE: Internet E-mail monitoring/approval


Sonja,


I believe what you were saying is true, if you were a Law Enforcement
Officer performing an Investigation.  What "SCOPE" do you have to define??

You can do many things that may not be admissible in court as evidence in a
criminal case.

Dave




_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net



-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com] 
Sent: Monday, April 14, 2003 10:20
To: 'John Gormly'; 'security basics'
Subject: RE: Internet E-mail monitoring/approval

Each of you is right to an extent.  

Yes, there are some privacy issues with e-mail.  This is a touchy area.  But
yes you can monitor it.  Yes, you SHOULD (MUST) have privacy (or lack
thereof) policies, monitoring policies and investigation policies.  

Would I allow the manager to read all of the e-mail?  Absolutely not! You
can set yourself up for a lawsuit because you are performing an
investigation that has NO DEFINED SCOPE and is being performed by a person
who is not properly trained or qualified to do so.  Not to mention
monitoring and investigations should be done by someone objective.  A
manager is not. You cannot just arbitrarily focus on one person without
just cause. Let me explain this.  

I can monitor ALL users for web surfing and when a flag goes up for
unauthorized sites, I can take action.  But I was not focused on ONE user
the entire time.  Something caught my eye.  I can have all e-mail go through
a filter and if it picks up something I can investigate that.  I can't just
read Jane Doe's e-mail all day just because I can.  Now, let's say the
previously mentioned triggers or a very good suspicion about employee
activity is the case (as in this case it most likely is).  Well, now you go
into investigation mode.  This includes notifying your legal and HR dept
that you are doing an investigation and you help them define the scope
(especially legal).  What items are being leaked? To Whom?  Why do you think
so?  Based on these as well as other questions, you define your scope and
perform the investigation.  The investigator should (ideally) be a trained
and properly qualified forensic expert.  Why forensics, so that the
investigation will be performed following applicable laws and that
everything collected is OBJECTIVE and can be presented in court if it goes
to that.  In addition, a manager might not save e-mails properly (among
other things), may accidentally accuse without having properly conducted
the investigation and interpreting results.  This could damage an employee's
reputation and then you have a lawsuit there when they quit due to hostile
environment (seen it happen).  IF you fire an employee based on things in
e-mail you just might find yourself in a lawsuit (especially if it's not what
you were looking for originally).  IF you go outside of the scope of the
investigation without redefining scope with legal approval then you're in
some potential trouble.  Don't get me wrong, I investigate e-mail and
Internet logs all the time.  I just do it legally and with the proper
approvals, scope etc.  I watch out for everyone's rights, employee and
employer.


Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: John Gormly [mailto:jgormlyjr () yahoo com] 
Sent: Saturday, April 12, 2003 8:05 AM
To: 'security basics'
Subject: RE: Internet E-mail monitoring/approval


 I would agree.  Also check with Human Resources of the company.  Our
employees sign an agreement before being issued a computer stating that the
computer is the property of the company and is for company use only.  All
activity (internet browsing, email access, etc., ) while using company
equipment is subject to monitoring.  We've never had a problem monitoring
email or internet access when we've needed to.


-----Original Message-----
From: Ben Schorr [mailto:bms () hawaiilawyer com] 
Sent: Thursday, April 10, 2003 7:55 PM
To: security basics

My 2 cents ...
1. The basics of Law, Ethics and Investigation says, Never do anything
that is unknown to user. Monitoring email activity without user 
knowledge is illegal and your company can be sued for billions of 
dollars.

Actually that's not necessarily true.  It depends largely upon what your
employee handbook and privacy agreements say.  If they explicitly state that
the e-mail system is company property and may be subject to monitoring
then...it might not be illegal.  It's assumed, in many cases, that if the
employee has been notified that their e-mail is company property and may be
monitored that any monitoring that may occur, even months later, is not
without their knowledge.

Best for Ted to consult with an attorney licensed to practice employment law
in his state.  Assuming he's in the USA.

-Ben-
Ben M. Schorr, MVP-Outlook, CNA, MCPx3
Director of Information Services
Damon Key Leong Kupchak Hastert
http://www.hawaiilawyer.com

-------------------------------------------------------------------
Is SPAM over-loading your e-mail server, disk space or bandwidth?
SurfControl E-Mail Filter is flexible, intelligent and policy-driven
protection. http://www.securityfocus.com/SurfControl-security-basics2
Download your free fully functional trial, complete with 30-days of free
technical support. Stop SPAM before it stops you.
-------------------------------------------------------------------











-------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hands-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  www.blackhat.com
-------------------------------------------------------------------





