Firewall Wizards mailing list archives
Re: RE:Vulnerability Scanners ( was: concerning ~el8 / project mayhem )
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 26 Aug 2002 09:09:57 -0400 (EDT)
On Sun, 25 Aug 2002, Dave Piscitello wrote:
> That's when positive authentication is necessary. One needs to know it's positively Jane Doe that went to the porn site (which is against policy) or it was someone who sat down at her authenticated workstation when she walked away without logging off (which is against policy) before disciplinary actions are initiated. You'll need non-repudiable authentication (evidence), as a court of law would describe.
I think this is a myth that we've been conditioned to believe. It's certainly possible to present evidence of wrongdoing that *isn't* non-repudiable. In an administrative case (firing someone) the evidence really just needs to be compelling. In a civil case, the bar isn't all that much higher, and in a criminal one, supporting evidence works all the time. Motive and correlating other evidence works just fine. Courts of law very rarely get non-repudiable evidence, and only in the last 10 years or so has it been possible to do things like DNA testing and have it admissible without the same sorts of confusing defenses that we're seeing in computer crime.
> How would you propose to verify Jim was at Jane's workstation at the time of the porn site visit? In addition to "strong authentication" as we define it today, do you propose cameras? Keyloggers that distinguish typing behavior?
If Jim authenticated to the porn site and there was a lawsuit involved, we'd get a subpoena for the porn site and find out whose credit card was used to get that ID, and also whose home computer was found to be using that account (indeed, if I had to defend from such a suit, I'd subpoena the home PC and spend all the EnCase time I could on it generating both corroboration and subpoena fodder.) We'd also look at phone switch logs to see if Jim called home from Jane's phone, or answered Jane's phone while at her desk. We could certainly correlate Jim's days in the office with the activity, and delta that from Jane's activity. We could also start to match Jim's unanswered calls with the time periods in question, access-card logs, meeting attendance of both Jim and Jane... However, porn sites really are the easy case: the pattern of abuse is normally ongoing, so you just need to log and alert on logging, and it's trivial to either put hidden video surveillance on Jane's PC or walk over and catch Jim "in the act."[1]
> Something that's annoyed me for ages is the distinction that policy violations conducted through computing and networking are so different from any other medium. If an employee uses his phone card to dial a phone sex number during work hours, from a business phone, is it as serious an offense (granted, there's no temporary or long term cache of the "image" unless he's taped the conversation)? What about print media and fax (although I've never heard of fax sex)?
Not quite as serious, because unless the employee is saying offensive things, there's not the same "walk by" factor. Also, I think implicitly illegal phone sex is probably pretty difficult to make. However, in the US it's perfectly legitimate for a company to monitor its phone system for content, so catching is again a relatively easy matter.
> Content inspection is an odd business, and it seems perpetually focused on computer networking. My point is that I've seen some policies that don't uniformly treat all media - it's acceptable to have a sexy calendar, but not to visit Victoria's Secret online, or thumb through PlayBoy during lunch? I've told folks that such policies are an HR nightmare waiting to happen.
Calendars are the things that have set caselaw up to now, so that's obviously a problem. However, computers should have different acceptable use policies; you don't have things like ECPA to contend with when you track calendar hanging.
I wrote a paper a while ago on this subject, but I think it's still accurate and hopefully relevant: http://www.tisc2002.com/newsletters/211.html
As a note, I know quite a few companies who block 900 numbers (pay-per-call lines in the US) and allow specifically for "limited personal use that doesn't infringe upon the business," so indeed PBX management isn't all that different other than the level of detail (and most of those places print call detail logs and have employees and their supervisors review and sign them.)

Paul

[1] I've been involved in both types of incident, and both are effective.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
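The corroboration approach Paul describes above (correlating who was badged into the building with the account that generated the proxy hits, rather than relying on the login alone) is easy to show in code. The following is an added example, not part of the thread or of any product the posters mention; the proxy and badge-reader log lines are constructed sample data in an assumed space-separated format, and the user names and URLs are made up.

```python
from datetime import datetime

# Constructed sample logs (not from the thread). One event per line:
#   proxy: <ISO timestamp> <authenticated user> <url> <ALLOWED|BLOCKED>
#   badge: <ISO timestamp> <badge holder> <IN|OUT>
PROXY_LOG = """\
2002-08-20T10:05:12 jane http://blocked.example/ BLOCKED
2002-08-20T13:42:07 jane http://blocked.example/ BLOCKED
2002-08-21T09:15:30 jane http://intranet.example/ ALLOWED
2002-08-21T12:30:01 jane http://blocked.example/ BLOCKED
"""

BADGE_LOG = """\
2002-08-20T08:55:00 jane IN
2002-08-20T12:00:00 jane OUT
2002-08-20T12:45:00 jane IN
2002-08-20T17:10:00 jane OUT
2002-08-21T08:30:00 jim IN
2002-08-21T09:00:00 jane IN
2002-08-21T11:00:00 jane OUT
2002-08-21T13:00:00 jane IN
2002-08-21T17:00:00 jane OUT
2002-08-21T17:30:00 jim OUT
"""


def parse_proxy(text):
    """Parse proxy log lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, url, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "url": url, "action": action})
    return events


def parse_badge(text):
    """Pair each IN with the next OUT for the same badge holder.

    Returns {user: [(entered, left), ...]}. An IN with no matching OUT is
    treated as still inside (open-ended interval), which is the conservative
    choice: it never marks someone absent on incomplete data.
    """
    open_since = {}
    intervals = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, direction = line.split()
        t = datetime.fromisoformat(ts)
        if direction == "IN":
            open_since[user] = t
        elif direction == "OUT" and user in open_since:
            intervals.setdefault(user, []).append((open_since.pop(user), t))
    for user, t in open_since.items():
        intervals.setdefault(user, []).append((t, datetime.max))
    return intervals


def present(intervals, user, t):
    """True if the badge data shows `user` inside the building at time t."""
    return any(start <= t <= end for start, end in intervals.get(user, []))


def correlate(proxy_text, badge_text, action="BLOCKED"):
    """For each policy-relevant proxy event, record whether the account
    holder was badged in and which other badge holders were present.

    A False `holder_present` does not prove someone else used the
    workstation; it is a corroboration gap that points at other evidence
    (phone logs, meeting attendance, a walk-by), exactly as the thread argues.
    """
    badge = parse_badge(badge_text)
    findings = []
    for ev in parse_proxy(proxy_text):
        if ev["action"] != action:
            continue
        others = sorted(u for u in badge
                        if u != ev["user"] and present(badge, u, ev["ts"]))
        findings.append({**ev,
                         "holder_present": present(badge, ev["user"], ev["ts"]),
                         "others_present": others})
    return findings


if __name__ == "__main__":
    for f in correlate(PROXY_LOG, BADGE_LOG):
        flag = "ok" if f["holder_present"] else "ACCOUNT HOLDER NOT BADGED IN"
        print(f"{f['ts'].isoformat()} {f['user']} {f['url']} {flag} "
              f"others_present={f['others_present']}")
```

Run as a script it prints one line per blocked request; the third blocked hit lands while jane is badged out and jim is the only other holder in the building, which is the kind of correlated (not non-repudiable) evidence the message above treats as sufficient to go and look further.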