Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
If you don't monitor your workers, how can you provide adequate feedback on their job performance? You cannot. There has never been a question about whether to monitor workers in some way; whether it is based on net output, attitude, or the hours they are at work, monitoring is fundamental to performance evaluation. The question has been, and remains, how much of what to monitor and for what purposes.
There are three basic reasons for worker monitoring: (1) to measure job performance, (2) to limit legal liability and to detect, track down, and stop illegal activities, and (3) to measure and improve system and network performance and to debug network problems.
There are, of course, a large number of different places where monitoring can be done. In fact, almost any location within a system or network can be valuable for monitoring something or other. The most common monitoring points are (1) a keyboard, (2) a disk, (3) a network interface, (4) a network infrastructure point such as a firewall, gateway, router, or switch, (5) a telephone, (6) a wire closet, (7) a telephone switch, (8) a trunk line, and (9) an entry or exit location. Each of these locations applies to different sorts of monitoring for different purposes.
The table below may be helpful in figuring out what kind of monitoring works best where:
Location | worker performance | legal/security purposes | system performance |
---|---|---|---|
keyboard | no | yes | no |
application | yes | yes | no |
interface | no | yes | yes |
infrastructure | yes | yes | yes |
telephone | yes | yes | no |
closet | no | yes | no |
switch | no | yes | yes |
trunk | no | yes | yes |
entry/exit | yes | yes | yes |
Keyboard monitoring is generally done by a small program inserted into the operating environment at the driver level. This intercepts all keyboard input (the depression and release of each key) and records it along with a time stamp. It can then be replayed as desired. It is also possible to record keyboard input by placing a device between the normal keyboard port and the keyboard connector, or by placing an interception capability in the keyboard itself.
Application monitoring is generally done by the software components of the application, by the server in a client/server architecture, or by the operating system through the use of audit trails. This type of monitoring is generally tailored to the application or the operating environment; however, some standard audit information is retained by most operating systems. In addition, items like file date and time stamps and similar operating-environment monitoring information are standard in almost every operating environment and are necessary for most current systems to function properly.
Interface monitoring takes place at interface points between user systems and infrastructure systems. Typical monitoring includes TCP packet observation and serial port monitoring. These can be done by hardware, software, or combinations of both.
Infrastructure monitoring is used in cases where large numbers of systems are being observed relative to their network behavior. A typical example is the use of special systems to detect the downloading of pornographic material from the Internet or the use of a special purpose system to detect release of trade secrets over connections between business partners.
Telephone monitoring typically involves the placement of a hardware device within a telephone. These are the 'bugging' devices you see placed in handsets on television shows. In the case of web-based telephony, this is done either at the hardware or software level in the computer being used for the telephone calls.
Closet monitoring involves the placement of monitoring devices in the wire closets and other similar locations where wiring is placed for communication between rooms, floors, and buildings. Most buildings have wire closets located throughout the facility. They are used to add, remove, or repair telecommunications connections between equipment placed throughout the facility. Hardware devices are commonly placed in or near wire closets for monitoring purposes.
Switch-based monitoring applies primarily to line- or packet-switched networks in which switching devices are used to route information from place to place. Telephone switches, for example, commonly have provisions for remote monitoring of telephone microphones, for monitoring of calls in progress, and for recording such calls. The same sort of mechanisms are often available in computer switching devices.
Trunk lines are commonly used for high volume inter-site communications and as such are sometimes used for monitoring communications between sites. They tend to be encoded for efficient use of bandwidth and relatively high speed, so specialized equipment may be required for this sort of monitoring.
Entry and exit points are commonly monitored for various purposes, including but not limited to firearms, explosives, backup tapes, computer hardware, cell phones, drugs, and a wide variety of other 'contraband'. Similarly, other facility locations may be monitored for a wide range of purposes, including limiting liability.
Naturally, for legal and security purposes, monitoring can be done anywhere it can have other uses, but the monitoring used for system performance is almost never the same as that used for worker performance.
Knowing what you might want to do is not the same as knowing what you really can and cannot do. Usually, the limits of monitoring come about as a result of time and space issues in the monitoring technology.
The space and time issues are limits brought about in high volume situations. They are issues because the available storage space and analytical capability are often more limited than the available data to be monitored and analyzed. To give you a sense of this, consider the disk requirements for monitoring a typical 100Mbps LAN cable. At 100 million bits per second, that's about 10 million bytes per second, or a gigabyte every 100 seconds. So a 20 gigabyte hard disk will get filled in under an hour if you try to monitor all of this traffic at full bandwidth. This is clearly not a viable option for most circumstances. On the other hand, a really fast typist can type at a rate of about 150 words per minute, or under 1,000 characters per minute. At 60 minutes per hour, 24 hours per day, that comes to one floppy disk of data per day (about 1.44 MB). A 20 gigabyte disk can hold about 15 million days of typing at this rate. So if we choose to monitor keystrokes, disk space is almost never an issue.
Time for analysis is also at issue. Simple analysis, like counting the number of characters typed or the number of letters printed, is easy to do but not very effective in most cases. The effectiveness of monitoring is generally determined by the application. A good example of long analysis times is the analysis of web traffic to generate profile information on individuals who view web pages, in order to determine whether the web pages they visit are work related. Examining all of the user activities for content takes a lot of processing power, particularly as the volume of traffic goes up, and particularly if observations are done from the infrastructure rather than at the desktop.
Monitoring worker performance is generally most effective when a clearly identified performance goal is easily measured. For example, orders processed per hour, order amount, and customer acceptance might be easily measured properties of semi-automatic order processing systems. But monitoring an engineer in terms of number of boards designed may be a poor performance measurement and hard to capture and analyze.
Most of my experience in worker monitoring has been from the system performance and legal perspectives, and in my experience, each monitoring activity involves customization based on the specifics of what is being sought. In the case of system performance monitoring, instrumentation is generally done at the disk level for applications and at the network level for network traffic. Placement of sensors is not much of a problem in this context because the people who work in the environment are generally supportive of better performance.
When it comes to monitoring for legal or security purposes, the situation changes fairly dramatically.
The first thing that changes is the location at which you are able to place monitoring capabilities. While for normal business purposes, monitoring can be placed almost anywhere, for security, you are often faced with monitoring the people who run the equipment you are monitoring. As a result, you often need to be covert. Covert monitoring is far more difficult than overt monitoring and it is therefore often done in locations that would not be used for overt monitoring.
The second thing that changes is what you can monitor and how you must use it. In overt monitoring, you can often alter the operation of the systems under surveillance to cause just the right information to be provided. In covert monitoring, you are often forced to place physically small monitors in remote locations and covertly control them. You are often forced to observe large volumes of traffic in search of very small pieces of useful information, and often this information is coded in a form that makes it difficult to find and analyze.
While these changes may seem simple, in fact, they drive covert monitoring technologies into areas that overt monitoring would never pursue because they are far too space and time intensive or overly complex. They are only used because of lack of choice.
Just because you can doesn't mean you are legally allowed to, or that you should do it. I will more or less ignore the moral and ethical issues in this article, but suffice it to say that looking at other people's information out of curiosity is not what I would consider to be reasonable or prudent. The only real basis for examining information is that it meets some goal that is sufficiently important to justify the invasion of privacy implied by it, and in those cases, it seems to me that looking at anything beyond what is necessary to get the job done is over the bounds of fair and reasonable. Of course the legal standard may be quite different from that.
I am not a lawyer, and anything I say here should not be construed as legal advice. Having said that, there are two basic kinds of legal searches of information, and of course this varies dramatically based on jurisdiction. Type 1 is a search based on permission of the owner. Type 2 is a search based on some legal warrant.
Permission searches are based on getting permission to do the search. Normally, permission would have to come from the owner of the information. In most corporations, the corporation owns all of the information within its information systems, with a few exceptions (e.g., information owned by others but kept within their information systems and information passing through their systems based on being a common carrier). This notion of ownership aside, it is necessary in most jurisdictions that notice be served on people using systems identifying that their use of those systems implies permission to store, examine, and analyze for any and all purposes, at any and all times, and at the sole discretion of the 'owner'. In this case, employment contracts usually require this as a condition of employment. In the case of information owned by others, civil contracts and, in some cases, laws of the state overrule these ownership notions. Similarly, in the case of common carriers, content is not owned, but merely passed through, and there is no right to examine or search by permission of the owner of the common carrier equipment and facilities. There is an exception for normal business records purposes and for assuring proper operation and continuity of service, but this does not pass on to others or to other purposes. There are also laws in many jurisdictions against intercepting transmissions that are inter-jurisdictional, including laws against wire tapping, and so forth, all of which normally apply to the Internet and computer networks just as they do to telephony.
Warrant searches are generally performed by obtaining authority from a competent authority. In many jurisdictions, these searches are very limited in the sense that they are allowed only for the purpose identified in the warrant, and collection and analysis must be restricted, to the extent feasible, to collecting and searching only for the things the warrant covers. In this case, things you 'find along the way' don't count, and you are supposed to try hard not to find them. If you are looking for child pornography and for technical reasons must examine each image along the way by visual inspection, and if you happen across evidence of some other crime along the way, depending on the specifics, you may be able to continue to investigate this crime, or at least secure the data pending a warrant for this additional material. But if you are searching financial records in a database and happen to look through images for no good reason and stumble across evidence of another crime, you are likely to have gone beyond the reasonable restrictions of the warrant.
For somebody who is not a lawyer, I seem to run into a lot of legal stuff along the way. It's mostly to keep myself from getting into legal trouble in my work. In the case of most of my readers, you can ask your local legal eagle about these issues, and you should do so in the process of forming your policies and contracts with employees.
One last note here. In today's business, acquisitions and other corporate activities tend to make things like proper policy and notice hard to do and likely to be out of compliance. If I were you, I would be really careful to make sure that the monitoring policy you have in place is all it should be. Otherwise, you may go to jail for doing illegal wiretaps, be sued for violation of privacy and lack of notice, or worse yet, miss having all of those wonderful conversations with your lawyers, who are lonely all day because nobody wants to talk to them.
The other major use of monitoring for legal purposes is to mitigate liability. Many folks nowadays maintain that if you do not monitor worker and system activity, you are not meeting the standards of due care required for a modern business. For example, not monitoring a dark parking lot at night for criminal behavior may subject you to a lawsuit if an employee gets assaulted. Similarly, failure to monitor networks for pornographic traffic may be used against the employer in a sexual harassment suit, and failure to monitor for security breaches in computer systems may be grounds for a shareholder suit. Similarly, allowing employees to release trade secrets or other confidential information subjects the employer to legal liability because the employer is generally responsible for the actions of employees when they are working (and often during breaks from work as well). Monitoring is often the only available means to detect and counteract these activities.
Worker monitoring is not only feasible and reasonable, it is essential for any substantial business and fundamental to the evaluation of employee performance.
The technologies involved in monitoring cover a wide spectrum, and there are substantial technical issues involving such things as resource requirements, covert and overt actions, and placement, remote control, and operation of monitoring devices.
The extent to which monitoring becomes invasive of privacy is a core issue to be addressed, and it is generally addressed through a combination of corporate policy, notice, employment and similar contracts, and prudence in the monitoring process.
About The Author:
Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, Managing Director of Fred Cohen and Associates in Livermore, California, an executive consulting and education group specializing in information protection, and a practitioner in residence in the University of New Haven's Forensic Sciences Program, where he educates cybercops on digital forensics. He can be reached by sending email to fred at all.net or visiting /