
Companies target the enemy within

New computer monitoring package can look for a variety of questionable activities.



It's not as if the U.S. Department of Veterans Affairs isn't aware that the biggest security threat comes from people inside your organization. After all, the agency employs about 600 information security officers, whose chores include overseeing a system of Internet access filters designed to prevent employees from downloading unacceptable content.

But what did catch the agency somewhat by surprise was finding out one of those security officers had placed himself outside the filtering system so he could abuse his network privileges. "When we confronted him, based on a tip, he resigned on the spot," says Rob Pate, team leader for the VA's Central Incident Response Capability.

The key to snagging the wayward employee was having monitoring systems in place that look at internal and external intruders, Pate says. "Anyone who works at the VA can expect this monitoring," he says.

The same is true for a growing number of employees, as organizations roll out increasingly sophisticated monitoring technology and get a better understanding of the complicated laws governing the oversight of employees.

It's easy to see why organizations are taking such steps. According to the Computer Security Institute, a poll of 503 security managers in U.S. commercial and government organizations found that 78% have experienced trouble over the past year with insiders abusing network privileges by downloading porn or pirated software - activities that pose grave liabilities to organizations. The poll also found that 38% of those surveyed said insiders were constantly trying to hack the company network.

APL, which operates a $4 billion ocean-freight business with 12,000 employees in 80 countries, recently cracked an alleged internal fraud ring, thanks in large part to the company's IT security division.

When suspicions arose about a year ago that a handful of employees in Jakarta, Indonesia, were attempting to siphon off millions of dollars in business from the company, the security division quickly installed a network-monitoring tool called SilentRunner, developed by Raytheon.

The tool monitors the content of files sent by employees and their network use; flags suspicious activity, such as unusual FTP transfers; and even duplicates the content of transmissions. It helped APL crack the internal fraud ring by providing evidence of wrongful behavior that could be used overseas in the prosecution of the alleged crime ring, says Van Nguyen, director of global IT security.

SilentRunner is just one tool in Nguyen's arsenal to guard against employee malfeasance. He also uses Guidance Software's EnCase software to collect the contents of hard drives for forensics purposes; Internet Security Systems' intrusion-detection systems to monitor employees; and Recourse Technologies' ManTrap honeypot to find out which employees might be trying to hack into information to which they are not entitled.

"They're attempting to up their privileges, or share files like movies that may be pirated," says Nguyen of the range of inappropriate behavior he observes. "There's a liability issue."

Law and order

Of course, monitoring employees electronically carries legal implications. Experts say gaining employee consent is a key factor in ensuring that monitoring and data collection is carried out legally.

"We have each of our 2,000 employees sign a policy that says we can monitor them," says Ernest Parker, senior network specialist at TruServ Corp., parent company of TrueValue hardware stores.

TruServ uses the St. Bernard iPrism Web-filtering appliance to block employee access to forbidden sites and collect information on Internet use, which is transmitted to a server-based reporting tool from NetIQ called WebTrends to analyze the data and generate reports for management.

Richard Salgado, a prosecutor at the U.S. Department of Justice computer crimes division, said during a recent SANS Institute online conference that, "Any interception in real time is forbidden by the law, but thankfully, there are many exceptions to this statute."

The Wiretap Act and the Pen Register Trap and Trace Statute are U.S. laws governing real-time interception for network operators, such as an employer.

The exceptions spelled out in these laws allow employers as network operators to intercept real-time communications if the purpose is to protect the rights and property of the owner - or if the parties have consented to allow interception. Employee consent can be obtained through a Web page banner or in a written policy given to employees that makes clear working for the company includes possible monitoring.

"This is what allows us to deploy intrusion-detection systems," Salgado said.

The Electronic Communications Privacy Act (ECPA), the law that pertains to monitoring and collection of e-mail and documents stored on employee computers, is a "complicated statute," Salgado said. The law implies employee consent as well.

Salgado said there's not much case law to define limits to employer snooping, but in general there's the expectation that monitoring and data collection is intended to thwart harmful actions against the organization.

Some companies find their business might be governed by specific rules, such as the International Traffic in Arms Regulations (ITAR). They monitor employee action to ensure compliance.

Satellite services provider Intelsat has to monitor in-bound and outbound e-mail and phone traffic because of the sensitive nature of its business, which falls under the ITAR rules.

These rules require that any individual at Intelsat with satellite operation responsibilities, including engineers and management, must check an online database every time a contact with someone outside the organization is made.

That database, provided by the U.S. government, is replicated afresh every day.

It contains a list of "forbidden persons," according to Bob Connors, security auditor at Intelsat in Washington, D.C. "We have to be very careful with whom we communicate," he says.


Contact Senior Editor Ellen Messmer


Copyright, 1994-2006 Network World, Inc. All rights reserved.