Dealing with deviants on your network

It's a security manager's nightmare. Network logs of Internet activity at MassMutual Financial Group indicated a top executive was spending much of his time in chat rooms, where he claimed to have molested his 12-year-old daughter.

That discovery by the IT department and its security team triggered a rapid investigation with help from local law enforcement that culminated in the executive's dismissal. It also led to the unraveling of the executive's family after investigators interviewed his daughter. The investigators came away convinced he hadn't molested her but was hooked on a sick fantasy that was consuming his life.

"He was a high-level employee making a six-figure salary who had spent [hours] each day chatting online about incest," said Bruce Bonsall, MassMutual's chief information security officer, speaking at a recent conference. The incident happened more than a year ago and appeared to have gone on for at least a month, he said.

While it's hard to gauge how often corporations are forced to grapple with such issues, it's clear that perverted online behavior is a growing insider threat, especially as digital pornography gets easier to come by and popular peer-to-peer networks become rife with unsavory material. The downloading of adult pornography can trigger "hostile workplace" lawsuits. And in cases where it appears child pornography might be involved, the failure to take action can leave an organization criminally liable. Companies are resorting to assorted security products and policies to protect themselves.

"I had one client who had the FBI show up [about three months ago] at their facility because someone was downloading child pornography," says Joseph Schmitt, labor-employment attorney with Minneapolis law firm Halleland Lewis. "I said, 'Did they have a search warrant?' And they did."

Schmitt says the FBI, which had tracked the employee over the Internet, questioned the man to gather more evidence. The company fired him.

Legal matters critical

Parry Aftab, an attorney who directs the Internet online-safety group Wired Safety, says she learns about a dozen child-pornography cases in the business world each month. She has been hired to advise IT and human resources departments on how to deal with employees suspected of inappropriate Internet use or criminal activity.

According to Aftab, federal and state laws concerning adult pornography sometimes conflict, and prosecutors tend to shy away from pursuing adult-pornography cases on First Amendment grounds.

"There are no rules about workplace porn except for the rules established by the employer, such as Internet acceptable-use policies in employee handbooks," Aftab says. "However, child porn is illegal everywhere and under all circumstances." Technically, a child is anyone younger than 18, and in some states younger than 16 or 17.

Upon uncovering possible network use for child pornography, companies must act immediately through a coordinated effort with their IT department, human resources group and legal counsel. To complicate matters, though, simply chatting online about child pornography or incest is probably protected by the Constitution's right to free speech, Aftab says. But it might violate the company's Internet acceptable-use policy, which every company should have and every employee should sign when hired.

There are many Internet-monitoring tools that watch employees online and block specific sites or activities. But Aftab notes that once corporations start using them, the companies take on a legal responsibility that implies they are actively using the reports they generate to stop abusive behavior.

"You've got to be sure you're reading the reports because if something goes wrong, and you're not checking them, it could lead to punitive damages," Aftab says. And the failure to warn employees that they are being monitored - whether in writing or with online Web banners - can put the organization in legal jeopardy.

"That's a valid point," Schmitt says, though he adds that companies shouldn't shy away from monitoring because of the legal concerns. "It's not an argument to bury your head in the sand."

Nabbing a 'twisted mind'

MassMutual's Bonsall, who related the online incest chat incident at a recent security conference in Orlando, shared the tale of what he called "a twisted mind" so security professionals could better understand this kind of insider threat.

The first clue about the executive's obsession was picked up by an IT auditor reviewing antivirus records, he said.

"He saw one computer was getting infected over and over," he said. A closer look showed the source of the viruses was video files with names like teengirls.jpg, Bonsall said. Further review found "daddyanddaughter" chat and Web site visits to online arenas pandering to incest fantasy.

"We quickly went into a huddle with the lawyer and human resources," Bonsall said. It was soon determined that the executive's behavior went far beyond simply violating the company's code of online conduct, but could be indicative of criminal activity. "We had enough evidence to believe this guy's daughter was in danger," he said.

Local law enforcement was called in, and after looking at the pornography stored on the executive's computer, the decision was made to contact his family.

Although the daughter apparently was not molested, the exposure of the executive's secret online existence led to both a divorce and job termination.

"Abusive chat is growing," Bonsall warned. MassMutual now blocks online chat entirely.

Bonsall added that it's important to keep online pornography out of the workplace because it can lead to lawsuits from those finding it offensive. "You have to be able to avoid 'hostile workplace' lawsuits related to porn," he said.

Use of Internet-monitoring gateways that can block access to Web sites is a good practice, Bonsall said. But once an investigation begins, it's important to realize that litigation might follow, so a methodical approach is needed.

"We see business areas trying to launch an investigation themselves in order not to air their dirty laundry," Bonsall said. But MassMutual's security department, which includes 28 security professionals, strives to coordinate any major investigation by naming a technical lead and a manager deemed responsible for coordinating action associated with the incident.

Mark Lobel, senior manager in the security and privacy services group at PricewaterhouseCoopers, warns that network executives and their staffs should not conduct investigations on their own when they suspect unauthorized activity like pornography because laws prohibit prying into the affairs of others. Going it alone can backfire - and even result in the would-be investigators getting fired, he says.

Taking control

Belz Enterprises, a Memphis, Tenn., real estate firm, is among the organizations that have taken steps to reduce the chances of employees abusing their network privileges. The company uses Websense's Internet-monitoring appliance to block access to certain Web sites, says James Rhodes, network manager.

"We've had quite a few people trying to go to various porn sites," he says.

With an estimated 400,000 commercial Web sites dedicated to pornography, it's difficult to block access entirely. In addition, companies are finding that popular peer-to-peer networks such as Gnutella and Kazaa, despite their legitimate uses, are a growing channel for pornography distributors and a potential source of corporate network misuse. A recent General Accounting Office (GAO) report found that peer-to-peer networks have become a huge venue for child pornography. Using a dozen keywords such as "pre-teen" on Kazaa, the GAO and the Customs Department's CyberSmuggling Center found that 42% of the 1,300 titles and file names returned in the search were associated with pornographic images of children.

Rhodes tells how a marketing director at the real estate company once put thousands of pictures of buildings and malls into a Kazaa shared directory for all the peer-to-peer world to see. Almost immediately, the corporate network was flooded with search requests. "They thought they had found a motherlode of porn," Rhodes says. "He had 85 people downloading from the server. He just didn't know better."

Belz now blocks peer-to-peer use among its 3,900 employees with the Websense appliance.

Healthcare services company Ulster-Green ARC in Kingston, N.Y., uses St. Bernard Software's iPrism appliance to monitor 800 employees' Internet use. John Knowlton, director of IT, says blocking access to pornography doesn't necessarily make the problem go away.

In spite of the iPrism blocking, which shows employees a warning that the site is off-limits, people keep trying. Each blocked attempt is logged and included in a report, because it constitutes unacceptable Internet use.

"These records are generated on a daily basis and sent to the one who approved the Internet access to begin with," he says. Another summary statement is e-mailed biweekly to the boss of the managers who got the initial reports. That way, accountability for dealing with porn or other problems is spread up the chain of command through checks and balances. While the IT department has responsibility to monitor Internet use, the procedure makes clear that management must play a leadership role.
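The two-tier reporting chain Knowlton describes, as an added illustration that is not code from the article or from the iPrism product: blocked attempts are rolled up daily for the manager who approved each user's access, and every two weeks for that manager's own boss. The log format, usernames and the approver/boss directory are constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of a blocked-request log (not the iPrism format):
# date, username, category, URL
BLOCK_LOG = """\
2003-05-05 jdoe adult http://blocked.example/a
2003-05-05 jdoe adult http://blocked.example/b
2003-05-06 jdoe adult http://blocked.example/c
2003-05-06 asmith p2p http://p2p.example/share
2003-05-12 jdoe adult http://blocked.example/d
2003-05-19 jdoe adult http://blocked.example/e
"""

# Hypothetical directory: who approved each user's Internet access, and
# that approver's own manager (the second escalation tier in the article).
APPROVER = {"jdoe": "mgr_ops", "asmith": "mgr_mkt"}
BOSS = {"mgr_ops": "vp_ops", "mgr_mkt": "vp_mkt"}

def parse_log(text):
    """Yield (date, user, category, url) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        day, user, category, url = parts
        yield date.fromisoformat(day), user, category, url

def daily_reports(text, day_iso):
    """Blocked attempts on one day, keyed by the approving manager."""
    day = date.fromisoformat(day_iso)
    report = defaultdict(lambda: defaultdict(int))
    for d, user, category, _ in parse_log(text):
        if d == day:
            report[APPROVER.get(user, "unknown")][(user, category)] += 1
    return {mgr: dict(v) for mgr, v in report.items()}

def biweekly_summary(text, start_iso):
    """Fourteen-day rollup addressed to each approver's own boss."""
    start = date.fromisoformat(start_iso)
    end = start + timedelta(days=14)
    summary = defaultdict(lambda: defaultdict(int))
    for d, user, _, _ in parse_log(text):
        if start <= d < end:
            mgr = APPROVER.get(user, "unknown")
            summary[BOSS.get(mgr, "unknown")][(mgr, user)] += 1
    return {boss: dict(v) for boss, v in summary.items()}
```

The biweekly rollup deliberately drops the URLs and keeps only counts per manager and user, which is what the escalation tier needs to see that the first-line manager has been acting on the daily reports.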

"You look at someone, and you wouldn't think they'd be into porn," Knowlton says. "A lot of people do these things at work because the business can afford the bandwidth for it."

Tips for dealing with network misuse
Do:
- Have a corporate acceptable-use policy and make employees sign it.
- Consider using Internet-monitoring equipment, such as that from Palisade Systems, St. Bernard Software and Websense.
- Inform employees if they will be monitored.

Don't:
- Try to play private eye by yourself — call in help from legal and human resources.
- Ignore suspected problems — they could put your organization in legal jeopardy.
- Neglect to use monitoring equipment if it's in place.
