The Sydney Morning Herald recently published an article about IT snooping people’s emails (http://www.smh.com.au/it-pro/business-it/email-snooping-it-admins-like-dracula-in-charge-of-the-blood-bank-20120413-1wxnu.html). Whilst I found this to be an interesting article, I don’t think they went far enough on the subject matter so I decided to expand on it a bit. I also think that the article was sponsored by Earthwave in order to sign people up to their services…:)
The focus of this article is thus Cyber-Surveillance. The immediate takeaway is: don’t do anything on your work PCs that you consider personal or confidential.
When you started a job in almost any Australian workplace, you will almost certainly have signed some form of surveillance agreement which provides your employer the right to observe and audit your computer usage. This has been a requirement since Australia introduced some of the world’s most stringent privacy laws around 15 years ago. You will have signed the form because otherwise you wouldn’t have your job. That essentially means that you have granted your employer the rights to completely unrestricted surveillance of everything you do on their equipment. Everything. Every last thing.
Most people think that company surveillance is there to stop people from downloading porn or copyrighted material, but it goes much further than that. The main thing your employer is trying to prevent is “Data Leakage”. Data leakage refers to company data being transmitted away from the company without authorisation. This may include:
- Emailing out company secrets
- Copying company data on to removable media (USB drives, DVDs, etc.)
- Transferring company data over The Internet
- Installing unauthorised logging or surveillance software on one or more PCs
In order to do this, they will monitor everything done on company equipment and there is nothing you can do that they can’t see. The following are the techniques that companies can (and probably will) use to protect themselves from litigation or data loss:
- End User Admission/Access Control
- Proxy Log monitoring/reviewing
- Random Email checks/keyword checks
- Data Leak Protection
- Direct Access
- SSL Offload and Rewrite
- Data Mining
Before I continue, I want to make it perfectly clear that I don’t think Australian employers are out to spy on their staff. Data leakage is a real problem for some companies; it’s not uncommon for someone to try to download the entire customer base and history before moving on to a competing company; and trade secrets are even more valuable. Browsing porn is not only wrong, it also opens up a company to sexual harassment lawsuits if someone else sees it and objects (that happened right at the start of my career and it cost a senior executive at one of Australia’s largest insurance companies his job, because he didn’t think the rules applied to him and liked his girly background). Finally, companies can be liable for illegal content being downloaded over their links or on to their equipment.
Let’s cover some of the different techniques that organisations use.
End User Admission/Access Control
EUA software is what has replaced traditional antivirus and is there to ensure that other techniques remain effective. Most security vendors offer software that allows the employer to ensure that staff don’t modify their PCs in any way. They introduce Antivirus, Firewall, Content Filtering and Data Leak Prevention (DLP) to the local PC. With correct configuration, the network will refuse the device access (or quarantine it) if the device’s EUA software is not up to date. EUA is more of a passive defense to ensure that other techniques remain effective.
Proxy Log monitoring/reviewing
In most organisations, absolutely all Internet activity is tracked and logged. Nothing you do on The Internet is secret and if you do something wrong, you will likely be caught. Logs are used with Data Mining techniques to discover patterns and wrong-doing.
Random Email checks/keyword checks
If you read the link at the top, you will know that IT has access to your Emails. Beyond that, since the release of Microsoft Exchange 2010, your team leader can be given the easy ability to search through all his team members’ emails. Nothing in Email is private; never ever send anything personal through work Email.
Data Leak Protection
DLP is a fairly new technique utilising both Firewalls and EUA to track and prevent sensitive information from leaving the company by using Data Mining and similar techniques. DLP will look for things like keywords, attachment sizes and other aspects to intercept and quarantine any suspect material before it leaves the company. DLP is extended through the use of EUA and Direct Access to ensure that it works at the workstation level as well as through the network and the servers.
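To make the keyword and attachment-size checks concrete, here is a small outbound-mail rule sketch. It is an added example, not taken from any DLP product; the company domain, watch terms, size threshold and sample messages are all constructed assumptions.

```python
import re
from typing import NamedTuple

COMPANY_DOMAIN = "example.com"          # assumption: the organisation's mail domain
KEYWORDS = ("confidential", "customer list", "price book")  # assumption: watch terms
MAX_ATTACH_BYTES = 5 * 1024 * 1024      # assumption: 5 MiB of attachments per message


class Message(NamedTuple):
    sender: str
    recipients: tuple
    subject: str
    body: str
    attachment_sizes: tuple = ()        # size in bytes of each attachment


def external_recipients(msg):
    """Recipients whose domain is not the company domain."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN]


def keyword_hits(msg):
    """Watch terms found in the subject or body, matched on word boundaries."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return [k for k in KEYWORDS if re.search(rf"\b{re.escape(k)}\b", text)]


def evaluate(msg):
    """Return (verdict, reasons); only mail leaving the company is inspected."""
    if not external_recipients(msg):
        return "allow", []
    reasons = [f"keyword:{k}" for k in keyword_hits(msg)]
    total = sum(msg.attachment_sizes)
    if total > MAX_ATTACH_BYTES:
        reasons.append(f"attachments:{total}")
    return ("quarantine" if reasons else "allow"), reasons


# Constructed sample messages, not real traffic.
SAMPLES = [
    Message("a@example.com", ("b@example.com",), "Confidential plan", "internal only"),
    Message("a@example.com", ("x@other.test",), "Lunch", "See you at noon"),
    Message("a@example.com", ("x@other.test",), "fyi", "Full customer list attached",
            (6 * 1024 * 1024,)),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, evaluate(m))
```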
Direct Access
Direct Access was introduced by Microsoft with Windows 7 to provide greater security and manageability to workstations. DA leverages traditional SSL (encrypted Internet access) to ensure that company devices can be monitored and managed whenever and wherever they are online. Before DA, people had to rely on cumbersome IPSec clients to connect through to the workplace and only used them when they needed them. DA does the same thing but it is embedded into the Operating System and is “always on”. This means that companies can enforce policies and surveillance whether the device is on-network or remote. It can be a pain to set up initially but it is one of the greatest innovations to system management in years.
SSL Offload and Rewrite
This is one of the latest techniques used and possibly one of the most insidious. People think that when they go to encrypted websites (https://whatever.com) they are secure and private. Whilst this is essentially true, it may not be true when you are on a work PC. SSL offloading is not new; it’s been used for years to scan incoming traffic for threats. Modern Firewalls (or IPS units, load-balancers, proxies or similar) are able to strip off encryption and scan for threats before data hits their servers. Recently, security experts realised that the reverse could be used to survey encrypted user traffic. This requires the insertion of a certificate into the “Trusted Root Store” of the users’ PCs but its existence allows the company to seamlessly and tracelessly survey any encrypted traffic that goes through that PC. This includes Internet Banking, so if you have used online banking at work, you might want to change your passwords since your employer may know them as well (not to mention your balances and transactions). There are some questions about the ethics of using these techniques but the truth is that people that really want to do the wrong thing know enough to use encryption when they are stealing data.
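Because a rewriting proxy re-signs each site's certificate under the root that was inserted into the trusted store, the issuer the browser sees differs from the one the site presents elsewhere. The added example below (not from the original post) compares the issuer against one recorded earlier; the host name, issuer names and both certificates are constructed placeholders in the layout Python's `ssl.getpeercert()` returns.

```python
import socket
import ssl

# Assumption: issuer organisations recorded for a site from a network you control.
EXPECTED_ISSUERS = {"bank.example": {"Example Public CA"}}


def fetch_cert(host, port=443):
    """Return the validated leaf certificate as ssl.getpeercert() reports it."""
    ctx = ssl.create_default_context()  # trusts the OS root store, added roots included
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Issuer organizationName, falling back to the issuer commonName."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")


def check(host, cert, expected=EXPECTED_ISSUERS):
    """Compare the issuer seen now with the issuers recorded earlier."""
    known = expected.get(host)
    seen = issuer_org(cert)
    if known is None:
        return "unknown-host", seen
    return ("expected" if seen in known else "issuer-changed"), seen


# Constructed certificates: the same site as seen from two different networks.
CERT_HOME = {"subject": ((("commonName", "bank.example"),),),
             "issuer": ((("countryName", "AU"),),
                        (("organizationName", "Example Public CA"),),
                        (("commonName", "Example Public CA G2"),))}
CERT_WORK = {"subject": ((("commonName", "bank.example"),),),
             "issuer": ((("organizationName", "Corp IT Security"),),
                        (("commonName", "Corp Proxy Root"),))}

if __name__ == "__main__":
    print(check("bank.example", CERT_HOME))
    print(check("bank.example", CERT_WORK))
```

On a live machine, pass `fetch_cert(host)` as the `cert` argument; an "issuer-changed" result can also mean the site legitimately switched certificate authority, so it is a prompt to look closer rather than proof of interception.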
Data Mining
Data Mining is actually the review process of all the data collected by other methods to determine malfeasance. Tools like Arcsight or Splunk can be used to collect data from hundreds of sources and collate them into usable information. The problem with surveillance is that there is too much information and important incidents can slip through the cracks. Data Mining uses forensic tools to determine when and how an incident has occurred.
You’ve probably seen a theme here. The tools and techniques employed for surveillance all build on each other to ensure complete coverage and protection for organisations. In a properly secured organisation, virtually nothing can be done without the company either preventing it, knowing it or finding out about it. Your work infrastructure is there for work; smartphones and high-speed mobile links are cheap and easy to get. If you are going to do something personal (whether it is as innocuous as Facebook or as private as online banking), do it on your own equipment with your own data link. Use your work PC for work and your personal device for personal stuff.
Do your own research and understand your exposure and liabilities before you use your work equipment for personal items.
Hi,
As the author of the Sydney Morning Herald article I can assure you the article was not paid for in any way by Earthwave.
I am likely to do a follow up considering the response it has received from blogs like yours and SAGE-AU http://www.sage-au.org.au/sage-au-concerned-purported-email-ethics-issues-0.
Regards,
Ben Grubb
Hi Ben,
Sorry to imply that your article was anything less than upright; that was meant to be a bit tongue in cheek. Consider this reply to be my endorsement of your skills as an excellent technical journalist; I always read and enjoy your columns and encourage others to do so as well.
Regards,
Michael