Need to Investigate an Employee? Read This First

Written by Gideon J. Lenkey
5/14/2012 25 comments

Your company’s employees use the Internet for all sorts of super-cool, productivity-enhancing things, like... well... doing their jobs, mostly. With a little bit of socializing and entertainment mixed in for good measure, of course.

But every so often one will wander over to the dark side of the Internet and do something that puts your company or other people at risk. Something like malicious hacking, stalking, viewing illegal pornography, manipulating stock prices, and threatening or extorting other people. Remove the shackles of polite society with a little bit of Internet anonymity and some people turn to the dark side faster than you can say “Emperor Palpatine.”

Now, sometimes you won’t have to do anything in these matters. Some very polite and well-dressed folks from the FBI will arrive at your office one day and demonstrate the finer points of data forensic techniques, such as computer disk image acquisition.

Your liability in these matters will vary greatly, depending on what your employee did. You’re not really responsible if your employee was threatening the President via Facebook on company time or belongs to a terrorist organization such as the DMV. But if your employee was stalking someone or stealing sensitive information from your customers or other employees, you may have a real mess on your hands. Consequences include, but are not limited to, brand damage through bad publicity, financial penalties levied by governing bodies, and third-party lawsuits from your employee’s victims.

Even if law enforcement shows up to inform you of your employee’s alleged evil ways, you’ll want to conduct an investigation of your own to better understand what happened. This will no doubt involve a forensic analysis of the subject’s computer hard drive.

For most companies, the need to conduct a forensic analysis of one of their own computer hard drives is a rare occurrence. Over time, however, it is a likely one: more a matter of “when” it will happen than “if.”

The responsibility for conducting the internal investigation will vary as much as the reasons why it must be done. But one thing is for certain: If you haven’t done it before, you’re likely to make a few common mistakes.

You’ll want to think the process through end to end, involving all the players. Consider multiple common scenarios, such as: law enforcement knocks on the door, IT reports an incident involving an employee that may have legal repercussions, a news van pulls up in the parking lot.

Any given case will involve a lot of different people in your company, such as HR, legal, PR, audit, compliance, executive, and of course, IT. You should know in advance which parts of an investigation will be handled internally, which will be outsourced and to whom, and about how much it will cost. Depending on the size of your company and the maturity of your internal security program, you might also consider conducting a practice exercise in which a hypothetical incident is handled end to end.

The problem with doing or even managing something complicated but infrequent, such as an internal investigation, is that each time you attempt it, it can be like starting over, like doing it for the first time again. By practicing it you’ll not only uncover potential “gotchas” but also make handling the actual incident a lot easier when it happens.

You should also review your company’s policies regarding acceptable computer use. I have recently observed a trend of employees utilizing anti-forensic tools such as “Evidence Eliminator” in an effort to frustrate any future analysis of the system. This, of course, is done in the name of privacy. However, it goes well beyond what is required for personal privacy by destroying data artifacts useful in retracing a user’s steps in an investigation. Use of such utilities or techniques should be prohibited by policy and should be, I think, cause for dismissal if used to wipe a company machine prior to or during an investigation.

There are plenty of ways to ensure personal privacy without wiping company property -- taking care of your personal business on your own time, for instance.

Employers should also not rely solely on the computer hard drive to reconstruct a user’s activity. Network-based detective controls such as proxies and centralized log servers should be used to help keep a record of users’ actions on the Internet while at work. As an employer, you could be held liable or suffer the consequences of what your employees do on the Internet while at work, so it’s a worthwhile effort to understand and manage it.

— Gideon J. Lenkey, co-founder of Ra Security Systems

smkinoshita
Thinkernetter
Thursday January 24, 2013 11:15:20 PM

@StaceyE:  That's another can of worms, depending on HOW the monitoring is handled.  Sometimes once a company gets on a device, it can be difficult to set limits to where it can go.

StaceyE
IQ Crew
Thursday January 24, 2013 2:21:34 PM

@smkinoshita: I think if an employee brings their own device to access the company's network, it would be subject to the same rules/monitoring as it would be if they were using the company's PC. However, if someone is on their smartphone in the breakroom looking at something inappropriate (via their OWN data service) that should be a different story.

nimantha.de
IQ Crew
Tuesday May 29, 2012 10:33:39 AM

Well, IMO predicting the future is not that easy right now. You have to analyze carefully. On your point, taking preventive action is a good thing, but unfortunately even for that you can't predict at once.

Ombra
Rank: Cave Painter
Wednesday May 23, 2012 7:00:39 PM

I know one company which hired an SA who failed to indicate he was currently under prosecution and was eventually found guilty of unlawful access to govt databases. Even after, the company would not take action to remove the individual. Individual was given probation by the court and the company viewed the individual as some form of IT security expert. Access was through use of a subordinate's account. In short, the company saw it as a benefit / leverage over the employee.

Even investigating an employee has limitations and liabilities which the company needs to consider. Generally, they are not trained law enforcement in legal investigative techniques and have extremely limited investigative authority. I believe personal accounts and credentials (whether that is FB, banking, or other social networks) are a personal privacy right. There are free proxy servers which companies can use to block sites or protocols even in the smallest IT environments. Asking for their credentials, because the company did not prevent unauthorized access, is lame and, as it is "personal," a violation of their legitimate expectation to privacy.

cjon316
IQ Crew
Tuesday May 15, 2012 4:31:23 PM

If you are hiring a bunch of white collar hackers, don't be surprised when they hack you. 

If you hire a bunch of ladies from the red hat society, don't be surprised that they may attend meetings where red hats are worn.

cjon316
IQ Crew
Tuesday May 15, 2012 4:29:40 PM

When you know  you're being watched by cameras, we all have a tendency to accept this as standard security policy.

What are the ramifications if the employees are doing something illegal with company computers?

Kim Davis
Thinkernetter
Tuesday May 15, 2012 2:40:29 PM

I'm interested by this apparent consensus that password-protected personal data becomes company property if someone logs on using a workplace network.  I'm not sure what the courts have said about that; I'd be interested to hear from attorneys.

Does this include banking information, for example?  Personal email accounts?  Phone directories? What if someone uses their own device, but the company's wireless network? And how does it sit with the notion that employers should not be able to demand passwords - at least in that situation, you know you are handing over the keys.

Mary Jander
Thinkernetter
Tuesday May 15, 2012 1:54:12 PM

Agreed that trying to predict whether an employee might turn into a crook is a guesstimate. A company may have a perfect record of employee good behavior; then someone could step out of nowhere to ruin it.

That said, if a company has had a record of criminal employees -- or even of employees who violate the rules repeatedly -- then something is wrong with the hiring process, and it may be possible to estimate the likelihood of insider malfeasance occurring again.

kq4ym
IQ Crew
Tuesday May 15, 2012 1:42:42 PM

Determining blame during any such investigation will result in time-consuming defense actions and expensive fees to lawyers, security analysts, experts and more.

The problem may be just how much "preventive" action should take place before any breach happens? What's the cost benefit ratio and what are the probable odds of such events happening to your company? It's all a crap shoot basically. Predicting the future and guessing how much should be spent on prevention is just a wild guesstimate.

mtechie
IQ Crew
Tuesday May 15, 2012 8:48:02 AM
Oh, and don't put anything on the net you wouldn't want to see on the front page of the New York Times, and certainly not during business hours.  Big Brother may be busy, but you can bet Little Brother's looking over your shoulder.


Exactly! Monitoring software is very sophisticated these days and can extend to your social media profiles as well. Recording is often covert and can be triggered by certain actions or set to record everything.