Policies


Acceptable-use policies for employees are the starting point for managing insider risk. The company must define what constitutes the acceptable use of corporate computer resources, and employees must be made aware of these policies (and ideally should acknowledge that they have been made aware).

Policies provide a framework for investigations by defining what actions can be investigated. They can provide consent to search and monitoring (depending, of course, on other applicable laws).

Without policies in place, the organization might find it impossible to punish or terminate an employee. The employee can successfully argue that there was no explicit rule prohibiting a certain conduct, and absent that, the organization has no right to punish him or her for those actions.

Acceptable-Use Policies

Acceptable-use policies should cover obviously illegal activities such as the circulation of copyrighted or obscene material. By stating explicitly that the company will not tolerate the illegal use of its computers, the company distances itself from a single employee's misconduct.

The policy should also cover activities that might not be illegal per se but that might expose the company to liability. For example, the policy should cover threatening or harassing emails. There have been cases in which a company was held liable for sexual harassment when an employee either displayed sexual material in an office or cubicle (such as a calendar) or downloaded such material in a public area. Some courts have ruled that allowing such conduct was instrumental in creating a hostile environment and that the company was responsible for creating that environment because it did not immediately act to prevent such conduct when it was made aware of it.

On the other hand, the policy should not state that everything on an organization's computer is the property of the company. If an employee does have illegal or harassing materials on his or her computer, the organization does not want to acknowledge ownership of that material.

There is a question as to whether the policies should state that the equipment is to be used for official use only or that occasional personal use is permitted. If the company chooses to prohibit all personal use, it might find the following:

  1. Employees will ignore the prohibition.

  2. The policy might be held to be worthless if the company is aware that employees are ignoring it.

It might be useful in this context to view computer equipment as similar to telephones. Most companies allow occasional use of company telephones for personal business (for example, to call a daycare center or to make dinner reservations). When told that the phones are primarily to be used for business purposes and that any personal use cannot interfere with business, employees are more willing to accept such a policy.

Some corporations have adopted severe measures regarding personal use of computers, especially the use of web browsers. There are a number of reasons why a company might want to restrict web access:

  1. The company does not want its name linked to certain web sites. When an employee visits an inappropriate site, the IP address might be recorded, and the company might not feel it is in its best interest from a public relations point of view to have its name linked to that site.

  2. A site might be labeled as inappropriate for some reason. The company might feel that there is no legitimate business reason for an employee to visit that site during business hours.

  3. The company might be concerned about productivity and lost time and might not want employees engaging in certain activities (including gambling, online trading, or buying personal articles) during business hours.

A policy should address these items. Some companies employ filtering software to help monitor and block certain sites; others leave it up to local managers. As previously stated, absent these policies, the incident response team might be severely hamstrung when it is called on to conduct an investigation into these actions.

Acceptable-Use Policies

Generalizations in policies can sometimes backfire because there often are exceptions. In a previous job, one of the authors managed a service that did Internet monitoring. A new employee was being briefed concerning the corporation's standards of conduct overview and was briefed on the company's acceptable-use policies. During the briefing, the company official stated, "You are free to visit or view any Internet site, provided there is a business reason to do so. However, there is no contract at [this company] that requires anyone here to ever visit playboy.com." The employee raised his hand and asked about his job, which involved investigating sites that other people might have visited. The official quickly stated, "I forgot about you guys, but there's no other contract that requires anyone else here to ever visit playboy.com."

One of the downsides of this particular policy is that the company chose to enforce it by blocking certain web sites at the proxy server. Employees who did have a legitimate reason to visit certain sites had to use dedicated computers that bypassed the company network and firewall. Although blocking software might be appropriate, the full impact should be considered prior to implementation.

Email Usage

Another part of the acceptable-use policy is the use of corporate email. Again, like a telephone, a company can choose to restrict email to business use only or can allow occasional personal use.

The policy should, however, address activities that are strictly prohibited, such as the sending of threatening or harassing emails. Circulation of chain letters and jokes might be prohibited if an organization feels they waste either time or bandwidth. If the organization is concerned about potential liability, the incident response process should be prepared to conduct an investigation and should know how and where to look to collect evidence and information.

Encryption

Every organization should also have an explicit policy dealing with the use of encryption. If the company provides encryption products for business use (probably a good idea, especially for people traveling with laptops), the policy should state that the keys are the property of the company and that the individual can be forced to provide them if necessary. The policy should also express the company's right to search encrypted files and volumes at any time.

Any other encryption, provided by the employee, should be prohibited. The encryption policy should prohibit the use of unauthorized encryption and should state that the employee can be forced to provide the keys. Failure to provide encryption keys or the use of unauthorized encryption products could result in termination. This topic is discussed in more detail in Chapter 9, "Forensics II." Without an explicit policy addressing the use of encryption, the team might find it impossible to collect evidence or to compel the employee to provide the keys.

Searches and Monitoring

Under U.S. law, a number of conditions can legitimize a search. For example, law enforcement can obtain a search warrant. Certain officials are permitted to search in limited circumstances to remove a threat to the public (for example, firefighters can break down a door if there is smoke coming from a room to which the door provides access). In any case, individuals can always give their consent to a search.

As part of a company's policy, the employees should be told that the organization for which they work has the authority to conduct searches (overt or covert) of their computer equipment at any time. The employees must consent to this search as a condition of employment. By obtaining consent to search at the time of employment, the individuals are aware that they can be searched and thus will have no expectation of privacy.

In a similar fashion, employees should be told that the organization for which they work has the right to monitor any and all computer activity and communications. As with searches, there is a limited set of circumstances in which communications can be monitored. Service providers are allowed to monitor communications for the purpose of maintaining and improving service. It is unlikely that monitoring web content fits under this distinction. However, by obtaining advance consent, the issue becomes moot.

The policy should state that the company might monitor any and all communications but is not obligated to do so. This will protect (or at least help protect) the company if unauthorized activities occur on the network and the company fails to detect them. The condition in which the company is aware of the activities and fails to address them is discussed in the liability section later in this chapter.

Unauthorized Activities

Finally, the acceptable-use policy should cover network and computer activities that are unauthorized. These might include actions that might introduce vulnerabilities into the infrastructure. For example, sharing of passwords or logins should be prohibited. This section should also address password choices. Not only will this help users in choosing and using strong passwords, it also will help in investigations. If a particular activity can be tied back to a login, for example, it is far more difficult for the user to deny the activity if the alternative is to admit to giving out his or her password.

The policy should also address the use and installation of unapproved applications and software. There are two major issues at hand. First, unapproved software can introduce technical vulnerabilities into the system. It could be infected by a trojan or could modify the network in some way (say, for example, by opening a particular port) that increases the vulnerability of the local computer or network to internal or external attack. Second, this software might be unlicensed. If there are licensing issues and the company fails to address them, it could be held liable for the unauthorized use.

The policy should also prohibit activities such as attempting to access other computers (both within the network and outside), port scanning, network mapping, and so forth. In conjunction with good intrusion-detection software around critical servers, this policy can help mitigate insider risk. If it has been explicitly banned, then any detection of scans or multiple login attempts on the network can trigger an immediate alarm and investigation. In addition, the company has enormous liability if its systems are used to illegally access outside networks. The use (and possibly possession) of hacker tools by anyone in the company (except people in the security organization) should be proscribed and should be grounds for disciplinary action.
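The passage above makes the point that once scanning and repeated login attempts are explicitly banned, detecting them can trigger an alarm rather than a judgment call. The following is an added example, not code from the book, of the kind of check an incident response team could run over its own logs: two simple rules applied to constructed sshd-style authentication failures and iptables-style firewall drop lines. The log formats, the hostnames and addresses, and the thresholds (five failures in 60 seconds; ten distinct destination ports in 30 seconds) are assumptions chosen for the example and should be tuned to the environment.

```python
"""Flag repeated failed logins and port-scan-like activity in log text.

Added example; the log lines below are constructed, not taken from any real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines: one source fails against several accounts in
# a few seconds, another host has a single, unremarkable failure later on.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for alice from 10.0.5.23 port 51000 ssh2
2024-03-01T09:00:04 sshd[102]: Failed password for alice from 10.0.5.23 port 51001 ssh2
2024-03-01T09:00:07 sshd[103]: Failed password for root from 10.0.5.23 port 51002 ssh2
2024-03-01T09:00:09 sshd[104]: Failed password for bob from 10.0.5.23 port 51003 ssh2
2024-03-01T09:00:12 sshd[105]: Failed password for carol from 10.0.5.23 port 51004 ssh2
2024-03-01T09:00:15 sshd[106]: Accepted password for dave from 10.0.7.8 port 52000 ssh2
2024-03-01T09:30:00 sshd[107]: Failed password for dave from 10.0.7.8 port 52001 ssh2
"""

# Constructed iptables-style drop lines: one source walks ports 20-35 on a
# single host over 16 seconds; a second source trips one drop much later.
SAMPLE_FW_LOG = "\n".join(
    [f"2024-03-01T10:00:{i:02d} kernel: DROP SRC=10.0.9.4 DST=10.0.1.10 PROTO=TCP DPT={20 + i}"
     for i in range(16)]
    + ["2024-03-01T10:05:00 kernel: DROP SRC=10.0.7.8 DST=10.0.1.10 PROTO=TCP DPT=445"]
)

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) kernel: DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)"
)


def detect_failed_logins(log_text, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source address when `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # src -> (timestamp, user) of failures still in the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue                # accepted logins and unrelated lines are skipped
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        q = recent[src]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()             # slide the window forward
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"rule": "repeated_failed_logins", "src": src,
                           "count": len(q), "users": sorted({u for _, u in q})})
    return alerts


def detect_port_scans(log_text, min_ports=10, window=timedelta(seconds=30)):
    """Alert once per (source, destination) pair that touches `min_ports` distinct ports in `window`."""
    recent = defaultdict(deque)   # (src, dst) -> (timestamp, port) of drops still in the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["src"], m["dst"])
        q = recent[key]
        q.append((ts, int(m["dpt"])))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}   # count distinct ports, not raw hits
        if len(ports) >= min_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "port_scan", "src": key[0], "dst": key[1],
                           "distinct_ports": len(ports)})
    return alerts


def run_detections(auth_log=SAMPLE_AUTH_LOG, fw_log=SAMPLE_FW_LOG):
    """Run both rules and return the combined alert list."""
    return detect_failed_logins(auth_log) + detect_port_scans(fw_log)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both rules alert once per offending source so that an investigation is opened rather than the same alarm being repeated for every packet; the sliding window keeps a slow, legitimate pattern (one failure at 09:30) from accumulating into an alert. Run on the constructed input, the script reports one repeated-failed-login alert for 10.0.5.23 across four accounts and one port-scan alert for 10.0.9.4 against 10.0.1.10.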

Login Banners

Login banners should be a major ingredient in any company's use policies. These banners can remind users that the system is to be used for business purposes only and that accessing the system constitutes consent to monitoring.

There is some doubt as to the actual effectiveness of login banners as an awareness measure. Because users see them every day, they might come to ignore them. If the banners are made more intrusive (for example, a pop-up box that the user must clear before proceeding), even that can become routine. Unauthorized access might bypass the login entirely. However, a login banner that explicitly states that the system is for official use only and that use of the system implies consent to monitoring greatly increases the organization's ability to assert that a given user exceeded his or her authorization by accessing the system.

There is at least one case in which a Welsh cracker claimed he was unaware that access to the system was prohibited because no explicit warning was given on entry. The judge in that case ruled against the defendant, but this line of defense could be invoked by future attackers because there are no clear precedents. [5]

[5] www.cnn.com/2001/TECH/internet/07/06/hacker.fbi/index.html

There is a story that frequently circulates in security forums and at conferences concerning the wording of login banners. In the early 1980s, VMS systems announced "Welcome to . . . ." The story goes that a cracker penetrated the system and protested that he was authorized because the login "welcomed" him. Supposedly, the charges were dismissed. Variations of this story abound, but details are scarce. The author has it on good authority that this is simply an urban legend.

Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103