Logging and monitoring can be a form of bullying, and make for lousy infosec

Many information security practices use surveillance of users' activities. Logging, monitoring, observability – call it what you will, we have built a digital panopticon for our colleagues at work, and it's time to rethink this approach. The flaws of surveillance-based infosec are already appreciated. The European Court of …

  1. Anonymous Coward

    Insider threat is more nuanced than yes/no to monitoring

    As someone who’s worked on dedicated insider threat teams for large organisations before, I’ve got mixed feelings on this article.

    Justin really should have included some details around scope of user event logging and what he considers excessive rather than keeping it intentionally vague. Logging of user activity is a fundamental part of maintaining the security of your environment, and the devil is in the details when it comes to “too far”, which the article sadly lacks. It’s a far cry from logging workstation activity and DLP events to always-on microphone and webcam tracking software. Employees deserve privacy and respect, which means conversations about the scope of corporate device monitoring are sorely needed which can break the issue down, not articles which broad-brush it as “monitoring can feel like bullying so let’s not do it”. That’s not how you deal with risk.

    Normally love your work Justin, but this isn’t quite it.

    1. jpwarren

      Re: Insider threat is more nuanced than yes/no to monitoring

      Thanks for reading it!

      Dr Michalak says, near the end of the article in the "do this instead" section: "Have you been transparent with people about what is being done and why it's required, and do the people you want to monitor consider it to be reasonable, or excessive?"

      That's all I'm arguing for. Talk to people about what your plans are and explain it so they're part of the solution. Don't just sit in an ivory tower and impose your will on people. I don't say "never monitor anything". I say with great power comes great responsibility.

      1. canthinkofagoodname

        Re: Insider threat is more nuanced than yes/no to monitoring

        Appreciate the clarification :)

        Before reading any further, I would like to state emphatically that I am (personally) whole-heartedly against UBM as a matter of principle (privacy, healthy workplace etc.). Professionally however...

        For me, the main point of confusion was (to my eye) the conflation between L&M (typically system focussed, traditional infosec rather than the broad-church of "Cyber") and UBM (very much people focussed). It's an important distinction to make, particularly for folks that are not tech inclined or lack the industry experience necessary to understand the difference.

        Even with that distinction in mind, not all UBM solutions are equally evil; some are quite benign. I have seen UBM solutions that monitor pretty much everything you do (time in certain apps, websites visited, give managers remote view access to your desktop etc.) (pretty nasty); I've also seen solutions whose sole purpose is to remind you to take a break when you've been at your desk for longer than 1hr. Hardly on the same level.

        The context in which this applies matters too; would something like the nasty UBM solution above really be considered unreasonable or viewed as a form of bullying in the context of Highly Classified Gov networks? Or an R&D environment for a Defence Prime for example? At what point does the user's perspective matter more or less than the sensitivity of the system or information they work with?

        It's also easy to focus on the negative aspects of these solutions (privacy invasion, lack of trust etc.); for Insider Threat, Hunt, even IR teams, these solutions can be invaluable. Most folks would rather catch the threat early and limit the damage, rather than be stuck investigating the fall-out.

        To reiterate, personally I am on board with what you're saying in the article, but professionally I think there are valid use cases for these solutions, and sometimes (here come the down votes haha) that means giving your users' feelings on the matter a lower weighting.

      2. Anonymous Coward

        Re: Insider threat is more nuanced than yes/no to monitoring

        OP here, Thanks Justin - definitely agree with the transparency and candour with end users and that any sort of monitoring has actual outcomes which match up to information security (particularly if the monitoring is being sold to the organisation as a “cyber” tool). If there’s no trust in the process and the position of IT security teams, then the whole thing falls apart.

      3. amanfromMars 1 Silver badge

        Re: Insider threat is more nuanced than yes/no to monitoring

        That's all I'm arguing for. Talk to people about what your plans are and explain it so they're part of the solution. Don't just sit in an ivory tower and impose your will on people. I don't say "never monitor anything". I say with great power comes great responsibility. ...... jpwarren

        And, jpwarren, whenever there is no solution for you to have any meaningful part to play in their plans, what do you expect will be the explosive outcome, for it will be at least revolutionary and diligently troublesome whenever anyone/anything thinks the following unilateral type actions will not deservedly result in fundamentally radical change? ........ The World Order Has Changed... Here's What It Means For Your Net Worth

        Times and spaces have changed and nothing today in this era of 0days is ever going back to way things were being run yesterday ..... for the exclusive benefit of an unworthy choice few. To think otherwise is to be not thinking at all and to know practically nothing about virtually everything that is presently confronting you on multiple fronts. And that makes one a soft target and easy prey to that and those in the know.

  2. benry

    Spot on

    I wish more businesses would take an inward glance at what they're doing and how they're treating staff. I've had the misfortune of working at a couple of places where the monitoring was over the top and absolutely would be considered bullying.

  3. Anonymous Coward

    Being surveilled at work is normal

    Don't like it? See ya!

    Paranoia makes for good security

    Trust no one. Everybody lies.

    Try living near Canary Wharf in east London - the most surveilled piece of real estate in Europe!

  4. Anonymous Coward

    Somebody is confusing their hurt feelings and "offended" nature with the needs of the business.

    Sorry to disappoint you. The rest of us have been warning you kids that the concerns for "your feelings" ended at high school, at the very latest.

    The world. does. not. care.

    1. My-Handle Silver badge

      I agree, it doesn't.

      Do you think it should?

      Caring doesn't necessarily have to mean bending over backwards to not offend every nitwit who's looking for a reason to be offended. But it should mean conducting yourself (or any enterprise you might control) in a manner that is considerate of others' welfare. It takes a little forethought, but surprisingly little effort.

  5. scubaal

    Yes and no

    Hmm,

    I think the issue is *excessive* monitoring and logging.

    Having spent many decades in the public sector I can tell you that we have a 'duty of care' to all employees.

    That includes making sure they are in a safe workspace.

    Which is why we log web access and make sure everyone knows we do.

    Yes - I'm talking porn.

    Every year a couple of public servants are sacked for accessing porn in the workspace.

    If we didn't log/review that and action it, *other* employees would (rightly) complain about their work environment.

    Heck - a UK MP just resigned for porn in the workspace.

    So logging to ensure appropriate/ethical/legal use of work resources - yes.

    Continuous spying on all activities - no.

    I would also add that any user-specific investigation has to be signed off in writing at an extremely high level and is undertaken in confidence, to protect the IT folks from being pressured by a random exec to 'take a look at X'.

  6. amanfromMars 1 Silver badge

    Welcome to Our Worlds Say the Spiders to the Flies and the Scorpions to the Frogs/Logs to Spooks*:-)

    One must always be super careful if tasking oneself, and especially so if being tasked on behalf and at the behest of relatively anonymous A.N.Others, whenever surveilling anything, in whatever form in any matter, unusually strange and gloriously entangled/odd and complex discovered/uncovered/thought/imagined to be communicating and freely sharing extremely sensitive, above top secret type information and advanced intelligence with multiple nodes and myriad intermingled internetworking chunnels in those work, rest and play spaces of the Live Operational Virtual Environment because ...

    To be in any way effective in mentoring what you will be monitoring there, and which you will know/should know, for you have previously seen how very easily it has been simply done, is going to have a real physical effect and create an almighty presence on Earth, does require that you fully enter and immerse yourselves in those new worlds being monitored by that and those not in any position of surveillance command and remote virtual control of that which they will encounter and have to successfully counter in order to make any discernible impact.

    * ...... https://en.wikipedia.org/wiki/Log_Lady

  7. Great Southern Land

    There's a difference.....

    .... Between Monitoring and Surveillance.

    I used to work for a Government Department, where unauthorised access to client records was punishable by dismissal, if you were lucky, and criminal prosecution if you were not. It was well known that the department was logging all access to client records, and this was enough for the majority of the 20,000+ staff to do the right thing. This is MONITORING.

    SURVEILLANCE (and potentially BULLYING) is when the system reports how often your computer is idle, how often the screen is locked, how many phone calls you made or answered today, how many forms you processed, etc..... and when the results of the report are used to justify disciplinary action against the worker. The worker usually has no access to the report data, won't necessarily remember a day's work 1-2 weeks ago, and if he/she is called in to the manager's office, the onus is usually on the worker to explain the discrepancies, not the manager/organisation. It cannot be assumed that poor results on their own mean a poor worker, but all too often that's what management assumes.

  8. wayneinuk

    It seems to me that we need an element of monitoring right at the top i.e. in the Houses of Parliament, even on BYODs!! It might save some jobs!

    1. amanfromMars 1 Silver badge

      What the Holy FCUK ??????

      I have been told although it is difficult to believe, and it would be nice if it can be categorically confirmed, that the bods in the Houses of Parliament have some sort of unholy agreement with that and those who really should know better, that has them specifically exempt from Security and Secret Intelligence Service surveillance/monitoring.

      I cannot quickly think of anywhere anywhere else more likely to thoroughly abuse and misuse the opportunities that such an arrangement would present.

      Of course, maybe Parliamentarians are falsely led to believe such an exemption is afforded to them and thus are they at the mercy of those services and masters which are presumed to protect them whenever they choose to falter and abuse the national trust.

      However, if that be the case, I’m not at all impressed by what they be doing with anything they may know of others nesting in Parliament with secrets and indiscretions to hide.

      In all honesty, IT is all in a Quandary and a bit of a Bugger's Muddle.

      1. amanfromMars 1 Silver badge

        Re: What the Holy FCUK ??????

        I have been told although it is difficult to believe, and it would be nice if it can be categorically confirmed, that the bods in the Houses of Parliament have some sort of unholy agreement with that and those who really should know better, that has them specifically exempt from Security and Secret Intelligence Service surveillance/monitoring.

        Hmmmm? That statement, and I have assumed that there are at least a few El Reg commentators who would certainly know for sure, has remained too long here unanswered. It is a simple enough question though requiring a clear enough Yes or No or Sometimes Occasionally or Occasionally Often answer, so it does have one a’pondering and a’wondering.

        Is it supposed to be sort of a Top Secret State Secret expected covered by the Non-Disclosure Agreement perpetuated by the likes of an Official Secrets Act?

  9. andy gibson

    "Does watching staff 24x7 really make things more secure?

    No, according to a researcher at a major UK university, who asked not to be identified."

    I'm always wary of people with something to say, but too embarrassed to put their name to their work or their opinion.

  10. LittleBobTable

    I always have it in the back of my mind that managers are an "overhead" - an administration cost that is applied to anything produced. If all the workers went on holiday for a day: nothing is produced that day. If a manager goes on holiday for a day: all/most of the work gets done.

    I have found that a good manager normally works in reverse of what is thought of as a manager: If I have a problem that's stopping me from progressing, it's their job to sort it out so I can do my job. That should be their aim: to make you as productive as possible.

    Timesheets are my pain. Whenever I ask why, "for reporting" is always the response. So I estimate how long something takes then I record time against my estimate. If it takes longer than my estimate - am I late or was my estimate wrong?

  11. Sherrie Ludwig

    Work system spying?

    If you are afraid of the work laptop you took home seeing and hearing all you do, could basic tidying-up be your friend? Once you have completed the work, close the laptop, and put it back in a well-padded carrying case. Preferably in a safe, out-of-the-way corner of your abode, to keep it from damage. Hard to spy when the inside of a bag is the view, and hard to hear anything short of explosions from a very well padded bag (add more, like your paper files near the mic, just to be extra "protective"). Just protecting the employer's asset, sir.

  12. Antron Argaiv Silver badge

    Work laptop spying?

    Most folks I know have a piece of paper over their camera when not actively conferencing. I have never been asked to remove mine, but if that did happen, I would refuse.

    Otherwise, I assume everything I type or view is being logged, and I'm fine with that. It is their laptop after all.

    When WFH, I have a second system for personal use, and a dedicated room for work, so none of my personal conversations are audible to the work machine (whose microphone is muted when not in use).

  13. Anonymous Coward

    I asked a top manager about staff surveillance

    When COVID was in full swing and we were firmly established working from home, I asked one of the top managers in our dept, who looks after around 200 staff. He said, "Any manager or company who thinks staff surveillance is the answer is terrified of their own worth. If you have to spy on your own staff then you're either a very lousy manager or working for a very lousy company full of lousy people. I don't see any of that here and I don't think it has any place in our company. We have to trust staff to work on their own, we're all adults and can be trusted, and if it fails then we have HR and guidelines to help resolve it, as there could be some other unrelated issues going on. For example, someone is in a domestic abuse situation and they can't work properly; then we need to help them on that, not spy on and abuse them more. Short answer is no spy software on my watch."

  14. tiggity Silver badge

    I'm all in favour of logging / monitoring of what I do at work

    e.g.

    a) web sites I visit, including malware scans

    b) Internal machines I attempt to access

    c) Emails

    d) Port opening / access

    a - I'm only going to look at work related sites on my work machine, but logging useful as e.g. say I web search for information, and click through to a result that looks fine but turns out to be a malware site then automated scan has a chance of catching that (plus the logging will show an "innocent" visit to malware page)

    b - If I have somehow got zero day malware on my machine it might do all sorts of things to infect the network, pull down extra malware, communicate etc (so linking to a and d also potentially). So logging this sort of thing useful for malware spotting

    c - text content only to be human inspected if a valid reason as often contains confidential data, but definitely automated malware scans of email as a must have as even if you are super careful nothing to prevent A N Other sending you a nasty.

    What is not appropriate is e.g.

    logging of all keystrokes (amount of typing / wpm <> amount of work, lots of software dev / design work is "thinking time", many a bug hunt involves very little typing, e.g. lots of code inspection, the main typing is just opening a file, lots of page down as read it, open another file etc. )

    my camera activated without me knowing it (privacy, not just me - in a WFH scenario may be another family member walking past or doing something they don't want seen by all and sundry e.g. breastfeeding )

    recording when my PC is "sleeping" during working hours (a bit like the typing thing - thinking time does not mean typing or any interaction with PC, so a sleeping PC does not equate to no work - indeed to avoid pointless teams "pinging" locking the computer often the only way to get a bit of peace and quiet to contemplate a problem without interruption)
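As an added example (not tiggity's code, nor anything from the article), here is what the system-focused monitoring in items (a), (b) and (d) above looks like as detection logic, run over constructed proxy and connection-log lines rather than real data. Findings are keyed to the workstation, not the person, and the only user-level lookup is gated behind a written approval record, in the spirit of scubaal's sign-off rule earlier in the thread. The log formats, the known-bad domain list, the fan-out threshold and the shape of the approval record are all assumptions made for the example.

```python
"""Host-focused detection over constructed proxy/connection logs.

Added example, not code from the original page. Log formats, threat-intel
list, thresholds and the approval-record shape are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real data).
# Assumed proxy format:      <ts> <host> <user> <dest_domain> <action>
# Assumed connection format: <ts> <src_host> <dst_host> <dst_port>
PROXY_LOG = """\
2024-05-01T09:01:00 ws-17 alice docs.example.com ALLOW
2024-05-01T09:02:10 ws-17 alice updates.example.net ALLOW
2024-05-01T09:04:55 ws-42 bob cdn.badsite.invalid ALLOW
2024-05-01T09:05:01 ws-42 bob login.example.com ALLOW
"""
CONN_LOG = """\
2024-05-01T09:10:00 ws-42 fileserver-1 445
2024-05-01T09:10:01 ws-42 fileserver-2 445
2024-05-01T09:10:02 ws-42 hr-db 1433
2024-05-01T09:10:03 ws-42 build-01 22
2024-05-01T09:10:04 ws-42 build-02 22
2024-05-01T09:10:05 ws-42 printer-3 9100
2024-05-01T09:15:00 ws-17 fileserver-1 445
"""

KNOWN_BAD_DOMAINS = {"cdn.badsite.invalid"}  # assumed threat-intel feed (item a)
FANOUT_THRESHOLD = 5  # assumed tuning value: distinct internal hosts per source (item b)


@dataclass(frozen=True)
class Finding:
    host: str    # the workstation, deliberately not the user
    reason: str


def parse_proxy(text):
    """Parse the assumed proxy format into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, dest, action = line.split()
        events.append({"ts": ts, "host": host, "user": user, "dest": dest, "action": action})
    return events


def parse_conn(text):
    """Parse the assumed connection-log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append({"ts": ts, "src": src, "dst": dst, "port": int(port)})
    return events


def detect(proxy_events, conn_events):
    """Return host-level findings: known-bad web visits and internal fan-out."""
    findings = []
    # Item (a): a click-through to a known-bad site, reported as a host event.
    for e in proxy_events:
        if e["dest"] in KNOWN_BAD_DOMAINS:
            findings.append(Finding(e["host"], f"contacted known-bad domain {e['dest']}"))
    # Items (b)/(d): one workstation reaching many distinct internal hosts/ports
    # in the window is the network footprint malware would leave, not a
    # productivity metric.
    fanout = defaultdict(set)
    for c in conn_events:
        fanout[c["src"]].add((c["dst"], c["port"]))
    for host, targets in sorted(fanout.items()):
        distinct_hosts = {dst for dst, _ in targets}
        if len(distinct_hosts) >= FANOUT_THRESHOLD:
            findings.append(Finding(host, f"reached {len(distinct_hosts)} distinct internal hosts"))
    return findings


def drill_down(proxy_events, user, approval):
    """Return one person's browsing only when a written approval names them.

    `approval` is an assumed record such as {"user": "bob", "approved_by": "CISO"};
    without it the lookup is refused rather than quietly performed.
    """
    if not approval or approval.get("user") != user or not approval.get("approved_by"):
        raise PermissionError(f"no written approval on file for user-specific lookup of {user}")
    return [e for e in proxy_events if e["user"] == user]


if __name__ == "__main__":
    for f in detect(parse_proxy(PROXY_LOG), parse_conn(CONN_LOG)):
        print(f.host, "-", f.reason)
```

Run as-is it reports two findings, both against ws-42: the known-bad visit and the six-host fan-out, while ws-17's ordinary day produces nothing. The same data could trivially be re-keyed by user to count sites per person or idle gaps, which is exactly the step this example declines to take: the aggregation is the policy.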

  15. trindflo Bronze badge

    Rearrange this paragraph and it answers itself

    The European Court of Justice (ECJ) recently found that mass surveillance of the population was an unjustified intrusion into privacy, even when the goal is to combat serious crime. Why, then, do we consider it reasonable to implement invasive surveillance to address the flawed computer systems we choose to use?

    We consider it reasonable to implement invasive surveillance *because* courts found that mass surveillance of the population was an unjustified intrusion into privacy.

    If our government can't get away with doing it themselves, they can look the other way then purchase the forbidden fruit from private aggregators.
