What's the last piece of software you'd expect to spy on you? Maybe your enterprise security suite? Bad news Enterprise security, analytics, and hardware management tools - the very tools used to keep data safe - are collecting and sharing far more information than customers might think. So says the team from ExtraHop, an analytics firm that studied the networks of its customers and found that in many cases their security and …
Agreed. It should be defined.
And, in general, management / other employees shouldn't be able to read your email, although there may be extenuating circumstances, such as if you are long term sick or on extended leave and your emails/documents need to be checked to ensure the smooth running of the business. But, again, that needs to be defined in the IT guidelines, which you receive when starting at the company.
On the other hand, we often get paranoid users saying that they are sure management are reading their email. We then politely point out that management doesn't have enough time in the day to do that...
Or the BOFH anyswer, we could look at your emails, if we wanted to, but they are too boring for us to bother...
Every place I've worked makes it very clear. {insert mantra here.} But, then I work in places that have to comply with industry infosec standards--which make it very clear that there have to be clear policies--one that users must sign off on--annually--with annual training. In fact, I'm so used to this that t hadn't occurred to how many lame companies might well be out there.
In theory, I too work for a firm and in an industry that gets pretty close regulatory attention. We're pretty big (between 1000 - 10,000 users) and we STILL don't have an AUP or sane, properly communicated user-level security policies. No doubt there's enough small print in everyone's employment contract to cover the situation where, e.g., they decide they want to get shot of someone and go fishing through their mail for some kind of justification. (Of course, that would never happen in real life. Oh no.)
Our policy makes it clear that anything we do on IT equipment and services provided by the company is not private. We are allowed reasonable personal use, but it's monitored and certain events (such as file uploads to non-company web server - we trust but verify) generate an alert that is then investigated.
I don't mind because I get the alerts and do the investigating, but I've had to remind a few people that there is monitoring and, while their personal use is perfectly acceptable and I'm not going to gossip about their personal lives, they might not be comfortable with me knowing everthing I've seen.
For our smartphones, the policy is no third party apps, no private data on company phones and no company data on private phones.
For email, we are warned that we can use the company account for private emails, but we have to remember that in an emergency a supervisor can be given temporary access to the account to retrieve business critical emails.
That said, the company also tends to set up departmental accounts for important functions, such as purchasing, sales etc.
Ours is similar.
We have a mandate to archive, in a manner that is immediately accessible, all email for all time. Right now we have ~28 years worth. We are warned that all email is discoverable (legally) and that you should not use work email for personal reasons (common sense there). Supervisors are routinely given access to worker email for one reason or another.
Not in the EU then I assume? As GDPR states you shouldn't keep info for longer than needed. So if you were in the EU and I'd emailed you 5 years ago, I could technically do a SAR request on all emails containing my name and then a Right To Be Forgotten request to ask you delete those.
If not in EU and not dealing with EU people then can ignore what I've just written.
It applies to the data you, I mean a Data Controller, was holding at the time GDPR came into force, if that's what you mean. So stuff you collected without a GDPR-compliant "lawful basis" is now in breach, yes. (I'm not a lawyer but that's my understanding.) Yes I realise this puts probably 9/10 orgs into breach immediately.
"As GDPR states you shouldn't keep info for longer than needed"
If the company has contracts with the government, especially military contracts, "needed" is forever. The same might apply to any high tech company that must track purchases and materials for the life of the products they sell. Think aerospace/aircraft. That's also at least decades.
Best thing is to not use your company supplied tech for personal business. If your supervisor notices you're sending out resumés, you may need that new job sooner than you wished.
> I could technically do a SAR request on all emails containing my name and then a Right To Be Forgotten request to ask you delete those.
You could, but were your emails from a business address to me at a business address or personal/private address...
GDPR, like many things, seems simple but the devil is in the detail.
This
Don't access personal accounts at your job.
Should be ammended to
Don't access personal accounts at your job using company owned computer or network equipment.
By all means (during permitted breaks) use your own phone (and data allowance) to read your own emails. Don't use the company WiFi.
Then everything you do is separate from the company and is outside their permitted snooping.
Usually you sign an IT document stating that they can read all the email and web traffic you do at work.
However in this case they're also talking about stealing corporate information too - trade secrets, patient records (*cough* HIPAA *cough*), that sort of thing. About that corporations will care...
In the US, if you're using company equipment, then your employer can legally look at everything that you do on that equipment. This is also usually explicitly spelled out in your employment agreement.
This is why you should never use company equipment (including the company network and internet feed) for personal use or communications, ever. I use my smartphone (on my own data plan) when I have to do any personal stuff at work.
You're correct. A sufficiently bent admin would simply take a snapshot of a domain controller and a snapshot of the email server....and restore them both onto a new, isolated network. Then its simply a matter of resetting your password, logging in as you, and reading all of your personal email. Once the admin has what they were looking for its a trivial matter to delete these vms and you'll never know that your account was accessed because the system event logs never reached your company's log server.
On the other hand, this is the best method to use if you have a complicated update or change scenario to implement. You simply clone all of the necessary pieces onto a separate, isolated network and you can then run through the process, documenting every little thing. You won't have to translate computer names, ip addresses, service account names from your test environment when writing the change documentation because you're using copies of the actual systems.
This is why you should never use company equipment ... for personal use or communications, ever.
This is why I have my own personal toilet bowl next to my desk for personal use. Since I don't have personal flushing water, I tend to leave my turd there after used.
For some reason, all my colleagues looks funny when they come to my desk. Not to mention, management had decided to move my desk closer to the restroom...
/joke
This is why you should never use company equipment (including the company network and internet feed) for personal use or communications, ever.
Well, I'd say for personal use that you care whether it is intercepted by work.
For example, I read the register from my work desktop daily, or catch up on the news via typical news sites on slow days. I don't care if my employer sees that.
And sometimes if I read something interesting while at work, e.g. an article on VPNs, or a good place to buy Pi accessories, something I wouldn't want to be accessing on company resources, I'll use my work email to send to my personal email that link for further use when at home, since I can't access personal emails at all on work equipment (webmails are all blocked, can't connect to external mail providers, etc., this is why I find the Registers use of email as a means of reporting errors in stories unusable, as I can't access personal email at work, and I won't use work email for that, and I'm not so keen as to revisit it once I get home from work to then use the corrections email link).
I don't care if my work sees those.
But I don't use work to access porn, or politically sensitive sites (e.g. wikileaks), or streaming sites (netflix, youtube, etc.), or things I have to login to with accounts I care about like online banking, or social media, or gaming sites, (most of everything I've just mentioned, except banks, are all blocked at the proxy server anyway).
But for general news browsing/reading, including account logins to news sites if I decide to comment? Bleh, work can see that.
Most* company proxy intercepts for encrypted traffic will exclude sensitive sites such as banks and NHS websites etc.
Oh yes, my employer claims this as well - and you can check it by seeing the certificate chain for the website you are on, as if it is intercepted, there'll be the organisations proxy server certificate in the chain. However, this is a pain to do repeatedly, because even if when you first went to the banking site the certificate chain checked out, you'd have to check it every single time to make sure they haven't changed that rule, and that would become old real fast.
Also, it's not just the proxy that could get your details, since you are using a work laptop, there could be a corporate keylogger or other monitoring software (the biggest threat to corporations is inside exfiltration rather than an external hacker) running for security, so even though the comms might be secure, the desktop isn't.
So best not to risk it really. But if I desperately need to access something like my bank account from work, I can use my personal phone instead, or pull my personal tablet out of my bag and use that. Which hopefully is a rare event :)
"For example, I read the register from my work desktop daily, or catch up on the news via typical news sites on slow days. I don't care if my employer sees that."
Fair enough. But you're still taking a risk -- it's awfully hard to predict what an employer may get upset about!
Personally, the less my employer knows about me outside of my work-related activities, the better.
What rights does an employee have over the data slurped from their company laptop?
A company should publish the 'IT bill of rights' to warn the employees. Once that done, most of the time an employee has no rights. If this is a company laptop, then the company has any right over the data inside. There are few limitations if the data are explicitly marked as private/personnal in some countries but that's it.
Be smart, don't do personal business on a company laptop. Everyone has a smartphone now.
They spy because they need to explain, annotate your search queries and sell theses explanations to advertisers. AI explain search quires internally, you own these explanations, you decide what to do with them.Search engines, like Google and FB, can go to the hell! You don't need them anymore, this is AI.
On the other hand, this is far from universal practice.
I've been working on enterprise security software for various companies for a long time now, and none of the companies I've worked for engages in any form of telemetry or phoning home for any reason. The security risk is too great. Instead, the standard practice has been to keep reasonably detailed logs on the customer's machines, and supply a utility that the customer can run to collect the data from the logs to supply to us when needed.
That way, the customer can review the data being sent, and must proactively engage in sending the data to us. This is an extremely important security measure, and I personally wouldn't trust any security software that does otherwise.
Once upon a time, in a faraway land, our employer had a dodgy little box secreted away under a set of stairs.
It was connected to the PABX and recorded quite a lot of stuff.
Until one day the box blew up and it was brought out to the workshop for a technician to fix.
The technician did quite a lot of sniffing around and discovered the full extent of the bosses eavesdropping.
Pretty soon everyone in the building became aware of this and were very careful about dissing the boss over the phone.
Then we all lived happily ever after.
After all it's not there to "secure" anything, but give people the feeling they made a sensible contribution to security without having to understand the problem at all. People don't buy such products because they actually do anything, they buy such products because they come with advertising they can cover their asses with if something did happen.
Used to delete Avast's cookies so they couldn't spy, but of course they keep being re-applied. The information is already down wind even when deleting cookies. However even that is suspect now, because Avast's corporation bought out Piriform, the makers of CCleaner. Now I have to put up with popup advertising again, and probably now CCleaner spies on me.
Avast was supposedly good about ending that phone home feature as long as you bought the software - not sure about that, but it did end the pop up ads. I don't plan on buying CCleaner anytime soon, so you have to put up with that when using free software - I suppose it is only fair. Once Malwarebytes became an anti-virus, I had to ditch Avast - MBAM was the only AV/AM worth buying in my estimation, so now that is my only AV solution. The line between viruses and malware is so thin, it isn't worth the distinction anyway.
The line between viruses and malware is so thin, it isn't worth the distinction anyway.
Umm. I'm not sure how to break this to you, but in coloquial usage in the industry "virus" is a synonym for "malware". The former has a bunch of unfortunate associations that are a handy tool for figuring out whether the person you're talking to knows anything about security. If someone tells you "My machine has been infected by a virus", they're not a security person.
I'm a little confused as to how this could happen in an enterprise (the usual users of enterprise software), or even anything bigger than 20-employee business. Well, excluding cloudy SaaS services, as you get what you deserve there.
Surely there are no outbound ALLOW rules on your firewalls and proxy servers that would allow this to happen? I mean, the usual config is DENY ALL, then provide an enumerated whitelist (source address to destination address:port+protocol)of what is allowed out. Therefore for such software to talk home, the enterprise would have to explicitly configure their firewall to allow the explicit source devices to communicate to the explicit external addresses, therefore these products can only phone home with the explicit consent of the organisation (by configuring the firewall to allow the outbound communication).
Yes, you're right. But one rule you will almost always find is
Any user device to destinationTCP ports 80,443 on any destination IP address.
Often this can, and does, go through a proxy, but that's not always the case. And even if it is, the proxy is normally looking for malicious stuff coming back, rather than strange traffic going out.
Errm, no, any any enterprise I've worked in I've never seen that.
No user device is allowed access out through the firewall. Every user advice has to authenticate to the proxy server before being allowed to use the proxy server.
Although, thinking about this, if you use some sort of SSO/Kerberos type system, especially through AD, then you end up with the 'computer' being authenticated for that user login, so any comms from that computer are authenticated against the proxy server. Therefore any software running on that computer can access the proxy. And those proxies are usually blacklist based (allow all destinations unless you are going to a naughty site). Whereas organisations not using SSO, where, for example, if you fire up your browser you have to enter your credentials into the browser session, therefore only that browser session is authenticated, as opposed to anything on the computer, would be more secure in this case. However, more of a pain in the arse to use as a user.
Still, even in that case, I'd expect the IT Security team to notice the pattern - all desktops keep accessing some specific targets, and add those targets to the blacklist and start a whack-a-mole process.
I think what they really want you to do is buy their "Real-Time Analytics for Performance Monitoring and Network Security, Backed by Machine Learning" platform...
There is an interesting Gartner report on Network Traffic Analysis, but Forbes/ExtraHop do a reasonable summary of the five takeaways.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
