
Deadpete

User monitoring


Hi folks,

At our site, we have a user with seriously risky behavior. The user has frequently been visiting web pages with infected content, and has also plugged in infected flash drives on a couple of occasions. Up till now, ESET has blocked the dangerous content, but it's just a matter of time until something very unpleasant gets through. Telling the person to stop doesn't seem to be very helpful.

Monitoring users is quite a sensitive area, but the company policy is that there is no right to privacy when using company equipment or other company resources. Private use is strictly prohibited, and this is part of the employment conditions.

My question is whether there are some means of logging user behavior in the ESET packages. In our case, it's mostly logging of web browser traffic (visited URLs, not contents) and use of USB drives that would be valuable, at least to get a picture of what is going on (illegal cryptocurrency mining or what). Key loggers, screen dumps and the like are going too far at this point.

Best regards,

Peter


I assume that you're after an EDR solution. We've unveiled ESET Enterprise Inspector recently for monitoring networks for suspicious operations and responding to suspicious ones by killing processes and blocking particular files within the company.

Currently it's available only for bigger customers but later we plan to make it available (maybe in a lighter form) for SMB as well.



Short of a technical solution, if I were in your position, I (and the employee's Manager/Supervisor) would be in touch ASAP with your HRG (Human Resource Generalist). Seems to me, as it is a condition of employment, some sort of "Progressive Discipline & Behavior Management/Modification" is in order as the behavior demonstrated is not acceptable and not meeting expectations. Of course, I trust the employee has been given appropriate coaching and the expected expectations well explained and stated very clearly to him/her.

And as always, document EVERYTHING. The rule of thumb is if it isn't documented, it did not happen.

Regards,

Tom

38 minutes ago, Marcos said:

I assume that you're after an EDR solution. We've unveiled ESET Enterprise Inspector recently for monitoring networks for suspicious operations and responding to suspicious ones by killing processes and blocking particular files within the company.

Currently it's available only for bigger customers but later we plan to make it available (maybe in a lighter form) for SMB as well.


Hi Marcos,

Thanks for your input. In this case, it's not really what I'm after. It's not a large network, there are not a lot of users, and keeping an eye on network traffic does not need very advanced tools. At the moment, I am more in need of some tools to log what a particular user is up to.

Best regards,

Peter

33 minutes ago, TomFace said:

Short of a technical solution, if I were in your position, I would be in touch ASAP with your HRG (Human Resource Generalist). Seems to me, as it is a condition of employment, some sort of "Progressive Discipline & Behavior Management/Modification" is in order as the behavior demonstrated is not acceptable and meeting expectations. Of course, I trust the employee has been given appropriate coaching and the expected expectations well explained and stated very clearly to him/her.

And as always, document EVERYTHING. The rule of thumb is if it isn't documented, it did not happen.

Regards,

Tom

Thanks for your input Tom. I am grateful for the reminder about documenting everything. I have informally told the person in question that I don't like the behavior, and that it poses a serious risk. The response seemed to be uninstalling some "incriminating" browser plugins (harmless by themselves) and accessing the content by other means. With this type of avoidance reaction, I'm afraid only solid proof (in the form of browser and USB logs) can get the person to stop. If at all...

Best regards,

Peter


As far as removable media device access goes, that can and should be controlled by either:

1. Group Policy settings: http://woshub.com/how-to-disable-usb-drives-using-group-policy/

or alternatively:

2. Eset Device Management settings: https://help.eset.com/eea/7/en-US/idh_config_devmon.html

As far as restricting user web access capability, that again can and should be restricted using Eset's Web Control feature: https://help.eset.com/ees/7/en-US/idh_config_web.html?idh_page_setting_parental.html


Peter, stay on top of it. State clear expectations "formally" (and again DOCUMENT it).

Do not dance around; if you do, nothing will change (and your position will then be on the line).

Build your case carefully, but make it expedient as it's not a matter of if something bad will happen, but how soon will something bad happen. It WILL happen.

It sounds like a small business, but if there is any Union organization there and you have a working relationship, after talking with HR (or the owner), you might consider involving them to gain some leverage and buy-in.

I've been there and done that dozens of times.

It's never easy, but sometimes you have no choice.

Good luck,

Tom


There is some good free software out there for viewing browser history logs and USB access logs.

I'd just make sure that keeping browser history is enforced via GPO (if you can). Then they can't delete the logs after each use, keeping you blind to their activities. While you're at it with the GPO, lock down the browsers so they can't install extensions/add-ins.

You could also lock down (via ESET Device Control) exactly which USB keys they're allowed to use (down to serial number, but as broad as make or model). I'd also look to disable booting from USB via the BIOS, and lock the BIOS with a PW (if you can boot to USB you can run Tails or some such with no IT visibility).

And like Tom said... document, document, document... Talk to your boss, make sure you're in the clear for the 'watching'.

Is this user an Admin on the computer in question?

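As an added example (not code from this thread, from ESET, or from the linked articles), the PowerShell below audits one Windows endpoint for the controls the two posts above describe: the removable-storage Group Policy (or the disabled USBSTOR driver), the USB storage devices Windows has recorded (the make, model and serial a Device Control rule would key on), and Chrome policies that keep history undeletable and block extension installs. The registry paths and policy names are the ones the Group Policy templates write; Chrome as the browser in use is an assumption.

```powershell
# Added example (not from the thread or from ESET): audit one Windows endpoint
# for the controls suggested above. Registry paths are those written by the
# Group Policy ADMX templates; Chrome is assumed to be the browser in use.

function Get-RemovableStoragePolicy {
    # "All Removable Storage classes: Deny all access" writes Deny_All = 1 here.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $pol -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    # The linked article's alternative: USBSTOR driver disabled (Start = 4).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $svc -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        DenyAllRemovableStorage = ($denyAll -eq 1)
        UsbStorDriverDisabled   = ($start -eq 4)
    }
}

function Get-SeenUsbStorageDevices {
    # Windows keeps one subkey per USB mass-storage model ever attached
    # (Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>) with one child per serial.
    # The output gives the make/model/serial needed for a Device Control rule.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($model in Get-ChildItem -Path $root) {
        foreach ($inst in Get-ChildItem -Path $model.PSPath) {
            [pscustomobject]@{
                Model        = $model.PSChildName
                # Instance IDs end in "&<n>"; strip that to get the bare serial.
                Serial       = ($inst.PSChildName -replace '&\d+$', '')
                FriendlyName = (Get-ItemProperty -Path $inst.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

function Get-ChromeHistoryPolicy {
    # Chrome policies: keep saving history, forbid the user from deleting it,
    # and block every extension install ("*" in ExtensionInstallBlocklist).
    $pol = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $bl = Get-ItemProperty -Path "$pol\ExtensionInstallBlocklist" -ErrorAction SilentlyContinue
    $allBlocked = $false
    if ($bl) { $allBlocked = [bool]($bl.PSObject.Properties | Where-Object { $_.Value -eq '*' }) }
    [pscustomobject]@{
        HistorySavingEnabled   = ($p.SavingBrowserHistoryDisabled -ne 1)
        HistoryDeletionBlocked = ($p.AllowDeletingBrowserHistory -eq 0)
        AllExtensionsBlocked   = $allBlocked
    }
}

Get-RemovableStoragePolicy
Get-SeenUsbStorageDevices | Format-Table -AutoSize
Get-ChromeHistoryPolicy
```

Run it before and after applying the GPO or Device Control rules to confirm they actually landed on the machine; the device list doubles as a record of which drives have already been plugged in.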

Yeah, as mentioned above, there are programs you can use for logging. Does your company have a USB policy? A lot ban USBs from home and taking work ones out to avoid loss/infection.

As mentioned, speak to HR and warn the person that failing to comply could lead to dismissal. Remember no antivirus solution is 100 percent, and so users going to risky sites etc. could put your company in danger, e.g. ransomware.

For the reason mentioned above I would also make sure you have a good routine backup system in place. Also make sure to inform staff about the dangers of things such as social engineering, getting them to sign things to cover you.


Hi folks,

This topic seems to have caught the interest of quite a few. I sincerely value the input from everybody. The problem has got many facets, both technical, and human.

There are not many users in this work group, and I know everybody personally. In a small group, you must have a high level of trust that everybody behaves responsibly. Many years ago, I tried being restrictive: blocking USB ports, keeping track of flash drives, logging web access, logging mail communications, etc.

It was a small success with the office workers, where a certain amount of abuse was detected and promptly acted upon. With the engineering staff, however, it turned out to be quite counterproductive. The users were unhappy, and I was bogged down with elementary tasks. It turned out to be efficient to give each user administrative privileges on their own local computer. Some of the software is updated fairly frequently, and being too restrictive would have quite an impact on productivity. Until recently, that was never a problem. Naturally, data is compartmentalized, where only bits and pieces are shared, and most data stays "private", according to the individual work position of each user.

But now, simply put, I have got to handle a user that has started to misbehave seriously. I need to collect information that maps and documents what is going on, either through ESET, or by some other software. The findings will eventually be reported to the management.

Implementing appropriate restrictions, either/or by GPOs, ESET, and other means, will emerge from the decisions that will be taken.

Best regards,

Peter


Peter, with all due respect, if you have not informed Management already, you have made your 1st mistake. If something REALLY BAD happens, you'll be the 1st to be blamed. One, for not informing Management when you knew of a weakness/threat, two for not resolving the issue before all hell broke loose and three for not informing Management (again).

"I know everybody personally" ... does not matter as far as YOUR job security is concerned. Will they (your co-workers) replace your paycheck:D? Me thinks not.

Don't be a lone wolf in this situation, show Management you are informed and SHARING information with them. Otherwise I can guarantee it WILL bite you (hard) in the butt if and when something does happen. And if nothing does happen, Management will think you are a good employee because you kept them informed and are protecting their interest.

I only have 40+ years of experience, so take my advice with a grain of salt.

Regards,

Tom

7 hours ago, TomFace said:

Peter, with all due respect, if you have not informed Management already, you have made your 1st mistake. If something REALLY BAD happens, you'll be the 1st to be blamed. One, for not informing Management when you knew of a weakness/threat, two for not resolving the issue before all hell broke loose and three for not informing Management (again).

"I know everybody personally" ... does not matter as far as YOUR job security is concerned. Will they (your co-workers) replace your paycheck:D? Me thinks not.

Don't be a lone wolf in this situation, show Management you are informed and SHARING information with them. Otherwise I can guarantee it WILL bite you (hard) in the butt if and when something does happen. And if nothing does happen, Management will think you are a good employee because you kept them informed and are protecting their interest.

I only have 40+ years of experience, so take my advice with a grain of salt.

Regards,

Tom

Hi Tom,

In this case I don't agree with you. Every organization is different. If you are in a large organization, there are (hopefully) a bunch of formal instructions and directives on how to handle cases like this. There are formal rules on how to open a surveillance case, and how to handle the whole process.

In my case, I'm appointed to take care of the day-to-day IT operations, which includes "policing". If I contacted management without evidence, or with very scant evidence, I would probably be told not to bring slander. It could also end up with the person in question being fired on the spot. Both outcomes are very unfortunate. If I collect solid evidence of abuse, the reaction will be very swift. If the person in question steps into line and starts to behave responsibly, so much the better. Then there's no case, and nothing has happened.

I also have decades of experience in this business, but not from large organizations. Also, I guess the different viewpoints we have are based on local habits and customs.

Best regards,

Peter


I guess, in this case, we agree to disagree.

I wish you good luck.:)

Regards,

Tom

7 hours ago, Deadpete said:

Hi Tom,

In this case I don't agree with you. Every organization is different. If you are in a large organization, there are (hopefully) a bunch of formal instructions and directives on how to handle cases like this. There are formal rules on how to open a surveillance case, and how to handle the whole process.

In my case, I'm appointed to take care of the day-to-day IT operations, which includes "policing". If I contacted management without evidence, or with very scant evidence, I would probably be told not to bring slander. It could also end up with the person in question being fired on the spot. Both outcomes are very unfortunate. If I collect solid evidence of abuse, the reaction will be very swift. If the person in question steps into line and starts to behave responsibly, so much the better. Then there's no case, and nothing has happened.

I also have decades of experience in this business, but not from large organizations. Also, I guess the different viewpoints we have are based on local habits and customs.

Best regards,

Peter

Unless you mention vaguely what you suspect and then tell them you are checking; that way they are kept in the loop.

One problem with people having too much admin access is that it can lead to privilege escalation. As itman has mentioned, maybe try to limit what certain users can do.

5 hours ago, itman said:

If not already done, since you are allowing users to run as limited admins, I strongly recommend that their software installation privileges be restricted via Group Policy: https://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

Thanks for your input itman.

Been there, done that. As I stated previously, this bunch of people needs an unrestrained environment to work efficiently. That does not imply total freedom, however. Access to shared resources is very restricted for this group. The problem here is that one single user is violating company policy by using company resources to access (potentially hazardous) web sites that have nothing to do with the work position. Also plugging in non-approved USB drives with infected files is part of the problem. Restricting software installation privileges will probably just irritate legitimate users, as this is not really a part of the problem.

I will at least implement restrictions on USB drives for now, as they are an excellent carrier of malware.

Best regards,

Peter

6 hours ago, TomFace said:

I guess, in this case, we agree to disagree.

I wish you good luck.:)

Regards,

Tom

👍 Thanks Tom, will need it. It will explode on Friday...

Peter

4 hours ago, peteyt said:

Unless you mention vaguely what you suspect and then tell them you are checking; that way they are kept in the loop.

One problem with people having too much admin access is that it can lead to privilege escalation. As itman has mentioned, maybe try to limit what certain users can do.

Thanks for your input peteyt. It's a balance between what is practical and what's desirable. I don't want to make my office into a second home, which it quickly would be if I started to lock down user privileges for this particular group. Threat no. 1 for me is rogue USB drives. They can easily carry an infection and spread it, circumvent access restrictions to shares, etc. It's also a snap to steal data with a USB drive. Threat no. 2 is web access to pages containing assorted threats. Stealing data just by uploading it to a web server is even simpler. And it bypasses all privileges.

As I mentioned previously, I will implement restrictions for USB drives ASAP.

Best regards,

Peter


Hi folks,

I appreciate all the good advice put forward here. I just want to recapitulate what my issue was from the beginning.

I needed a means to collect web access data for a particular user. Not keylogging, screen dumps, or that sort of thing, as it's far too intrusive. Just record web access, mainly URLs. I could probably have set up a transparent proxy server, but that's using nukes to pick off a few pigeons. I have managed to collect sufficient evidence to present a good case, anyway.

Particular thanks to Tom, for reminding me about documenting everything. The fewer holes in the tapestry, the better. It will be ugly. Thanks to other colleagues for pointing out the possibility of using different means to lock down USB drives. That will be implemented promptly. I will probably implement some more permanent web monitoring to detect abuse at an early stage, before it gets out of hand.

I wish everybody a nice spring.

Peter


While it is possible to create a Web Control rule to log every accessed URL, it's not practical since the log would quickly grow to hundreds of MB or even GB, which would likely also cause performance issues. You can give it a try, but then I would also suggest decreasing the log retention period from 90 days to, let's say, 7 days.
