Security Manager's Journal: Red alert for child pornography
A .mov file with a highly suggestive name is enough to kick off an investigation into what's on an employee's PC.
When you work in any kind of security field, you are always coming up against the uglier aspects of mankind. Let's face it: There wouldn't be any malware, unauthorized access or laptop theft if humans weren't imperfect beings. In my work, I have come to accept that this is the way things are, and I don't even mind dealing with those sorts of incidents. In fact, such incidents are why people like me are necessary.
Not that I have much fondness for people who disseminate malware, steal laptops or try to breach systems, but they aren't as repulsive as another class of criminal you find on the Web: child pornographers. And this week we had an incident that suggests that one of our employees might be one of the latter.
I say "might" because the evidence at this point is sketchy, and we have much more investigating to do. What we know at this time is that an employee in Europe had a .mov file on his G drive with a name that indicated the video potentially involved child pornography. This came to light when an administrator was training someone on how to manage our antivirus infrastructure. They were going over reports of machines with infected files when they spotted the suspect .mov file.
The admin told me about this at once, and I called a meeting with the heads of HR and Legal. We decided that our first course of action should be to contact local police in Europe. What we could tell them was that only one file had been detected, that we weren't able to validate that the file was child pornography, and that the employee was currently on vacation in Greece.
After a few days, the police let us know that they didn't want to take the case, on the grounds that a single suspect image didn't warrant an investigation. How many images would spur an investigation? we asked. Their answer was many more than one.
Nonetheless, the vice presidents of HR and Legal wanted to conduct an internal investigation, so they asked me to determine whether there were any other images on the drive.
The suspect was still on vacation and had his laptop with him, and I thought he might check in from time to time since he'd bothered to take the laptop along. We run Symantec Altiris for centralized configuration management and software distribution, and I asked the administrator to create a special job to inventory the PC the next time it accessed the network. After a few days, it did. The Altiris inventory scan showed that the suspect didn't have the external-media G drive plugged in, and there were no files of a suspicious nature on the hard drive itself.
A few days later, the suspect did connect an external drive, but the Altiris inventory of that still revealed nothing other than a bunch of standard image-file names.
In the meantime, HR was trying to figure out what they should do with this guy when he returned to the office. My advice was to relax and not jump to conclusions; there was just one file that seemed suspect, and there might be an innocent explanation for it.
But because we wanted to do a thorough investigation and not let a potential child pornographer get away, we told the employee's manager to confiscate the laptop (and attempt to obtain the external media device, which we can confiscate only if it is company property) as soon as the employee returned. To avoid making the employee suspicious, we advised the manager to say that the machine is infected with a bad virus.
I wish it were something so simple.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.