Security Manager's Journal: Red alert for child pornography
A .mov file with a highly suggestive name is enough to kick off an investigation into what's on an employee's PC.
When you work in any kind of security field, you are always coming up against the uglier aspects of mankind. Let's face it: There wouldn't be any malware, unauthorized access or laptop theft if humans weren't imperfect beings. In my work, I have come to accept that this is the way things are, and I don't even mind dealing with those sorts of incidents. In fact, such incidents are why people like me are necessary.
Not that I have much fondness for people who disseminate malware, steal laptops or try to breach systems, but they aren't as repulsive as another class of criminal you find on the Web: child pornographers. And this week we had an incident that suggests that one of our employees might be one of the latter.
I say "might" because the evidence at this point is sketchy, and we have much more investigating to do. What we know at this time is that an employee in Europe had a .mov file on his G drive with a name that indicated the video potentially involved child pornography. This came to light when an administrator was training someone on how to manage our antivirus infrastructure. They were going over reports of machines with infected files when they spotted the suspect .mov file.
The admin told me about this at once, and I called a meeting with the heads of HR and Legal. We decided that our first course of action should be to contact local police in Europe. What we could tell them was that only one file had been detected, that we weren't able to validate that the file was child pornography, and that the employee was currently on vacation in Greece.
After a few days, the police let us know that they didn't want to take the case, on the grounds that a single suspect image didn't warrant an investigation. How many images would spur an investigation? we asked. Their answer was many more than one.
Nonetheless, the vice presidents of HR and Legal wanted to conduct an internal investigation, so they asked me to determine whether there were any other images on the drive.
The suspect was still on vacation and had his laptop with him, and I thought he might check in from time to time since he'd bothered to take the laptop along. We run Symantec Altiris for centralized configuration management and software distribution, and I asked the administrator to create a special job to inventory the PC the next time it accessed the network. After a few days, it did. The Altiris inventory scan showed that the suspect didn't have the external-media G drive plugged in, and there were no files of a suspicious nature on the hard drive itself.
A few days later, the suspect did connect an external drive, but the Altiris inventory of that still revealed nothing other than a bunch of standard image-file names.
In the meantime, HR was trying to figure out what they should do with this guy when he returned to the office. My advice was to relax and not jump to conclusions; there was just one file that seemed suspect, and there might be an innocent explanation for it.
But because we wanted to do a thorough investigation and not let a potential child pornographer get away, we told the employee's manager to confiscate the laptop (and attempt to obtain the external media device, which we can confiscate only if it is company property) as soon as the employee returned. To avoid making the employee suspicious, we advised the manager to say that the machine was infected with a bad virus.
I wish it were something so simple.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.