Security Manager's Journal: Red alert for child pornography
A .mov file with a highly suggestive name is enough to kick off an investigation into what's on an employee's PC.
When you work in any kind of security field, you are always coming up against the uglier aspects of mankind. Let's face it: There wouldn't be any malware, unauthorized access or laptop theft if humans weren't imperfect beings. In my work, I have come to accept that this is the way things are, and I don't even mind dealing with those sorts of incidents. In fact, such incidents are why people like me are necessary.
Not that I have much fondness for people who disseminate malware, steal laptops or try to breach systems, but they aren't as repulsive as another class of criminal you find on the Web: child pornographers. And this week we had an incident that suggests that one of our employees might be one of the latter.
I say "might" because the evidence at this point is sketchy, and we have much more investigating to do. What we know at this time is that an employee in Europe had a .mov file on his G drive with a name that indicated the video potentially involved child pornography. This came to light when an administrator was training someone on how to manage our antivirus infrastructure. They were going over reports of machines with infected files when they spotted the suspect .mov file.
The admin told me about this at once, and I called a meeting with the heads of HR and Legal. We decided that our first course of action should be to contact local police in Europe. What we could tell them was that only one file had been detected, that we weren't able to validate that the file was child pornography, and that the employee was currently on vacation in Greece.
After a few days, the police let us know that they didn't want to take the case, on the grounds that a single suspect image didn't warrant an investigation. We asked how many images would spur an investigation; their answer was many more than one.
Nonetheless, the vice presidents of HR and Legal wanted to conduct an internal investigation, so they asked me to determine whether there were any other images on the drive.
The suspect was still on vacation and had his laptop with him, and I thought he might check in from time to time since he'd bothered to take the laptop along. We run Symantec Altiris for centralized configuration management and software distribution, and I asked the administrator to create a special job to inventory the PC the next time it accessed the network. After a few days, it did. The Altiris inventory scan showed that the suspect didn't have the external-media G drive plugged in, and there were no files of a suspicious nature on the hard drive itself.
A few days later, the suspect did connect an external drive, but the Altiris inventory of that still revealed nothing other than a bunch of standard image-file names.
In the meantime, HR was trying to figure out what they should do with this guy when he returned to the office. My advice was to relax and not jump to conclusions; there was just one file that seemed suspect, and there might be an innocent explanation for it.
But because we wanted to do a thorough investigation and not let a potential child pornographer get away, we told the employee's manager to confiscate the laptop (and to attempt to obtain the external media device, which we can confiscate only if it is company property) as soon as the employee returned. To avoid making the employee suspicious, we advised the manager to say that the machine was infected with a bad virus.
I wish it were something so simple.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.