When you work in any kind of security field, you are always coming up against the uglier aspects of mankind. Let's face it: There wouldn't be any malware, unauthorized access or laptop theft if humans weren't imperfect beings. In my work, I have come to accept that this is the way things are, and I don't even mind dealing with those sorts of incidents. In fact, such incidents are why people like me are necessary.
Not that I have much fondness for people who disseminate malware, steal laptops or try to breach systems, but they aren't as repulsive as another class of criminal you find on the Web: child pornographers. And this week we had an incident that suggests that one of our employees might be one of the latter.
I say "might" because the evidence at this point is sketchy, and we have much more investigating to do. What we know at this time is that an employee in Europe had a .mov file on his G drive with a name that indicated the video potentially involved child pornography. This came to light when an administrator was training someone on how to manage our antivirus infrastructure. They were going over reports of machines with infected files when they spotted the suspect .mov file.
The admin told me about this at once, and I called a meeting with the heads of HR and Legal. We decided that our first course of action should be to contact local police in Europe. What we could tell them was that only one file had been detected, that we weren't able to validate that the file was child pornography, and that the employee was currently on vacation in Greece.
After a few days, the police let us know that they didn't want to take the case, on the grounds that a single suspect image didn't warrant an investigation. How many images would spur an investigation? we asked. Their answer was many more than one.
Internal Affairs
Nonetheless, the vice presidents of HR and Legal wanted to conduct an internal investigation, so they asked me to determine whether there were any other images on the drive.
The suspect was still on vacation and had his laptop with him, and I thought he might check in from time to time since he'd bothered to take the laptop along. We run Symantec Altiris for centralized configuration management and software distribution, and I asked the administrator to create a special job to inventory the PC the next time it accessed the network. After a few days, it did. The Altiris inventory scan showed that the suspect didn't have the external-media G drive plugged in, and there were no files of a suspicious nature on the hard drive itself.
A few days later, the suspect did connect an external drive, but the Altiris inventory of that still revealed nothing other than a bunch of standard image-file names.
In the meantime, HR was trying to figure out what they should do with this guy when he returned to the office. My advice was to relax and not jump to conclusions; there was just one file that seemed suspect, and there might be an innocent explanation for it.
But because we wanted to do a thorough investigation and not let a potential child pornographer get away, we told the employee's manager to confiscate the laptop (and attempt to obtain the external media device, which we can confiscate only if it is company property) as soon as the employee returned. To avoid making the employee suspicious, we advised the manager to say that the machine is infected with a bad virus.
I wish it were something so simple.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
Join in the discussions about security!