MISSISSAUGA, On — If you want to stay out of the headlines, keep an eye on how your municipal workers are using — and abusing — their Internet access, says the head of IT security for the City of Ottawa.
Fraser Hirsch, who spoke at the Ontario Municipal Information Systems Association’s 2005 IT Security conference Monday, said municipal IT departments have to spy on users because municipal resources are so limited it’s important to squeeze every last productive minute possible out of city workers.
As well, taxpayers are seemingly more sensitive to the perception of wasted tax dollars at the municipal level than they are at other levels of government, he added.
“We need to get seven or seven and a half hours a day out of you,” he said. “It’s using our tools to make sure performance stays up.”
And make sure users know they’re being monitored, especially if they’re already red-flagged for prior activities, he said.
“You have to go back to the same person you were investigating and tell them you’re going to follow up and they will start to get the message real quick when they know you’re watching them,” he said. “Sounds a little Orwellian, but they are doing things that you don’t know, and if you haven’t taken a look, you should. Grab some of the reports off your Net filtering service and take a look at where people are going.”
In the City of Ottawa’s case, one such report revealed someone was using Skype, the Internet-based voice over IP service. Hirsch has also received calls from the Communications Security Establishment about Internet content with possible links to terrorism originating from a city IP address.
Those are the calls you can’t afford to ignore, he advised.
“You have to be able to provide them with that information because if you don’t, they’re going to come and seize the assets and yank computers off your desks and you’ll never get them back.”
Pornography is a major concern, as are blogs, he said.
“Do you really want employees going on blogs and perhaps voicing opinions about municipalities that aren’t in line with what you’re thinking?”
Spyware and malicious code are ongoing issues as well, he said, citing the example of one user whose Web activity generated more than 27,000 such hits in a three-week period.
To find out where employees are surfing when they’re supposed to be working, the City of Ottawa uses tools such as the Internet filtering product Websense from Websense Inc., Borderware’s e-mail security product MXtreme, and Microsoft’s Antigen.
Certain sites are blocked entirely, but the IT department has had to find ways to make some sites available to some users while keeping them off-limits to others. For example, he said, a public health nurse might have a legitimate reason to visit a site on body piercings, but a bus driver probably doesn’t.
Even seemingly innocuous Web use, such as surfing retailers’ sites at 6 p.m., might seem acceptable, given that even a municipality has to allow for a certain amount of personal use, said Hirsch – except if it turns out that the surfer is really a nurse on the evening shift who is supposed to be working.
He admitted he doesn’t yet have buy-in from employees. But they are aware of the policies governing Internet use, he said. Hirsch is “in employees’ faces” at least twice a week with messages about inappropriate use of city resources. Policies also have to be specific, he said. If you allow “incidental” personal use, you have to specify what incidental means, such as during lunch hours and after or before work.
But while it’s important to monitor users’ Internet activities, Hirsch advises against monitoring keystrokes.
“You’ll end up in court so fast.”
Municipal IT professionals also need to be trained to interpret the reports they’re generating, he said. For example, one click on the cnn.com site generated dozens of other hits due to banner ads, pop-ups and spyware.
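The hit inflation Hirsch describes can be made visible by grouping raw proxy hits under the page that triggered them. The following is an added example, not code from the City of Ottawa or any filtering product; the log format, the hostnames other than cnn.com, and the five-second burst window are constructed assumptions.

```python
import csv
import io
from urllib.parse import urlsplit

BURST_SECONDS = 5  # assumption: sub-resources load within 5 s of their parent page

# Constructed sample log: epoch seconds, user, URL, referer, content type
SAMPLE_LOG = """\
1000,jdoe,http://www.cnn.com/,,text/html
1000,jdoe,http://www.cnn.com/css/main.css,http://www.cnn.com/,text/css
1001,jdoe,http://ads.example.net/banner?id=1,http://www.cnn.com/,text/html
1001,jdoe,http://ads.example.net/img/1.gif,http://ads.example.net/banner?id=1,image/gif
1001,jdoe,http://track.example.org/pixel.gif,http://www.cnn.com/,image/gif
1002,jdoe,http://popup.example.com/win.html,http://www.cnn.com/,text/html
1090,jdoe,http://www.cnn.com/world/,http://www.cnn.com/,text/html
1090,jdoe,http://ads.example.net/banner?id=2,http://www.cnn.com/world/,text/html
"""


def summarize(log_text, burst=BURST_SECONDS):
    """Group raw hits into page views per user (heuristic, not proof of intent)."""
    views = {}  # user -> ordered list of page-view records
    owner = {}  # (user, url) -> page view that URL was loaded under
    for ts, user, url, referer, ctype in csv.reader(io.StringIO(log_text)):
        ts = int(ts)
        parent = owner.get((user, referer))
        if parent is not None and ts - parent["start"] <= burst:
            view = parent  # fetched automatically while the parent page loaded
        elif ctype.startswith("text/html"):
            # HTML with no recent parent: treat as a deliberate navigation
            view = {"page": url, "start": ts, "hits": 0, "hosts": set()}
            views.setdefault(user, []).append(view)
        else:
            continue  # non-HTML hit with no known parent stays unattributed
        view["hits"] += 1
        view["hosts"].add(urlsplit(url).hostname)
        owner[(user, url)] = view
    return {
        user: [{"page": v["page"], "hits": v["hits"], "hosts": sorted(v["hosts"])}
               for v in user_views]
        for user, user_views in views.items()
    }


if __name__ == "__main__":
    for user, user_views in summarize(SAMPLE_LOG).items():
        for v in user_views:
            print(user, v["page"], v["hits"], "hits via", ", ".join(v["hosts"]))
```

In the constructed sample, eight logged hits reduce to two pages the user actually chose to open; the ad, tracker and pop-up hosts appear only as dependents of those pages.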
Sometimes investigations into an employee’s online activities can result in his or her dismissal. If that happens, the IT department also needs to know how to preserve data for potential use in a court of law or a tribunal of some sort.
“If we have to go to court we have to show due diligence in how we handled the evidence.”
That’s an issue for the RCMP’s high-tech crimes unit as well, said Staff Sgt Al Langille at another session.
Langille, who works out of the Atlantic Canada RCMP unit, said there are three steps in the process of providing evidence that can be used in court: acquisition, analysis and reporting.
The challenge for the RCMP is to ensure it does not alter the original data during the process, which can occur by merely looking through the contents of a hard drive or shutting the computer system down. To prevent that alteration, the RCMP uses write blockers and a handheld device called Logicube, which captures mirror images of hard drives. It also uses EnCase, a forensic data and analysis program, and FTK (Forensic Toolkit), which indexes the entire contents of hard drives.
Much of what the RCMP is focusing on at the moment relates to child pornography. And while the RCMP acts on tips from the public, it is also up to IT professionals to alert the agency if they come across such images on users’ hard drives.
“I would argue there’s a greater responsibility for IT professionals because you are monitoring systems.”
In an interview with ITBusiness.ca following his presentation, Langille said he can’t say to what extent traffickers in child pornography or terrorists are using steganography, or the embedding of images within images that can only be seen with special programs.
“If it’s working really well, theoretically you shouldn’t find it’s happening,” he said. “To make a statement that it’s not a problem in Canada would probably not be well founded. In fact, I don’t think we know how often steganography is used. If we analyse a system and we detect a program is running, then we know we need to analyse the images.”