IT Exposed!

Since many people who read this blog, blog themselves (or try to figure out how to read questionable blogs at work), I thought I would share some IT insight around Internet monitoring, etc.

Now, keep in mind that all companies work differently – so I’m speaking strictly as an IT person in high tech. Governments are much stricter and active in monitoring, etc.

First off, many companies passively monitor internet traffic. This means they don’t constantly watch the traffic. An event such as an internet slow down or a possible HR problem will trigger an audit of the info.

In the past, we did do some of our own internet traffic analysis. We kept it simple. We ran a query of which URLs are being most frequently accessed through our network. Usually in the top 10 were news sites, financial sites with stock ticker info, our own website, and some sports site like ESPN.

Quick deviation for a second – companies protect themselves from data theft using firewalls. No matter how much you clean up after yourself locally, the firewall has a record of all traffic – think of it as a gigantic history file. Just something to keep in mind if you think you are being clever by cleaning history and temp files.

If we did find something in the top 10 that is suspect, we will check it out. For example, a long time ago, some engineers would access on a frequent basis. If we found this in the top 10, we would figure out where the traffic was coming from within the company. Or, in simpler terms, are we dealing with a group issue or a single person. If it was a group issue, we would have HR send out the reminder about the inappropriate use of the internet policy with a highlight of the second saying you can be terminated for it. If it is an individual, our jobs get fun. We get to learn too much info about someone and their browsing habits by doing a full search for every place that person has been over the past week. If we are lucky, we will find it was a one time thing – and if we aren’t, we get to find out things we would rather not know (preference in women – or men, when they are doing their browsing, etc). If we aren’t lucky, we have to put together a case for HR. (We believe that HR should be given all the info right out of the gate so they can make an informed decision about next steps.)

Everyone in the company (or every computer rather) has two unique identifiers – MAC address on the network card and an IP address. The firewall tells us the IP address of the computer that browsed those sites. Our next goal is to find the computer that is browsing those sites. Many times, we have a very good idea based on the computer name. In some cases, we have to find the computer. Once found, we have to validate that the MAC address on the network card matches the IP address. (The short answer as to why is that IP addresses on our network can get reassigned to different systems. We have a log that tells us when that happens, so we just want to make sure we are accusing the right person.)
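The two steps described above (the most-accessed query, then tying a firewall IP to the machine that held it at that moment) as an added example, not code from the original post. The log layouts, host names, computer names and addresses are constructed assumptions; the same IP is deliberately reassigned mid-day to show why the lease log has to be checked.

```python
from bisect import bisect_right
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data (not from the original post).
# Firewall records: (timestamp, source IP, destination host)
FIREWALL = [
    ("2009-03-02 09:05", "10.0.0.23", "news.example"),
    ("2009-03-02 09:10", "10.0.0.23", "flagged.example"),
    ("2009-03-02 09:40", "10.0.0.41", "news.example"),
    ("2009-03-02 14:15", "10.0.0.23", "flagged.example"),
    ("2009-03-02 14:20", "10.0.0.23", "flagged.example"),
    ("2009-03-02 15:00", "10.0.0.41", "stocks.example"),
]
# DHCP lease log: (lease start, IP, MAC, computer name)
LEASES = [
    ("2009-03-02 08:00", "10.0.0.23", "02:00:00:aa:aa:01", "LAB-PC-07"),
    ("2009-03-02 08:30", "10.0.0.41", "02:00:00:bb:bb:02", "FIN-LT-12"),
    ("2009-03-02 12:00", "10.0.0.23", "02:00:00:cc:cc:03", "ENG-WS-31"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def top_sites(firewall, n=10):
    """Most frequently accessed destinations, like the top-10 query."""
    return Counter(host for _, _, host in firewall).most_common(n)

def build_lease_index(leases):
    """Per IP, a time-ordered list of (lease start, MAC, computer name)."""
    index = defaultdict(list)
    for start, ip, mac, name in sorted(leases, key=lambda r: _ts(r[0])):
        index[ip].append((_ts(start), mac, name))
    return index

def holder_at(index, ip, when):
    """(MAC, name) of the machine holding `ip` at `when`, or None."""
    history = index.get(ip, [])
    pos = bisect_right([start for start, _, _ in history], when)
    return history[pos - 1][1:] if pos else None

def attribute(firewall, leases, site):
    """Count hits on `site` per machine, resolving each hit by lease time."""
    index = build_lease_index(leases)
    hits = Counter()
    for when, ip, host in firewall:
        if host == site:
            hits[holder_at(index, ip, _ts(when)) or ("unknown", ip)] += 1
    return dict(hits)
```

Grouping by IP alone would put all three hits on one machine; resolving through the lease log splits them between two.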

While we are at the computer, we will validate that it isn’t a shared computer. If it is, it can be more difficult to pinpoint who did the browsing. We will do a quick look at temp files and web history, but the ones knowing they are doing something wrong have usually deleted them.

Once we have it all – we give it to HR. We have only had two people fired over browsing in the almost 14 years I have been at this company. We have kept an eye on many people to ensure it is a one time thing, but mainly we have not had a problem.

The most memorable person fired over browsing was a contractor. Each day for two and a half hours, he would browse the women of the world as we would describe it. His browsing history started with Asian women and usually ended with German women with stops in Latin America and Africa. A week’s worth of browsing history when printed out was over 50 pages long. We found this out after hours thankfully. None of us could stop laughing at the sheer amount of it. Because he worked in a hidden engineering lab, it took us a couple hours to find the computer and subsequently who was doing it. When we did, I was thankful I was wearing a long sleeved sweatshirt because I didn’t actually have to touch the mouse then. I thought our reaction was bad until I saw HR’s reaction. It was similar to ours. The guy was fired on the spot. And his keyboard and mouse were thrown away.

What about blogs? Blogs are tricky because what you call them doesn’t necessarily correlate with what the content is about. And, unless it shows up extensively on the audit, no one will go out looking at what the content is. If you are posting to your blog during work, you will show up as accessing “”. They could find out what is being sent, but again, they would have to be actively watching it and have alerts that certain words came up in the packets of data. If you work for the government – they are monitoring…..everything. Just go with that assumption. Want to blog during the day? Email in your blogs. It’s safer.

Instant Messaging is a whole different can of worms. There are many things to keep in mind about IM or chat. Nothing is encrypted in chat. It’s all clear text – and it is likely stored on a server…as clear text. There have been court cases where AOL IM has been subpoenaed for cases – and it has been presented by AOL despite their claims they keep nothing on their servers. Very scary stuff.

If your network is actively monitored at work, IM traffic is very easy to see. This was a surprise for us, to be quite frank. I should caveat this by saying it has been several years since we had to try – so maybe the traffic vulnerabilities have changed to fix this issue. I personally like working under the assumption it is still clear text – “better safe than sorry” is my motto.

We discovered this when HR approached us to help them research an accusation. A group of employees had accused their manager of having an affair with one of his other direct reports and giving her preferential treatment as a result. They claimed they were always chatting through AOL Instant Messenger. We were asked if we could provide data around this claim. We could as we soon discovered. From what I heard, the messages were pretty bad too. He was fired….and I believe lost his wife over the affair too.

While most companies in our area don’t actively monitor traffic, the economic downturn could cause them to start in the short term. IT is expensive, so in tough economic times, IT staff often has the pressure of reducing expenses. And, the other executives will bring everything into question. Reducing capacity to the Internet is a good place to start. At our company each month, we spend around $25,000 per month on capacity to the Internet. They won’t go down that path unless they can prove the traffic is non-critical to business. And, the best way to do that is by auditing it. Something to keep in mind.

2 Comments

  1. Thank you for the IT perspective on this. As an HR person I really appreciate the perspective.

  2. Hubman says:

    As if I wasn’t already having enough trouble sleeping…

    Thanks for the info!
