Reporting Unacceptable Use

stephendemsky · 2018-04-23T11:41:50.000Z

Hello,

Looking for opinions on reporting unacceptable use, specifically, users accessing pornographic sites on a company network. My network firewall filters most adult content, but these tools aren’t flawless as one determined late-nighter taught me this past week.

Now, I’m no crusader, but I look at accessing offensive content at work as inviting trouble. Malware, someone else seeing it and raising a stink, etc. I know the “by the book” approach would be to go straight to their manager and/or HR to hash it out, but seeing as I’m the only tech person, it would be pretty obvious to the offending user who reported their activity.

Tell me your thoughts, SpiceHeads. Go the “by the book” route and risk a hostile work-place situation with the user, or do you pull the user aside and give a short warning along the lines of “you can’t be doing that here on our network, here’s why”? Blame the MSP?

l0st0ne · 2018-04-23T11:48:07.000Z

First you need to get management and HR to sign off on an acceptable use policy.

stephendemsky · 2018-04-23T11:49:50.000Z

L0ST_0NE:

First you need to get management and HR to sign off on an acceptable use policy.

Ha, funny you say that. I wrote one in January, gave it to HR (who signed off), before it went to our President’s desk to rot away.

l0st0ne · 2018-04-23T11:52:28.000Z

SD_ASAI37:

L0ST_0NE:

First you need to get management and HR to sign off on an acceptable use policy.

Ha, funny you say that. I wrote one in January, gave it to HR (who signed off), before it went to our President’s desk to rot away.

Then it’s really hard to even say it’s “unacceptable use” when there is no policy in place stating what is and isn’t acceptable.

You might want to put a bug in HR and the President’s ear to see if can get moved forward instead of rotting away.

phillemay0878 · 2018-04-23T11:57:36.000Z

send the offending URL to HR and ask if it’s an acceptable site for company’s practices.

mweed · 2018-04-23T12:00:18.000Z

Remotely log into their computer, delete any browser logs or cache, and do something to make them think they got malware. Then, when they call you to “fix” their computer and you’re sitting at their desk messing with their computer, you say something like “Hmm. this looks like the kind of malware people get when surfing inappropriate sites. I don’t know how in the world you might have gotten it . . .” And hope that scares them enough to stop doing it.

That at least gives them a second chance, and if they do suspect you know what really happened, you come off looking like the good guy. But, if they do it again (or if someone else finds out), you’ve always got the built-in excuse you can report to management “Yeah, when I was working on his machine a while back it looked like they had been surfing somewhere inappropriate.”

georgemcfarlin · 2018-04-23T12:06:30.000Z

Off to HR with all the pertinent data retrieved. Where I work users have been fired for first offense of that type, led by HR and their supervisor.

I would not put myself or the network security at risk for a user looking at porn at work. Look at whatever you want at your house on your hardware. We have acceptable use policies etc in place and that type of use is expressly against company policy.

daciannistor2 · 2018-04-23T12:14:21.000Z

Phil Lemay:

send the offending URL to HR and ask if it’s an acceptable site for company’s practices.

craigweston · 2018-04-23T12:18:36.000Z

If there are no policies in place then I’m not sure what you can do about it unless it is illegal pornograhy. You may even be violating their privacy by monitoring them, meaning that you could be in trouble!
I know that most people know what is appropriate at work but some people need a policy to remind them.
If I were the only tech in a company I would work with HR to sign off a policy that gets included in the company policy.
It could also be worth seeing how someone bypassed your network filtering and get it locked down.

tomsteinmetz6433 · 2018-04-23T12:27:55.000Z

While it should be common sense to not do that kind of stuff at work, there should still be an acceptable use policy in place that dictates what users can and can’t do while using company resources and what the consequences are for not following the policy. All users should have to sign something stating that they have read and understand the policy. In your situation, I would report it to both their manager and HR. While you might want to avoid a hostile work environment, you wouldn’t want to risk your network.

shonolson · 2018-04-23T12:30:59.000Z

I’m in the process of cracking down on a similar situation here.

I ended up using BrowsingHistoryView, getting a list of the url’s and users that are hitting them and an email was sent to their supervisors and HR CC’d.

Then I edit the hosts file and point those sites to a local HTML page that has an iframe in it and directs the user to http://omfgdogs.com/ . Completely SFW and somewhat satisfying thinking about all the users that are completely baffled by the page.

YMMV.

theborgman77 · 2018-04-23T12:34:21.000Z

Here are couple problems. Make sure HR is involved in this process.

This can rarely be used as primary reason to fire someone. This is of course unless someone witnesses it.
It should only ever be used to fortify a case(not court) of why a bad employee should be fired.
To be safe you can add welcome screen that lines out that there is zero expectation of privacy when logging on to the computer. This really needs to be there if you are going to do what you have to do. You must get it approved by the correct person first.
Best way to get rid to the user is to make sure you have an expectable use policy, and login notice. Place a screen watching tool on the suspected user, and set your monitoring tool to give you instant notice. Then remote and record the session. Make sure you have number 3 done before doing so. If not you could be doing something illegal depending on State/Count.

Some states in US are single party states, and some states see the employee as an agent. In cases where your state see employees as an agent there is no need for permissions to monitor. You and the employee are seen as the same person in regards to the law. Again, the notice is more as a extra CYA in these states,

Couple other things that need to be considered.

Is this employee using his own equipment with a VPN? Even with properly configured VPN you can have some leakage onto your network. Correctly configured VPN will push almost all basic website surfing out there cable modem.
Is the homepage possibly the cause of this. I have seen an increased amount of reports of some bad sites hacking popular homepage sites ads. These push a bad website thru the ad system. This can cause all kinds of problems. I tend to force homepages to Google, or a business related website.

stephendemsky · 2018-04-23T12:34:28.000Z

Then I edit the hosts file and point those sites to a local HTML page that has an iframe in it and directs the user to http://omfgdogs.com/ . Completely SFW and somewhat satisfying thinking about all the users that are completely baffled by the page.

Hero.

Nick-C · 2018-04-23T12:35:49.000Z

Is reporting on things like this part of your daily job requirements? That is to say, has someone senior within the business asked you for this information? If yes then fine, generate the reports and send them over, if not then don’t worry about it and surely there are more important jobs to get on with than snooping through peoples web history?

kerriedouglas · 2018-04-23T12:42:39.000Z

Follow the policy that you wrote and make sure that you have the appropriate evidence to show the activity - report to HR. There should not be any HWE unless they are causing this by looking at this stuff - this person should be terminated right away. I ran into this about 20 years ago we had solid policies which stated that the person could be terminated if they engaged in any unacceptable use. It’s your role to escalate and report any findings about this type of activity. Unless you are this person’s supervisor a warning is not appropriate- you should not protect those who endanger your environment.

Nesav132 · 2018-04-23T12:43:25.000Z

IT should know what’s going on with a user’s behavior and it’s only fair to bring it up to the appropriate management. I would be pissed if IT knew about this and didn’t say anything. At this point, who cares if the user knows who ratted them out? It’s IT’s job to protect and make sure policies are being followed. Still sucks to be the one to have to do it.

shonolson · 2018-04-23T13:02:07.000Z

I’d have to agree, it is IT’s job to protect the company network and it’s assets both physical and digital; regardless if the threat origin is external or internal.

rename · 2018-04-23T13:02:08.000Z

We have all of the policies in place. End user signed them when hired.

In most cases, I’ll personally ask them to stop it. When that fails, and it does half the time, I send a screenshot out of Veriato to their supervisor with an explanation.

It hasn’t been pron here. It’s always been attempts to disable security to get to facebook or webmail sites. Those attempts usually end up screwing up their workstation in a way that raises suspicion to me.

That makes me sad panda and the company has a low tolerance level for that kind of stuff.

geekuilibrium · 2018-04-23T13:04:07.000Z

In absence of a policy, can you send out a friendly “online safety” announcement that outlines unsafe activities and also mentions that IT is working on a way to monitor network health more closely? If they know that policies are being put in place in the future, or at least being worked on, it may give them pause. I know this could turn passive aggressive if you’re not careful. I’m just saying fire one across the bow to get their attention. Wouldn’t hurt for all users to get a reminder either.

liquidram · 2018-04-23T13:07:39.000Z

Are you blocking site by site or white/black lists? If so, add URL categorization as this will catch more of this type of site.