Enemy at the Water Cooler by Brian T. Contos

most common form of consent in this context is a clause in a contract or corporate policy that states something to the effect of, "If you want to work here, we reserve the right to monitor anything you do." It is common to see this clause in employment contracts. When employees are hired in the U.S., for example, they typically sign a number of forms and contracts. Many of these documents state that all communication using the organization's property (networks, computers, phones, and so forth) may be monitored at any time. By signing these documents, an employee consents to being monitored.
Computer Trespasser Exception
As part of the USA PATRIOT Act passed in 2001, the computer trespasser exception can be applied when an organization asks the government for help with an intruder in its network. This exception allows law enforcement to intercept communications to or from computer trespassers.
A computer trespasser (any person who uses a computer or network without authorization) has no reasonable expectation of privacy. Law enforcement must meet several conditions before making these interceptions: the organization whose network the trespasser has penetrated must authorize the interception, the person intercepting must be acting under color of law, the interception must be relevant to an ongoing investigation, and only communications sent or received by the trespasser are subject to interception. Communications of other users on the same network are not covered by this exception.
Court Order Exception
The last exception is a court order, which is available only to law enforcement. It refers to a Title III order authorizing the interception of electronic communications in connection with felony investigations. This exception, like the computer trespasser exception, is less commonly relevant to most organizations than the first two exceptions.
Chapter 13 • Establishing Chain-of-Custody Best Practices with ESM
Best Practices
As long as an organization's need meets any of the above exceptions, it is free to monitor. However, before the monitored data can be used as evidence, there are some additional variables that fall within best practices and are important to discuss. As a technology, ESM can be leveraged to follow chain-of-custody best practices. For example:
- Data must be gathered during the normal process of business, and there should be documented policies and standard operating procedures for handling the data. System administrators, network administrators, and security analysts doing their defined jobs fall into this normal category.
- Data must be gathered by individuals who are not of questionable character. Employing individuals with criminal records to run an ESM is not the best choice for an organization serious about litigation-quality data.
- Documentation should include the circumstances under which the evidence was gathered, the identity of evidence handlers, the duration of evidence custody, the security conditions while handling or storing the evidence, and how evidence is transferred to subsequent custodians through each link in the chain.
- Chain-of-custody must be followed. The captured data has to be secured, and audit logs need to show who accessed the data, when they accessed it, and what was done.
An ESM can help follow chain-of-custody best practices by providing these capabilities:
- It should allow for 100% event data capture, including the normalized event, the original event (not normalized), and payload data if available. Keeping the original alongside the normalized copy lets a reviewer confirm that normalization did not alter the facts of the event.
- Access controls should limit the information users can access. This should include separation of duties and least-privilege access.
- Connections between the user interface and the ESM manager, event flows from the connectors to the ESM manager, and manager-to-manager communication should use strong encryption.
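The documentation and audit-log requirements above (circumstances, handlers, duration, security conditions, transfers between custodians, and who accessed what and when) together with the capture of raw, normalized and payload copies can be exercised in code. What follows is an added example written for this page, not code from the book or from any ESM product. The syslog line, normalized fields, payload bytes, handler names and custody conditions are all constructed; the hash-chained custody log is one way to make the audit trail tamper-evident, not a feature the chapter attributes to ESM.

```python
"""Added example, not from the book or from any ESM product: an evidence store
that keeps the original event, its normalized form and any payload together with
SHA-256 digests, plus a hash-chained custody log recording who handled the
evidence, when, what they did and under what conditions. All sample data is
constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: a raw syslog line as a connector would receive it, the
# normalized form an ESM would derive from it, and a captured payload fragment.
RAW_EVENT = ("<134>Jul 27 09:43:12 fw01 kernel: DROP IN=eth0 "
             "SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=22")
NORMALIZED_EVENT = {"device": "fw01", "action": "drop", "src_ip": "203.0.113.9",
                    "dst_ip": "198.51.100.5", "dst_port": 22, "protocol": "tcp"}
PAYLOAD = b"\x16\x03\x01\x00\xa5"  # constructed first bytes of the dropped packet


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Stable serialization so equal dicts always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EvidenceRecord:
    """Raw, normalized and payload copies, with digests taken once at capture."""

    def __init__(self, evidence_id, raw, normalized, payload):
        self.evidence_id = evidence_id
        self.raw, self.normalized, self.payload = raw, normalized, payload
        self.digests = self._digests()

    def _digests(self):
        return {"raw": sha256_hex(self.raw.encode()),
                "normalized": sha256_hex(canonical(self.normalized)),
                "payload": sha256_hex(self.payload)}

    def verify(self) -> bool:
        """Re-hash the stored copies and compare with the capture-time digests."""
        return self._digests() == self.digests


class CustodyLog:
    """Append-only log; each entry's hash covers the previous entry's hash, so
    editing or dropping an earlier entry breaks the chain on verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, evidence_id, handler, action, conditions, when=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"evidence_id": evidence_id,
                 "handler": handler,        # who
                 "action": action,          # what was done
                 "conditions": conditions,  # security conditions / circumstances
                 "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
                 "prev_hash": prev}
        entry["hash"] = sha256_hex(canonical(entry))  # hash over all fields above
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or sha256_hex(canonical(body)) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def custodians(self):
        return [e["handler"] for e in self.entries]


def run_scenario():
    """Capture, two hand-offs, then simulate tampering with evidence and log."""
    rec = EvidenceRecord("EV-0001", RAW_EVENT, NORMALIZED_EVENT, PAYLOAD)
    log = CustodyLog()
    t0 = datetime(2006, 7, 27, 9, 43, 12, tzinfo=timezone.utc)  # constructed
    log.record(rec.evidence_id, "connector-fw01", "captured",
               "encrypted connector-to-manager link, write-once store", t0)
    log.record(rec.evidence_id, "analyst.jdoe", "reviewed in console",
               "read-only role, console session logged", t0)
    log.record(rec.evidence_id, "forensics.asmith", "exported for counsel",
               "encrypted archive, digests recorded on transfer form", t0)
    results = {"record_ok": rec.verify(), "log_ok": log.verify(),
               "custodians": log.custodians()}
    rec.raw = rec.raw.replace("203.0.113.9", "203.0.113.10")  # evidence altered
    results["record_after_tamper"] = rec.verify()
    log.entries[1]["handler"] = "someone.else"  # custody history rewritten
    results["log_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Both tamper cases come back as failed verifications: changing one octet of the stored raw event invalidates its digest, and rewriting the handler on a past custody entry invalidates that entry's hash even though the chain pointers still line up. In practice the digests and the log would live on a system the evidence handlers cannot write to, which is where the access-control and separation-of-duties points above come in.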