Options for determining if company email accessed by IT employee.
February 18, 2016 5:08 PM

There was an accusation made privately that a member of the IT group at the company regularly accesses and reads the emails of senior executives without authority. Is there any way to investigate and get evidence?

The report comes from a trusted employee but without evidence. This is a small company and it is quite likely that the accused IT employee would be the one asked to investigate, so this creates a bit of a conundrum. Are there consultants that provide these services?

This is an Exchange server and I do not know if the report is true, hence needing evidence. But the method of access is also not known. The simplest is that this person could have passwords, but I expect being in the position to access the server data they could just as easily intercept and read emails there? What are the ways in which one can access and read Exchange email and how can that be determined forensically? And could this person, being in that position, be able to cover their tracks? And if so, can THAT be determined?

As it stands the accusation is already a serious one and will need to be addressed. It would just be nice to be able to investigate this quietly first.
posted by linux to Technology (18 answers total)
I've had various email support-related roles over the years, and several problems with this come to mind.

First, email in most incarnations is not a secure technology. Most email is not encrypted and passes over networks "in the clear" meaning anyone with access to the network over which the data passes could potentially intercept or "sniff" the contents, without necessarily being an administrator. There are a lot of ways this can be done by anyone with physical access to your network (including any unencrypted wifi). Exchange can be made more secure for some traffic, but I'm no Exchange expert (perhaps someone who is could comment), nor do I know how hardened your email infrastructure is.

Second, in order to be an email administrator, to guarantee a certain level of service, and to track down problems that pop up from time to time, some amount of access to see mail contents, at the very least mail headers or the "envelope" of messages is often necessary. This is not to say that private third-party email should be read without a business need, but that the access is necessary in the performance of some email administration duties. Accordingly, server access to see email records should only be granted to people with said business need; to grant said access without due consideration to need and trust-worthiness is a failure of management and oversight. Your question didn't indicate if this IT person has a business need to assist with email-related problems. It also didn't mention how the "trusted employee" is qualified to make this distinction or made this discovery.

Third, any forensic analysis would likely require giving more people access to the records you are trying to protect, and would probably be difficult to prove conclusively in any event. Most tracks can be covered by someone savvy and determined to cover them.

My recommendation here would be:

1. make sure you have a documented corporate policy respecting ethics and access to electronic records, that the policy dictates penalties for failure to adhere to those ethical standards, and that anyone with access to those records signs off on having read and acknowledged those policies.
2. the number of people with access to any servers storing potentially sensitive electronic records is kept to the absolute minimum required to ensure business continuity, that the list of people with this access is made known to the organization as a whole, and that there are checks and balances in place to make sure there is oversight and accountability.
3. that the whistle-blowing person is technologically savvy enough to understand the difference between abuse and business need, and has strong evidence to support any accusations of the former.
4. that administrative passwords are changed frequently, users with access are audited periodically, and removed promptly when they leave the organization.
5. that all your wireless network traffic is encrypted.
6. that your company is following security best practices across the board. I'm sure there are many companies that can consult with you on that.
7. that everyone understands that nothing sensitive should ever be shared via email, as it is not a secure technology.

I hope that helps.
posted by tempestuoso at 5:53 PM on February 18, 2016 [10 favorites]


Exchange can be set up to allow an admin to access mailboxes other than their own. It is also possible to set up audit logs to indicate when this happens. In order to set up audit logging you will need to also have administrative access. A local tech company could likely help you with the setup and show you how to access logs if you are not comfortable with doing that kind of work yourself.
posted by nalyd at 5:55 PM on February 18, 2016 [1 favorite]


Unless you have all executives regularly encrypting their e-mail messages, it's safe to assume they will be read sometime. Not only by your IT people, but by anyone with server access at any point along the mail pathway. It's _impolite_ to read other people's e-mail on a server, and I personally avoid it unless I'm debugging someone's e-mail problems, but I've been called "too sincere" in the past.

In fact, knowing that e-mail is being read regularly may actually improve security, because it's very very easy for people to forget just how insecure e-mail is.

on preview: seconding tempestuoso

Also: the IT person may genuinely not see anything wrong with reading the e-mail on the server (except for the time wastage, of course). Most people would _feel_ that there was something wrong with it, out of respect for other peoples' privacy, but if there's no explicit policy forbidding it, it's not obviously illegal or anything.
posted by amtho at 5:56 PM on February 18, 2016 [1 favorite]


It would hinge in a large part on what constitutes "without authority." Typically a company has free rein over employee email, and IT who manages it do as well, by necessity.
posted by rhizome at 5:57 PM on February 18, 2016


But the method of access is also not known. The simplest is that this person could have passwords, but I expect being in the position to access the server data they could just as easily intercept and read emails there?

Unless you've got reversible-encryption enabled for password storage on the domain controller, it's unlikely that your mail admin has anyone's password. How this is typically done in an Exchange environment isn't by sniffing the wires or whatever, it's by granting access permissions for a second account to read the first in the Exchange server's administrative console, and then that user just opens up the inbox in Outlook.

It may not be possible to retroactively audit this if the appropriate logging wasn't turned on, or if the person doing it cleaned up after themselves. You can find out how to do this by searching for "Monitor mailbox permissions changes in Exchange".

If, however, they left those access permissions on, it's a simple matter to dig into the current Exchange permissions on executive accounts and find out who has access to what.

It would hinge in a large part on what constitutes "without authority." Typically a company has free rein over employee email, and IT who manages it do as well, by necessity.

Managing people's Exchange service, which is totally routine, is very different from reading their email, which is a serious breach of trust, and Exchange is designed so that an administrator can do all the permissions and quota management they need to do without granting themselves the permission to actually read the email.

And anyone who's in charge of an Exchange cluster knows that. If you were to audit an exchange server and find out that an IT guy had granted themselves read permissions on an executive's account without an _outstanding_ justification, that IT guy should be escorted out of the building immediately.
posted by mhoye at 6:57 PM on February 18, 2016 [10 favorites]
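The checks nalyd and mhoye describe above (who currently holds read access to the executives' mailboxes, whether the audit logs were ever enabled, and what non-owner access they recorded), written out as an added Exchange Management Shell example. This is not code from the thread. It assumes on-premises Exchange 2010 or later, a shell session run by someone other than the accused admin who holds the Organization Management (or at least Audit Logs plus Mail Recipients) roles, and hypothetical mailbox identities `ceo@example.com` and `cfo@example.com`.

```powershell
# Added example, not from the original thread. Assumes on-premises Exchange 2010+
# and an Exchange Management Shell run by someone OTHER than the accused admin.
# Mailbox identities below are hypothetical placeholders.

$Executives = "ceo@example.com", "cfo@example.com"   # hypothetical identities
$Since      = (Get-Date).AddDays(-90)
$Now        = Get-Date

# 1. Who can open these mailboxes right now? An explicit (non-inherited) FullAccess
#    grant is the route mhoye describes: Add-MailboxPermission, then open the mailbox
#    in Outlook. Inherited entries and NT AUTHORITY\SELF are normal and filtered out.
foreach ($Mbx in $Executives) {
    Get-MailboxPermission -Identity $Mbx |
        Where-Object {
            -not $_.IsInherited -and
            $_.User -notlike "NT AUTHORITY\*" -and
            $_.AccessRights -contains "FullAccess"
        } |
        Select-Object @{ n = "Mailbox"; e = { $Mbx } }, User, AccessRights, Deny
}

# 2. Database-level Receive-As grants every mailbox on that database, so check those
#    too; only explicit (non-inherited) entries are interesting.
Get-MailboxDatabase | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like "*Receive-As*" } |
    Select-Object Identity, User, ExtendedRights, Deny

# 3. Roles that allow reading mail without a mailbox permission at all: exporting a
#    PST, or impersonating the user over EWS.
foreach ($Role in "Mailbox Import Export", "ApplicationImpersonation") {
    Get-ManagementRoleAssignment -Role $Role |
        Select-Object Role, RoleAssigneeName, RoleAssigneeType
}

# 4. Were grants added, or removed to cover tracks? The admin audit log records cmdlet
#    runs only from the time it was enabled, so note its state and age limit first.
Get-AdminAuditLogConfig | Select-Object AdminAuditLogEnabled, AdminAuditLogAgeLimit

Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission,
        Add-ADPermission, New-MailboxExportRequest, New-ManagementRoleAssignment, Set-Mailbox `
    -StartDate $Since -EndDate $Now |
    Where-Object { $_.Succeeded } |
    Select-Object RunDate, Caller, CmdletName, ObjectModified

# 5. Mailbox audit logging is off by default. Turn it on for the executives so that
#    future non-owner access (FolderBind = a folder was opened) is recorded, and keep
#    the entries for 180 days rather than the default 90.
foreach ($Mbx in $Executives) {
    Set-Mailbox -Identity $Mbx -AuditEnabled $true -AuditLogAgeLimit 180 `
        -AuditAdmin    Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf `
        -AuditDelegate Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf
}

# 6. Whatever non-owner access the mailbox audit log already holds (empty if auditing
#    was never enabled, which is itself a finding worth writing down).
foreach ($Mbx in $Executives) {
    Search-MailboxAuditLog -Identity $Mbx -LogonTypes Admin, Delegate -ShowDetails `
        -StartDate $Since -EndDate $Now |
        Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                      FolderPathName, ClientInfoString
}
```

Two caveats a practitioner should keep in mind. First, everything this script reads can be altered or disabled by anyone holding Organization Management, so an empty result proves only that nothing was logged, not that nothing happened; save the raw output somewhere the accused admin cannot reach before acting on it. Second, steps 4 and 5 themselves generate admin audit log entries and are visible to any Exchange administrator, which is why the thread's advice to run this under HR and legal cover, ideally through an outside party framed as a general audit, applies to the technical check as much as to the conversation.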


Best answer: tempestuoso has some good advice, but I wanted to jump in to say that some of these answers freak me out completely. I'm in a different function now, but when I was running IT, using our access to violate coworker privacy was the one offense which would get you escorted out of the building without any further discussion. It was and should be an absolute no-no. (I personally had to do this once, which made me very sad.)

Even if a manager wanted us to look into someone's email for cause, I would refuse to do it unless it was signed off by the CEO, group legal and the head of HR. My logic was that IT was always suspected of this kind of thing, and therefore had to act in a way which was completely above suspicion.

So if your company doesn't have policy around this, you should implement it even if you do nothing else. That way someone can have a serious discussion with IT employee y and tell them "this is designed to protect you. there have been some recent leaks, and we don't want the suspicion falling on IT. Therefore, please see a copy of this policy which stresses bla bla bla". Then put a set-up in place (use an external consultant) to make sure server access is logged and that access rights are documented and tracked. Again, this is legitimately for the protection of the coworker.

You don't say much about why this coworker thinks the IT coworker has been snooping, so I can't judge how seriously you take the accusation. But, yes, there are many security specialist companies who can help you investigate the breach. If you have no logging or security-related SOPs in place, it might be really hard to check. I might hire the security firm to do a general look-over your set up and let you know how easy it would be for breaches to happen (and whether or not they could check if it has). If you describe it as a general security audit, then you avoid the perception of mistrusting your coworker in the event he should be innocent. (And honestly, it sounds to me that your set up may be past due for a security audit anyhow...)
posted by frumiousb at 7:45 PM on February 18, 2016 [9 favorites]


In a previous life, I managed global email and other systems for a large company. Our policy was clearly stated in our employee handbook, which detailed that the IT department could monitor email and all other communication and that we could and would identify violations of company policy (like sending porn, stuff like that). At the time, we used a quarantine system that would segregate emails that violated our policies, and as administrators of the system, we could easily access anyone's mailbox if we needed to, including the C-suite.

Not being familiar with current Exchange settings, I couldn't tell you the routes of access, but I highly doubt it is from gaining access to passwords. Administrators of systems have broad access to the data contained therein, so that is probably how they are gaining access. The only way I can see to investigate this without involving the person accused is to hire an outside IT audit firm, unless you have other IT people with the same access who could do this clandestinely, but that could cause all sorts of interpersonal rifts if the accused is innocent.
posted by bedhead at 8:07 PM on February 18, 2016 [3 favorites]


Depending on the precise details of your infrastructure, there may be no reliable, 3rd party verifiable audit trail, especially if the alleged offender has administrator-level access to relevant systems, maybe even set them up themselves. And even then, I don't need server level access to snoop your email -- I just need access to a device where you read your email, or perhaps access to an insecure network that your mail traverses. Or to read the printout you made and then left on your desk. Maybe I issued your password and you never changed it.

The best evidence is more likely to come from testimony that the IT person knows stuff which they could not have learned from any other means.

It is probably more fruitful to quietly investigate why/how your trusted source believes this to be true. If nothing else, a serious loss of trust like this warrants such inquiry.
posted by i_am_joe's_spleen at 1:00 AM on February 19, 2016 [4 favorites]


The question needs to be asked of the accusing employee about how they reached that conclusion. What are the "tells"?

Is the knowledge available elsewhere (from a committee/professional relationship that the reporting employee is not privy to)? Could the alleged snooper have observed C-suite behavior and drawn their own indiscreet conclusions?

It's also a reminder to be judicious about what belongs in work email, personal email, and what is handled verbally.

You could also hire a forensic person to do a security audit once you are confident that your initial inquiry merits this action, but you would be working with HR & legal. They would want to know if the complained-of snoop indicators may be something like porn use or a relationship that indicates sexual harassment, which could muddy matters considerably, and result in more personnel actions.
posted by childofTethys at 4:16 AM on February 19, 2016


If you are contemplating firing the person or otherwise disciplining them in a way that would cause them to sue you, I would *strongly* advise that you engage your legal team with a professional, neutral computer forensics company to determine the best path forward. A poorly done internal investigation could damage or muddy the evidence enough to cause you legal headaches if they sue you.

The best evidence is more likely to come from testimony that the IT person knows stuff which they could not have learned from any other means.

If you want to go the non-technical path, you can take this one step further and plant false information that would stimulate a reaction in the executive's e-mails and see if there's a reaction. But again, consult your legal team before doing anything further.
posted by Candleman at 4:18 AM on February 19, 2016 [1 favorite]


An Exchange admin doesn't need user passwords to access user data. Yes, they could cover their tracks. If you're a small company, the Exchange admin will know you're investigating this.

This won't be a technical investigation. Start with the "trusted employee". How and why would they know this? Go from there. Make sure you document your investigation.
posted by LoveHam at 4:20 AM on February 19, 2016 [1 favorite]


What is your standing here? Your role in relation to this situation is going to largely determine what actions you can (and should) take. It's not clear from your question exactly how this situation involves you.
posted by Anticipation Of A New Lover's Arrival, The at 5:43 AM on February 19, 2016


If you are contemplating firing the person or otherwise disciplining them in a way

You can't "discipline" a sysadmin who's breached the trust of the organization. You have to fire them.
posted by mhoye at 6:18 AM on February 19, 2016 [2 favorites]


Response by poster: Thank you all for the responses. It clarifies a lot of what I suspected could be done.

Though the IT person may have administrative abilities to read email they certainly were not cleared to do so as there is no current investigation on the executives warranting that action and if proven this is indeed the case they would definitely be fired.

The employee who reported the breach, though trusted, came by the information through a chain that is too long for my liking. Also, it was brought to my attention because of my direct line to the C-level. I had hoped there were a few technical options to do a little digging before working down that chain. If the accusation holds up (i.e. the story stays the same and therefore should be taken seriously), I'll have to go to the CEO, report the story, and suggest the options mentioned above. My personal preference would be to get outside help in the guise of an audit (and as frumiousb adds, it's not really a guise as I really think a real audit is warranted anyway), but that would need the CEO's blessing. If the CEO decides against it, then we either have to set up a trap and see what happens or go for a more direct route. Regardless, all three broad options will require HR and legal to be in the room. Keeping this quiet will unfortunately be hard as this is a small company, but hopefully it can be done.

Again, thanks.
posted by linux at 7:58 AM on February 19, 2016


could this person, being in that position, be able to cover their tracks?

Of course.

if so, can THAT be determined?

If it can, you needed a better netadmin anyway.
posted by flabdablet at 10:58 AM on February 19, 2016


One other option, in addition to the technical solutions (auditing, encryption, limited rights and so on) is to set a trap.

e.g. like would be done in a cold-war spy thriller, something along the lines of this.
https://www.quora.com/Hypothetical-Spying-Scenarios/What-are-good-ways-to-identify-a-mole-in-an-organization-who-is-feeding-sensitive-information-to-the-competition

I don't know if it will provide the level of evidence you want but could help you confirm your suspicions without tipping off the suspect?
posted by joz at 8:16 PM on February 19, 2016


Call me a bastard, but an interesting holding manoeuvre would be to go to the suspect IT person, and say "can you please help us, we're really concerned that someone is leaking our executives' email". If they are in fact on the level, they'll help you; and if they're not, they'll likely stop leaking, lest they be found, and still help you. And then you bring in the trusted 3rd parties to provide assistance.
posted by i_am_joe's_spleen at 12:14 AM on February 20, 2016


[...] set a trap.

Call me a bastard, but [...]

No. Just no.
posted by mhoye at 5:06 AM on February 20, 2016

