
Disciplining for Spyware

Status
Not open for further replies.

Kjonnnn

IS-IT--Management
Jul 14, 2000
1,145
US
This could go either here or the ethics forum I think.

Here's my issue. My IT colleague here is on a campaign to penalize users if spyware is found on their computers. Our users are connected to the internet via our LAN. They use the internet for business purposes. We don't have users who abuse their net privileges or download or install a lot of stuff on their computers. I'm helpdesk, so I get to see what's on the users' computers firsthand. In fact, most just know how to do what they are supposed to do. But my colleague borders almost on irate when spyware is found on a computer. It doesn't have to be dozens and dozens of instances of spyware found, just one sets him off. Insisting that the user did something and should be penalized.

A lot of spyware stealthily installs itself on the computer without any malicious assistance from the user. I regularly run Ad-Aware and Spybot on computers when I get a chance. I know I've gotten spyware on my computer and I'm like ... where did that come from?

So does it make any sense to discipline a user if spyware is detected on their computer?
 
It does not seem ethical to me to discipline an employee out-of-hand, particularly, as you have said, in light of the fact that spyware can be installed on the machine without the knowledge of a user. As I recall, wasn't there at one time a worm being spread through banner ads on legitimate sites?

If the computer has other software which requires active user participation to install and also has spyware, then I could see disciplining the employee. But this must be handled on a case-by-case basis, not through some draconian edict.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
This is a difficult question to answer. If users are to be penalized, make certain that an internet usage policy is in place prior to penalizing anyone.

Now, onto my thoughts. This is purely subjective and should be taken on a user by user case. First off, be paranoid and assume each user "abuses" their net privileges, even if it is just to check their E-Mail. They're going somewhere not related to the business. I'll be honest, it should be expected and curtailed to a degree (IE No E-bay at work, but checking up on news or bank accounts now and again is acceptable).

Whether or not a user should be reprimanded needs to be based on several things.

1. What is the spyware that has been installed? Is it something offensive that you can only pick up at certain kinds of sites? (Check history and the like).

2. How much is on the system? If a user has over a set limit of spyware, there's probably a problem with how often they surf or where they surf.

One or two pieces of spyware can easily be picked up on a wrong left click on a Google search. It is overzealous to penalize people for such a small number found on a system. And, dependent upon their jobs, they may pick up a lot more spyware (researching new products and the like could lead to a great deal of additional spyware).

Actually, as I write this, punishing for spyware is lacking in any foundation for punishment. You lack any proof that the person has taken wrong actions to obtain the spyware.

I hate to ask this, does he understand how spyware is installed?
 
sleipnir214 said:
must be handled on a case-by-case basis

Based on my experience I agree wholeheartedly.

At my last place of business I was the poor schmoe who did all the spyware removal. In general we assumed it was down to poor surfing habits, and attempted to educate the user involved on how to protect (and where appropriate) clean their workstation using automated tools.
In one case we did have to threaten removal of web access for one user who was downloading "free" screensavers with the New Dot Net parasite attached (which scrambled attempts to access our internal web systems, leading to support calls and wasted man hours). The threatened removal (on the 3rd time around) was sufficient to ensure compliance.

TazUk

[pc] Blue-screening PCs since 1998
 
I am with aquias on this: "I hate to ask this, does he understand how spyware is installed?"

My own comments:

. There are a lot of "false positives" with AV and malware scanners; I would not risk an employee termination on the basis that an AV or spyware scan was positive;

. There is in most malware scans nothing more than relatively benign cookies. They are easily dealt with, but should not be a cause of major alarm or an employee termination. You see this nearly hysterical reaction to the Microsoft Antispyware Beta, which (currently) does nothing about cookies, and someone wondering why SpyBot or AdAware or similar finds "...over 900 spyware threats missed by the Microsoft product." Sheesh. Go ahead, make some attorney happy when you terminate someone because of a cookie.

. There is a real problem with what the spyware community calls "drive-by" malware and hijacking. See Eric Howes' article on this issue:
Because of some planned suits, most sites offer at least one prompt about installing an ActiveX control. However, not all do. Myself, who certainly knows at least a little better, did a Google for a Kelly Theriot tip I had remembered but could not find quickly on her site. (Her site is great, by the way: ) but I googled and clicked on the first link that seemed appropriate. It took me three plus hours to clean up my system from what was installed in seconds from a "phishing" redirector.

While it is without doubt that a lot of malware can be traced to pilot error -- opening unknown email attachments, perusing questionable sites, agreeing to the installation of ActiveX controls -- it is not always thus. There is a lot of unintended malware that gets installed.

. Finally, has the company provided to all users:

-- AV software, with effective plans to keep definitions up to date?
-- Non-virus anti-malware software, with effective plans to keep definitions up to date?
-- A regularly scheduled period for workstation cleanup, including comprehensive virus and malware scans, elimination of temp folders and deleted files, and a defragmentation;
-- A clear company policy about appropriate use of the internet, and clear rules for grounds for termination of employment.

Otherwise your fired employee is going to make some attorney a very happy man or woman.
 
Funny you should mention it. The issue that brought this last instance up was "newdotnet." It took me a day to figure that one out. It didn't show up with Ad-Aware or Spybot. I found it using HiJack.

- We are behind a firewall.
- All the antivirus definitions are up to date automatically
- The company blocks a lot of sites, including shopping and porn and outside email (AOL, Yahoo, Gmail), and sites I just don't know why they block.
- Everyone is aware of the net usage policy.

I tend to believe that just by being connected to the net, and using the net for their business purposes, every now and then some spyware is going to show up, without action from the user (can you say Precision Time). Please correct me if I'm in error.
 
OK, here are my thoughts. First, you will have to get HR (human resource) and TPTB (the Powers that Be) on your side. Without their backing of your plan, nothing will happen. This may be harder than it sounds. It's been my experience that some of the worst abusers of the internet are the bosses.

Next, check with HR to see if they already have a policy in place for "other" offenses. At our business, if an unsafe or abusive condition occurs because of an employee's action or inaction, a written and verbal reprimand is given for the first offense, a three day, unpaid "time-out" is given for the second, and termination for the third. If such a policy exists, see if it can be applied for internet abuses.



James P. Cottingham
-----------------------------------------
I'm number 1,229!
 
"Everyone is aware of the net usage policy"

You may or may not have this knowledge, but have they signed a document regarding the net usage policy?

If not, then you have no leg to stand on against a lawsuit, people can claim ignorance and you have no way to defend against it.

And, if sites are blocked, I'm guessing you can see who attempted to access which site. It seems to be a much safer (and fairer) policy to base any action taken against a user based on hard evidence of their surfing habits (IE. A log file that shows they've tried to access various porn sites, shopping sites, etc...).

See if you can get your co-worker more focused on this direction vs attacking users with spyware. Bill is correct, you'll have several lawsuits and anger the user community at large, making any future changes much more difficult.
 
Clarification.

Everyone had to sign off on the policy.

It's not a matter of people trying to access certain sites, it's just if Ad-Aware or Spybot is run, and it finds spyware, he assumes they are downloading questionable stuff, and wants them disciplined.
 
i agree with most of the comments above. disciplining as a blanket policy regardless of how the infection occurred is an unwarranted knee-jerk reaction. if they understood spyware could be installed regardless of surfing habits they would be less likely to want such a policy.

i say only if there is a proven track record of abuse - warn the employee and manager first, write them up to HR the next time, THEN discipline if it doesn't stop them.

that "drive-by" link indicates how easily it can happen (although a lyrics site is a questionable place to visit on a work pc).
 
Send your co-worker to and have him read some of the blogs, and then follow the link to Ben Edelman's site (he has several articles and media files that show how spyware does "drive by" installations).

I can understand the knee-jerk reaction your co-worker is having, if he doesn't fully understand where these programs come from. I hate to say this, but work on educating him as to how these items come to be on a person's computer.
 
Thanks guys... but he's a know it all to the tenth degree.
 
I think that your tack should be to research spyware that can get on systems without the knowledge of the user and without the user's going to an inappropriate site (spyware transmitted through ads is one possibility), then simply ask him, "What do we do in <that situation>? Won't firing them out-of-hand open up the company to litigation?"


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
You should scan for spyware on his computer first and ask him how it got there :)
 
Go with sleipnir214's suggestion then. Follow this track of thinking and see how he wants to handle this or if he's even considered it.

Other options are to try and protect your users from themselves as much as possible, which I bet you're doing but try to go beyond normal practice.

MS Antispyware Real time protection
Spyware Blaster

Run all instances of IE and E-Mail through "Drop my rights" (do a google search on that phrase to find the application).

I utilize this configuration, and will be rolling it out soon, and have remained spyware free for over four months on this system.

I'll keep trying to come up with ideas for you. I agree with your thought that this is a problem and will cause quite a bit of trouble for you and the company.
 
We should, by the end of the year, see "Managed" solutions, non-Beta, by large vendors. Microsoft, Symantec/Norton, and Shavlik have all announced plans; more announcements are likely after Microsoft releases Beta 2 of its stand-alone product at the end of the Summer.

It will become a de facto standard to have a firewall, an antivirus scanner, and a malware scanner installed.
 