Managing Network Security

Worker Monitoring

by Fred Cohen

Series Introduction

Computing operates in an almost universally networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.

We all monitor our workers

If you don't monitor your workers, how can you provide adequate feedback on their job performance? You cannot. There has never been a question about whether or not to monitor workers in some way; whether it be based on net output, attitude, or the hours they are at work, monitoring is fundamental to performance evaluation. The question has been and remains how much of what to monitor and for what purposes.

There are three basic reasons for worker monitoring: (1) to measure their job performance, (2) to limit legal liability and detect, track down, and stop illegal activities, and (3) to measure and improve system and network performance and debug network problems.

There are, of course, a large number of different places that monitoring can be done. In fact, almost any location within a system or network can be valuable in monitoring something or another. The most common monitoring points are (1) a keyboard, (2) a disk, (3) a network interface, (4) a network infrastructure point such as a firewall, gateway, router, or switch, (5) a telephone, (6) a wire closet, (7) a telephone switch, (8) a trunk line, and (9) an entry or exit location. Each of these locations applies to different sorts of monitoring for different purposes.

What where?

The table below may be helpful in figuring out what kind of monitoring works best where:

Location         worker performance    legal/security purposes    system performance
keyboard         no                    yes                        no
application      yes                   yes                        no
interface        no                    yes                        yes
infrastructure   yes                   yes                        yes
telephone        yes                   yes                        no
closet           no                    yes                        no
switch           no                    yes                        yes
trunk            no                    yes                        yes
entry/exit       yes                   yes                        yes

Keyboard monitoring is generally done by a small program inserted into the operating environment at the driver level. This intercepts all keyboard input (depression and release of each key) and records it along with a time stamp. It can then be replayed as desired. It is also possible to record keyboard input by placing a device between the normal keyboard port and the keyboard connector or placing an interception capability in the keyboard itself.

Application monitoring is generally done by the software components of the application, by the server in a client/server architecture, or by the operating system through the use of audit trails. This type of monitoring is generally tailored to the application or the operating environment; however, some standard audit information is retained by most operating systems. In addition, items like file date and time stamps and other similar operating environment monitoring information are standard in almost every operating environment and are necessary in order for most current systems to function properly.

Interface monitoring takes place at interface points between user systems and infrastructure systems. Typical monitoring includes TCP packet observation and serial port monitoring. These can be done by hardware, software, or combinations of both.

Infrastructure monitoring is used in cases where large numbers of systems are being observed relative to their network behavior. A typical example is the use of special systems to detect the downloading of pornographic material from the Internet or the use of a special purpose system to detect release of trade secrets over connections between business partners.

Telephone monitoring typically involves the placement of a hardware device within a telephone. These are the 'bugging' devices you see placed in handsets on television shows. In the case of web-based telephony, this is done either at the hardware or software level in the computer being used for the telephone calls.

Closet monitoring involves the placement of monitoring devices in the wire closets and other similar locations where wiring is placed for communication between rooms, floors, and buildings. Most buildings have wire closets located throughout the facility. They are used to add, remove, or repair telecommunications connections between equipment placed throughout the facility. Hardware devices are commonly placed in or near wire closets for monitoring purposes.

Switch-based monitoring applies primarily to line or packet switched networks in which there are switching devices used to route information from place to place. Telephone switches, for example, commonly have provisions for remote monitoring of telephone microphones, for monitoring of calls in progress, and for recording such calls. The same sorts of mechanisms are often available in computer switching devices.

Trunk lines are commonly used for high volume inter-site communications and as such are sometimes used for monitoring communications between sites. They tend to be encoded for efficient use of bandwidth and relatively high speed, so specialized equipment may be required for this sort of monitoring.

Entry and exit points are commonly monitored for various purposes, including but not limited to firearms, explosives, backup tapes, computer hardware, cell phones, drugs, and a wide variety of other 'contraband'. Similarly, other facility locations may be monitored for a wide range of purposes, including limiting liability.

Naturally, for legal and security purposes, monitoring can be done anywhere it can have other uses, but the monitoring used for system performance is almost never the same as that used for worker performance.

Space and time

Knowing what you might want to do is not the same as knowing what you really can and cannot do. Usually, the limits of monitoring come about as a result of time and space issues in the monitoring technology.

The space and time issues are limits brought about in high volume situations. They are issues because the available storage space and analytical capability are often more limited than the available data to be monitored and analyzed. To give you a sense of this, consider the disk requirements for monitoring a typical 100Mbps LAN cable. At 100 million bits per second, that's about 10 million bytes per second, or a gigabyte every 100 seconds. So a 20 gigabyte hard disk will get filled in under an hour if you try to monitor all of this traffic at full bandwidth. This is clearly not a viable option for most circumstances. On the other hand, a really fast typist can type at a rate of about 150 words per minute, or under 1,000 characters per minute. At 60 minutes per hour, 24 hours per day, that comes to one floppy disk of data per day (about 1.44 M). A 20 gigabyte disk can hold about 15 million days of typing at this rate. So if we choose to monitor keystrokes, disk space is almost never an issue.

Time for analysis is also at issue. Simple analysis, like counting the number of characters typed or the number of letters printed, is simple to do, but not very effective in most cases. The effectiveness of monitoring is generally determined by the application. A good example of long analysis times is the analysis of web traffic to generate profile information on individuals who view web pages to determine whether the web pages they visit are work related. Examining all of the user activities for content takes a lot of processing power, particularly as the volume of traffic goes up, and particularly if observations are done from the infrastructure rather than at the desktop.

Effective Monitoring

Monitoring worker performance is generally most effective when a clearly identified performance goal is easily measured. For example, orders processed per hour, order amount, and customer acceptance might be easily measured properties of semi-automatic order processing systems. But monitoring an engineer in terms of number of boards designed may be a poor performance measurement and hard to capture and analyze.

Most of my experience in worker monitoring has been from the system performance and legal perspectives, and in my experience, each monitoring activity involves customization based on the specifics of what is being sought. In the case of system performance monitoring, instrumentation is generally done at the disk level for applications and at the network level for network traffic. Placement of sensors is not much of a problem in this context because the people who work in the environment are generally supportive of better performance.

When it comes to monitoring for legal or security purposes, the situation changes fairly dramatically.

While these changes may seem simple, in fact, they drive covert monitoring technologies into areas that overt monitoring would never pursue because they are far too space and time intensive or overly complex. They are only used because of lack of choice.

What about the law?

Just because you can doesn't mean you are legally allowed to, or that you should do it. I will more or less ignore the moral and ethical issues in this article, but suffice it to say that looking at other people's information out of curiosity is not what I would consider to be reasonable or prudent. The only real basis for examining information is that it meets some goal that is sufficiently important to justify the invasion of privacy implied by it, and in those cases, it seems to me that looking at anything beyond what is necessary to get the job done is over the bounds of fair and reasonable. Of course the legal standard may be quite different from that.

I am not a lawyer, and anything I say here should not be construed as legal advice. Having said that, there are two basic kinds of legal searches of information, and of course this varies dramatically based on jurisdiction. Type 1 is a search based on permission of the owner. Type 2 is a search based on some legal warrant.

For somebody who is not a lawyer, I seem to run into a lot of legal stuff along the way. It's mostly to keep myself from getting into legal trouble in my work. In the case of most of my readers, you can ask your local legal eagle about these issues, and you should do so in the process of forming your policies and contracts with employees.

One last note here. In today's business, acquisitions and other corporate activities tend to make things like proper policy and notice hard to do and likely to be out of compliance. If I were you, I would be real careful to make sure that the monitoring policy you have in place is all it should be. Otherwise, you may go to jail for doing illegal wiretaps, be sued for violation of privacy and lack of notice, or worse yet, miss having all of those wonderful conversations with your lawyers, who are lonely all day because nobody wants to talk to them.

The other major use of monitoring for legal purposes is to mitigate liability. Many folks nowadays maintain that if you do not monitor worker and system activity, you are not meeting the standards of due care required for a modern business. For example, not monitoring a dark parking lot at night for criminal behavior may subject you to a lawsuit if an employee gets assaulted. Similarly, failure to monitor networks for pornographic traffic may be used against the employer in a sexual harassment suit, and failure to monitor for security breaches in computer systems may be grounds for a shareholder suit. Similarly, allowing employees to release trade secrets or other confidential information subjects the employer to legal liability because the employer is generally responsible for the actions of employees when they are working (and often during breaks from work as well). Monitoring is often the only available means to detect and counteract these activities.


Worker monitoring is not only feasible and reasonable, it is essential for any substantial business and fundamental to the evaluation of employee performance.

The technologies involved in monitoring cover a wide spectrum, and there are substantial technical issues involving such things as resource requirements, covert and overt actions, and placement, remote control, and operation of monitoring devices.

The extent to which monitoring becomes invasive of privacy is a core issue to be addressed, and it is generally addressed through a combination of corporate policy, notice, employment and similar contracts, and prudence in the monitoring process.

About The Author:

Fred Cohen is exploring the minimum raise as a Principal Member of Technical Staff at Sandia National Laboratories, Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing in information protection, and a practitioner in residence in the University of New Haven's Forensic Sciences Program, where he educates cybercops on digital forensics. He can be reached by sending email to fred at or visiting /