I wrote earlier about keyloggers, and why they should not be used. Now, I want to focus more on the business environment, and look at keyloggers from a security and confidentiality perspective.
In business, there is already enough data to keep secure and confidential. Servers store e-mail, files and transaction data for the entire company, each computer has files and e-mail stored on it, passwords are used to protect this data, and each employee types confidential information, or passwords to access that information, into a computer every day.
Using keyloggers in this environment introduces more security risks than it prevents. Granted, you could check that your employees are not e-mailing confidential data to a rival company, but in the end, the data collected from keyloggers is confidential, and may well contain corporate secrets, passwords, and other confidential or sensitive information.
With yet another data source to protect, the security task becomes that bit more difficult. There’s one more set of data to secure, to back up, to lock away in the tape safe. There are far more effective ways of monitoring data leakage, many of which can be preventative as well as simply alerting after the fact. Egress filters on firewalls and e-mail servers will protect corporate data much better than simply logging the sending process and dealing with it later. By that point the data is already out of the network, and nothing more can be done. With egress filters, the traffic can be blocked before it leaves the network.
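To make the egress-filter point concrete, here is an added example (not code from the original post) of a minimal egress policy evaluated over a few constructed outbound-connection log lines. The addresses, the log format, and the rule that only the mail relay may send SMTP are assumptions chosen for illustration; a real firewall or mail server applies the same idea with its own rule syntax.

```python
"""
Added example, not part of the original post: a minimal egress-filter
policy evaluated against constructed outbound-connection log lines.
The policy, hosts and log format are all assumptions for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed policy: only the mail relay may speak SMTP to the outside;
# workstations get web ports only; everything else leaving the network is blocked.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
MAIL_RELAY = ipaddress.ip_address("10.0.0.25")             # assumed mail relay
ALLOWED_WORKSTATION_PORTS = {80, 443}                      # assumed web-only allowlist
SMTP_PORT = 25


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reason: str


def evaluate(src: str, dst: str, dport: int) -> Decision:
    """Apply the egress policy to one outbound connection attempt."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    if d in INTERNAL_NET:
        # Traffic that never leaves the network is not subject to egress filtering.
        return Decision("allow", "internal destination")
    if dport == SMTP_PORT:
        if s == MAIL_RELAY:
            return Decision("allow", "mail relay may send SMTP")
        # A workstation mailing out directly bypasses the mail server's own filters.
        return Decision("block", "direct outbound SMTP from a non-relay host")
    if dport in ALLOWED_WORKSTATION_PORTS:
        return Decision("allow", "web traffic permitted")
    return Decision("block", f"destination port {dport} not in egress allowlist")


def parse_line(line: str) -> tuple[str, str, int]:
    """Parse a constructed log line of the form 'src=A dst=B dport=N'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])


def filter_log(lines: list[str]) -> list[tuple[str, Decision]]:
    """Evaluate every log line and pair it with the policy decision."""
    return [(line, evaluate(*parse_line(line))) for line in lines]


def blocked_lines(lines: list[str]) -> list[str]:
    """Return just the log lines the egress policy would have stopped."""
    return [line for line, decision in filter_log(lines) if decision.action == "block"]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "src=10.0.0.25 dst=203.0.113.9 dport=25",    # mail relay sending mail: allowed
    "src=10.0.0.42 dst=203.0.113.9 dport=25",    # workstation sending mail directly: blocked
    "src=10.0.0.42 dst=198.51.100.7 dport=443",  # ordinary HTTPS: allowed
    "src=10.0.0.42 dst=198.51.100.7 dport=6667", # unexpected outbound port: blocked
    "src=10.0.0.42 dst=10.0.0.1 dport=22",       # internal SSH: not an egress matter
]

if __name__ == "__main__":
    for line, decision in filter_log(SAMPLE_LOG):
        print(f"{decision.action:5}  {line}  ({decision.reason})")
```

The second and fourth sample lines are the ones a keystroke log would only reveal after the fact; the filter refuses them at the network edge instead.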
There is, however, another concern with keyloggers in business: unauthorised key logging by outsiders, or by rogue staff. Here, a software or hardware keylogger could be planted on a system, passwords collected, and the keylogger removed later. This is often easier than it sounds. Many businesses have a reception area where the staff have access to the internal network. It is easy for a visitor to attach a hardware keylogger to such a system whilst the receptionist is answering the phone or looking for paperwork pertaining to their visit.
Furthermore, many businesses have open-plan work areas, most of which are relatively easily accessible to the public. Again, attaching a keylogger goes mostly unnoticed.
To prevent this kind of attack, access to the back of the computer should be restricted. Putting the systems into locked boxes, or locking them in a cupboard under the desk with access only to the power switch and the CD / floppy drives, and perhaps USB for flash drives (but beware of data entering or leaving the building on flash drives), prevents someone installing a hardware keylogger without cutting the keyboard cable and splicing it in. That would take significantly longer, and be much more noticeable, than simply attaching a PS/2 keylogger to the back of the computer.
This solution does not prevent software keyloggers being installed. In some cases this is difficult to prevent, because the users may need administrative access to the computer. In most cases, however, it is possible to limit the access permissions of a user and to restrict which software can be run. These steps will thwart most attempts to log keystrokes on such systems.
[...] On to Part 2 …. Article by Bryce W. Bryce has been running a successful onsite computer repair business in Australia for 4 years. In his off time he works as an internet entrepreneur building and developing websites. One response to “The Ethics Of Key Loggers”: jme751 says (June 19th, 2007 at 12:37 am): Great article! This is such a difficult topic to look at from both sides of the issue. As an employee you feel like your privacy is encroached. As a parent, you are protecting your children. I’m sure a huge lawsuit will come about in the near future that will lay out the future of keyloggers for all of us. [...]
Great points, well thought out. I can appreciate both sides of the argument, but for me… it boils down to what the customer wants. While I may agree with most points made thus far in both segments, it’s the client who pays the bill. If they want to monitor activity… I’ll set them up. It’s kind of like a pharmacist who chooses not to dispense contraceptives based on their personal beliefs. They’re entitled to their opinions, but it’s the customer who needs help.
I will do pretty much what the paying customer asks. If they want a key logger I’ll set it up for them; it’s their computer and it’s not illegal. If a boss wants to monitor his/her employees, it’s their business and to a certain extent their right to do so; if you don’t like it then don’t work there.