Acceptable Use Policies (AUPs) may not top the list of the most exciting information security topics, but AUPs play an important role in educating employees about what type of behaviour is permitted when using company assets. Employees or users operating outside of the rules can increase the likelihood of:
- Accidental data breaches. Employees copying sensitive data to their personal cloud storage accounts may lead to the data being shared outside your organisation.
- Business operations disruption. Ransomware introduced via inappropriate web browsing could erase an employee’s work, disable their computer or even bring down your organisation’s entire network.
- Reputational damage. Any data breach that becomes public will be tried in the court of public opinion, and is likely to damage your brand—especially if it could have been easily prevented.
“It says here that the threat’s coming from inside the office.”
AUPs help to limit the risks posed to an organisation by the actions of employees, consumers, contractors and vendors. Anyone who interacts with your company’s IT infrastructure should know exactly what is expected of them through the AUP. The purpose of the AUP is to safeguard the business and its property, both physical and intellectual, from the risks posed by anyone who uses your systems.
A good AUP should cover both the inadvertent and intentional actions of these users. The policies are best described in plain language, rather than endless pages of legalese. If you want an AUP to gain acceptance, it has to be well understood by the target audience. Whether dealing with a minor infraction or a rogue employee, your HR and legal teams will thank you for having the clearest possible definition of what behaviour is permitted.
It’s also important to set out exactly how compliance with the AUP is monitored and enforced. Monitoring could include an anonymous tip-line or email inbox, a program of random audits, web proxy logging, Endpoint Detection and Response (EDR) systems and network forensics techniques. It’s important for your users to know that AUP compliance is being monitored continuously, as it reminds everyone to be mindful of the policy. In some cases, its existence alone may be enough to deter users from breaching the policy.
You should avoid allowing exceptions to the AUP. Too many organisations have an AUP on paper, but grant exceptions to nearly every person in management and leadership positions. Remember, a practical defence has to be 24/7 and all-encompassing. An efficient attacker, on the other hand, only has to find one point of weakness to gain entry. Additionally, any user witnessing a violation of the AUP is less likely to report the infraction if they’ve seen previous violations go unpunished. Employees raising their concerns about other users’ behaviour or suspected insider threats can stop a negative situation from becoming much worse.
Disgruntled employee—the Absolute Zero
A case investigated by the Verizon Threat Research Advisory Center (VTRAC) Investigative Response Team, and featured in the 2017 Data Breach Digest (DBD), involved an insider using their administrative privileges to take control of other users’ system accounts. The user was a manager who had become disgruntled during an organisational restructure. The manager was collecting sensitive information to transfer and use at a new job.
Log analysis tracking suspicious application failures revealed that the user had logged into a server shortly before the errors were reported. During a subsequent interview, the manager admitted logging into multiple email servers to collect confidential data for personal use. A deeper investigation revealed that mass deletion commands had been scheduled to run in the future, at a time designed to cause maximum disruption to the business.
After the incident response activities had concluded, the victim organisation conducted a post-action review. The lessons learned included maintaining a “need to know” policy regarding company restructuring, having an action plan to mitigate vindictive behaviour by those affected, and working closely with HR and legal teams throughout the investigation.
Having an AUP in place—one which clearly restricted unauthorised account access and listed safeguards such as auditing or alerting—may have dissuaded the manager from malicious actions in the first place.
“I’m going to allow it.”
While it’s important to list what is unacceptable in an AUP, it’s also advisable to offer alternatives to these forbidden actions, and provide some examples of usage that is permitted. This is especially important in environments where corporate assets are not used solely for business purposes, or where employees might expect a certain amount of leeway in their internet usage and time management. Some common examples include:
- Using a company smartphone to check the weather on the way to a meeting. No-one wants to get caught in the rain.
- Reading the headlines of a popular news site during a lunch break. Reputable mainstream news sites tend to be relatively low-risk.
- Listening to music through a legitimate streaming service or online radio station when working late. The additional bandwidth used may be less of an issue if it’s outside office hours.
It’s important to strike the right balance between strong security and practicality for employees. Often the best policies are those that improve security, without causing too much trouble for users who do follow the rules. Examples of things that might not be permitted include:
- Streaming video during major sporting events. This may consume bandwidth needed for legitimate business functions.
- Checking personal emails using a work computer. This could introduce an unmonitored attack vector for phishing, ransomware and other malware.
- Storing company data on personal storage. Data breaches or theft may occur from incorrectly configured or maliciously used personal storage accounts. Corporate-owned storage tends to be more secure, because security features such as Two-Factor Authentication (2FA) and storage encryption can be implemented.
The more difficult aspects of an AUP
Once you have some scenarios of authorised and prohibited user activities enshrined in your AUP, it’s time to tackle some trickier issues.
For example, consider which employees need to use social media for their roles. The AUP should cover users that need access to post on behalf of the company, as well as those who do not require direct access. This is often going to be role-based, so it’s important that employees know exactly what is appropriate and what is expected of them when it comes to social media use.
For mobile devices, consider which devices may be used for business functions and in what situations. For organisations that issue company-owned mobile devices this may seem obvious, but when bring your own device (BYOD) policies are implemented, it can become more complicated. Mobile device management (MDM) platforms can collect information from these devices, but check that the level of data being collected matches what is outlined in your AUP. The AUP should not be seen solely as the responsibility of IT support; it should involve HR, legal and IT security stakeholders. It should also state which devices may be used to access and store any given information.
Defining acceptable use of company resources, devices and information up front can save time for a company’s IT staff, security group, HR team and legal counsel. It may take some time to create a comprehensive AUP for your organisation, and it should ideally be reviewed periodically so your policy keeps up with changes in your IT infrastructure. However, compared to the cost, damage and upheaval of a data breach, creating and maintaining a good AUP is a worthwhile investment.
About the author
Chris Tappin is an expert witness in Computer Forensics (CF) and holds a BSc Hons in Forensic Computing. Chris has Law Enforcement CF experience and is a Certified GIAC Network Forensics Analyst and EnCase Certified Examiner. Chris is a Principal Consultant in the VTRAC Investigative Response Team, and helps Verizon clients with Computer Forensics and Incident Response (CF/IR) incidents such as data breaches, PCI investigations and insider threats. Chris also delivers proactive services, such as training and tabletop incident simulations.