7

I just attended a recruitment session for a major healthcare provider in the United States. The presenter, a high-ranking member of one of their IT divisions (not security specifically), mentioned that they use a lot of security software on their client machines, including keyloggers. This person may have misspoken, but there were other members from their various IT departments present, and none of them issued a correction.

This caught me off guard. While I understand that employers, especially in an industry such as healthcare, have an obligation to protect their information from improper disclosure and their machines from abuse, this seems like a step too far.

Is this behavior common in the information security world? A vast majority of the information I found was, as expected, related to the detection, removal, and circumvention of keyloggers. I did find this question (closed as too broad) which has an answer saying that this is uncommon, but since that was only tangentially related and mentioned in passing by one person, I would be much more interested in answers from industry veterans.

schroeder
ndm13

1 Answer

5

It's hard to justify whether it is common or not, as it's unlikely one could come up with reliable statistics.

What is for sure is that such an approach clearly exists. A security solution applied by a company depends heavily on its threat model, and there is such a thing as insider threat (basically, when a malicious employee steals or modifies your data on purpose). Some organizations take it very seriously and choose complicated paths to deal with it, including permanent video recording in all rooms of their back office, screen recording, or, yes, key logging.

As a person who has once seen a surveillance camera in a restroom of a company that was, by the way, also somehow related to healthcare, I'm not surprised at all by what you've seen today. Healthcare companies always try to take the privacy issues of their customers very seriously, sometimes even overcaring about those.

A keylogger, which is, yes, usually meant to be malware, is just a tool here. As with a gun, you can use it to steal something or to protect yourself. Guns don't kill people, people do; and keyloggers don't steal your data. Criminals do.

All that being said, under most circumstances for most of the aspects of the insider issue there are more effective solutions, and there are of course numerous pitfalls of such an approach, ranging from privacy issues (leading finally to low workforce motivation) to assumed inefficiency of such solutions without proper SIEM and UEBA systems, properly integrated with each other. See, when you're collecting all the key strokes from all your workstations, it's a huge amount of data a human can't look through on a regular basis, so you basically need to thoroughly analyse typical user behaviour models with some algorithms to track down what's unusual. This is a task generally rather hard to solve.

Once again, it depends on a threat model whether an organization will accept all the challenges, some of which are outlined above, and go this way or will stick to other options. Of course, if this way is too much for you, you're probably free not to accept a job offer.

(There's a chance, by the way, that the organization you're talking about doesn't really accept those challenges and is just tricking you into thinking you're being watched and recorded, while in fact you're not. You'll probably never know that for sure, unless some amount of binge drinking with members of your information security team happens eventually.)

ximaera
  • There is another use case: auditing. By using keyloggers, the company can track what was done with the data. It can be used as a DLP-type solution. I have used keyloggers this way. – schroeder Mar 13 '18 at 22:50
  • This is a really good answer. I'm probably going to accept it tomorrow, barring an answer from someone who has first-hand experience with keyloggers as security devices. I kinda wanted to avoid the "it's very possible, but I don't know" argument, but that may be the best one there is if nobody here has actually deployed a keylogger. – ndm13 Mar 14 '18 at 17:25
  • @ndm13 I don't quite understand what you want :-) I had such an experience, I've outlined how that software is used generally and what the reasons are. But what you were asking is basically worldwide statistics about usage of keyloggers? Nobody has it, except (maybe) for the likes of Gartner etc., and they usually don't give out such things for free. – ximaera Mar 14 '18 at 17:35
  • I was hoping for someone to step forward and say that they've worked on such a system, which I haven't seen anyone do (and at this rate likely won't). In the absence of first-hand experience, your answer is an excellent option, since it covers the motivation, reasoning, and logistics of implementing and using such a system. The only downside is that we still don't have any evidence that this is a thing that happens. I hope that clears things up. – ndm13 Mar 14 '18 at 17:40
  • Or, for that matter, a counterargument: having an industry veteran with decades of experience in banking, healthcare, or other highly regulated industries say that they've never seen this anywhere would be a great addition. – ndm13 Mar 14 '18 at 17:43
  • @ndm13 I've seen that live, yes. And I know a couple of companies (won't advertise them here) whose main expertise is selling such solutions. The very fact that both companies are still in business after a bunch of years pretty much speaks for itself. – ximaera Mar 14 '18 at 17:45
  • I didn't see mention of that in your answer, but that adds a lot of credibility. Thanks for the detailed response! – ndm13 Mar 14 '18 at 17:47
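
The answer's point that logged input is too much for a human to read and has to be compared against each user's typical behaviour, as an added example (not part of the original answer or comments): a per-user baseline built from the median and MAD of daily keystroke counts. The metric, the sample data, the function names and the 3.5 threshold are assumptions made for illustration.

```python
from statistics import median

# Constructed sample data: keystroke events per day in a records application.
ALICE = [4100, 3900, 4300, 4000, 4200, 4050, 15800, 4150]
BOB = [900, 1100, 950, 1000, 1050, 980, 4000, 990]
EVENTS = [("alice", d + 1, c) for d, c in enumerate(ALICE)] + \
         [("bob", d + 1, c) for d, c in enumerate(BOB)]


def robust_score(history, value):
    """Modified z-score of `value` against `history` (median/MAD based).

    Median and MAD are used instead of mean and standard deviation so that
    one earlier outlier in the history does not distort the baseline.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # perfectly flat history: any change at all is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def flag_unusual(events, min_history=5, threshold=3.5):
    """Return (user, day, count, score) for days far from that user's own norm."""
    by_user = {}
    for user, day, count in sorted(events):
        by_user.setdefault(user, []).append((day, count))

    alerts = []
    for user, rows in by_user.items():
        for i, (day, count) in enumerate(rows):
            history = [c for _, c in rows[:i]]  # only days before this one
            if len(history) < min_history:
                continue  # not enough data to call anything unusual yet
            score = robust_score(history, count)
            if abs(score) >= threshold:
                alerts.append((user, day, count, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for alert in flag_unusual(EVENTS):
        print(alert)
```

A count of 4000 is an ordinary day for the first user and an alert for the second, which is why a single global threshold over all workstations does not work.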