(Updated on 02/22/2021)
You may already be familiar with the term keylogging, short for keystroke logging, which describes the recording of every key press on a computer keyboard by software known as a keylogger. Keyloggers are most commonly associated with software that is surreptitiously installed on a computer, either by way of malware (such as a Trojan) or by someone with physical access to the computer (a suspicious spouse, perhaps?). These keyloggers are used to covertly monitor a user’s activity in order to collect login credentials, financial account details, email/chat communications and other private information.
However, in this post I will be discussing corporate keyloggers – software installed by an employer on the organization’s computers in order to track the activity of users on those computers, for purposes such as IT security and regulatory compliance. In almost all cases, employees are well aware that the software is installed; in fact, informing employees that they are being monitored is required by employee privacy regulations in many jurisdictions.
What are the Purposes of Corporate Keylogging?
Corporate keyloggers track and record the computer activities of employees and contractors for three purposes:
- Real-time Monitoring and Alerting – To help administrators and IT security personnel ensure that they are immediately aware of any dangerous, suspicious or out-of-policy user behaviors, so that they can intervene and prevent harm to the organization
- After-the-Fact Investigation – To help administrators investigate system failures, data breaches and other inadvertent or malicious user actions during root-cause analysis and forensic investigations
- Compliance Auditing – To help auditors more quickly determine how well the company is complying with relevant laws and regulations, or who violated them
How is Corporate Keylogging Used?
Both because of employee privacy concerns (more about this later) and because of the impracticality of manually reviewing everything that users type, corporate keylogging data is not typically available for manual review. Instead, the data is used for:
- Keyword Searches – Administrators and auditors can search the keylogging data to instantly discover any time that someone entered a particular word or value related to an incident under investigation.
- Real-time Alerts – Rules can be defined to alert administrators any time sensitive values are entered, commands are executed, or a potential insider threat is detected.
What is Advanced Corporate Keylogging?
Basic keyloggers simply record the actual keystrokes typed by the user, but if you stop to think about it, the usefulness of this kind of keylogging is rather limited. Let’s say during an investigation, an administrator wants to determine who entered a particular IP address into a DNS configuration dialog or a VIP patient name into a search box.
There are numerous reasons why the actual address or name will never appear as a series of keystrokes in the records of a simple keylogger. For example: the user typed some wrong characters and pressed Backspace while entering the text, pasted the text in, used UI controls to change the number in a text box, or edited only a portion of an existing string to get the final result. The list goes on, but the point is made: trying to utilize a “dumb” series of keystrokes in searches or alert rules will frequently not result in relevant “hits”.
How does Advanced Keylogging Help Your Organization?
Advanced keylogging addresses all of the above-mentioned limitations and more, by allowing searching and alerting in all of the following circumstances:
- Text Editing – If the user edits existing text within a control, both the old and new versions of the text are captured.
- Partial Typing – Even if only one character within a block of text is changed, added, or deleted, the entire text, including the new character, is captured.
- Copy/Paste – Text pasted using the Windows Clipboard.
- Auto-Complete/Spell-Checking – The keylogger captures the entire text entered even when using aids that do not require typing the full text manually.
- Drop-Down Lists – Changed field values that are selected from drop-down lists.
- Checkboxes – Changed check box selections, including the description of the check box.
- Click/Spin Controls – Changed numeric values.
- Using Shortcut Commands – Commands entered in a CMD window using shortcuts, such as Tab and up/down arrows.
- Unix/Linux Commands – Including commands run by scripts and underlying system commands.
Because advanced keylogging captures all types of final text entries, text entries made using the mouse, and even the names of certain UI controls, it is actually far more useful than the word “keylogger” implies!
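To make the limitation concrete, here is an added example (not code from the original post or from Proofpoint) that models one editing session in a text control as a constructed event stream: a typo corrected with Backspace, then a pasted value edited in place. A basic keystroke log never contains the final values, while a log of committed final values does; the event names and the two sample addresses are my own assumptions.

```python
def typed(text):
    """One 'type' event per character."""
    return [("type", ch) for ch in text]

class TextControl:
    def __init__(self):
        self.buffer = ""      # current contents of the focused control
        self.raw_keys = []    # what a basic keylogger records
        self.committed = []   # final values an advanced logger records

    def apply(self, event):
        kind, args = event[0], event[1:]
        if kind == "focus":                # cursor moves to an empty control
            self.buffer = ""
        elif kind == "type":               # one character typed
            self.buffer += args[0]
            self.raw_keys.append(args[0])
        elif kind == "backspace":          # delete the last character
            self.buffer = self.buffer[:-1]
            self.raw_keys.append("<BS>")
        elif kind == "paste":              # clipboard insert, no keystrokes
            self.buffer += args[0]
            self.raw_keys.append("<Ctrl-V>")
        elif kind == "replace":            # select a range and type over it
            start, end, text = args
            self.buffer = self.buffer[:start] + text + self.buffer[end:]
            self.raw_keys.extend(text)
        elif kind == "commit":             # control loses focus: value is final
            self.committed.append(self.buffer)

def run_session(events):
    """Return (basic keystroke log, list of committed final values)."""
    ctl = TextControl()
    for ev in events:
        ctl.apply(ev)
    return "".join(ctl.raw_keys), ctl.committed

def search(term, raw_log, final_values):
    """Run the same keyword search against both kinds of log."""
    return {"keystrokes": term in raw_log,
            "final_values": any(term in v for v in final_values)}

# Constructed session: a typo fixed with Backspace in one control, then a
# pasted address whose last octet is edited in place in a second control.
SESSION = ([("focus",)] + typed("10.0.0.6") + [("backspace",)] + typed("5")
           + [("commit",), ("focus",), ("paste", "192.168.1.20"),
              ("replace", 10, 12, "99"), ("commit",)])
```

Searching the keystroke log for either final address returns no hit, while the final-value log finds both; only the mistyped "10.0.0.6" is visible to the basic logger.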
The Benefits of Keylogging & Video Recording
When a user activity monitoring system combines advanced corporate keyloggers with video recordings of all user sessions, the value of the video recordings is dramatically increased.
Having thousands of hours of session recordings is nearly useless if the videos are not indexed and searchable: it is simply not practical to sit through so much video looking for particular user actions. Furthermore, the action of interest might never even appear on the screen. Therefore, it’s critical for administrators and auditors to be able to run keyword searches against the keylogging data to find what they are looking for. Each search hit should be linked directly to the moment of video where the action occurred!
As mentioned, searchable terms may include actual text or commands entered by the user, but also text that was pasted, edited, auto-completed, or entered using the mouse, as well as the names of applications run, windows opened, files accessed, and URLs visited. In Unix/Linux environments, search hits will include commands executed (whether typed directly or run via a script or alias), command parameters and arguments, the names of the resources affected by those commands, and even the underlying system calls.
Examples of Advanced Corporate Keylogging
- Real-time Alerting – A hospital’s security administrator has configured alert rules to inform him anytime someone accesses the records of any of the hospital’s famous patients. When an IT consultant looked up one of the patients on the watch-list in the EHR system, the administrator was instantly notified by the system. He approached the consultant to investigate if there was a valid reason for accessing the record.
- Incident Investigation – An administrator wanted to know who entered a particular value into a critical registry key. Searching for the key’s value, a single hit was found, including the user name and exact date/time. Watching the video linked to that event, the administrator could see the user never typed in the value, but used the backspace key to delete part of a longer, initial value. A typical keylogger would never have found a match.
- Internal Auditing – An auditor discovered that someone unchecked the “Log visits” checkbox for a particular server in IIS. Wanting to know who did this, he searched for the name of the checkbox (“Log visits”) and received a list of occurrences where the checkbox was unchecked, including the user’s name and exact date/time. The linked session video revealed what the user had been doing before and after clicking the checkbox.
- SOX Auditing – During a routine review, an auditor for a bank discovered that some files on a Linux document server were prematurely deleted. Because SOX section 802 mandates that these files must be stored for at least five years, he had discovered a serious violation that could potentially lead to fines or even prison time. A quick search in the user activity monitoring system revealed who deleted the files, when and how.
What about Employee Privacy?
This overview of advanced corporate keylogging would be incomplete without mentioning employee privacy.
Organizations deploying user activity monitoring systems, such as keyloggers, must usually notify employees that they are being monitored. At the same time, organizations have a serious obligation to protect the highly sensitive information such systems capture, including employee passwords and emails, from misuse, abuse, or falling into the wrong hands.
For this reason, the recorded keylogging data should be hashed immediately upon capture, using a salted hash algorithm (such as SHA256), rather than stored in readable form. Hashing makes the stored data essentially unreadable and irreversible, yet it remains searchable: a search term or alert value is hashed with the same salt and compared with the stored hashes. In other words, the keylogging data can be used for searching and alert generation while the data itself permanently remains completely unreadable.
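The following is an added example (not code from the original post or from Proofpoint) of the scheme this paragraph describes: each captured final value is salted-hashed with SHA-256 on capture, only the hashes are indexed, and both keyword searches and watch-list alert rules hash their term with the same salt. The per-token hashing, the case normalisation, and the secret per-deployment salt are my own design assumptions; the indexed captures are constructed.

```python
import hashlib
import re

# Assumed design (not Proofpoint's): one random salt per deployment, generated
# with os.urandom(32) and protected like a key, since a known salt would let
# short values (addresses, names) be guessed offline. A fixed constructed
# value is used here only so the example is reproducible; never reuse it.
SALT = b"constructed-demo-salt-not-for-production"

def hash_term(term, salt):
    """Salted SHA-256 of a case-folded term; the only form that is stored."""
    return hashlib.sha256(salt + term.casefold().encode("utf-8")).hexdigest()

def index_entry(value, user, control, ts, salt):
    """Index one captured final value: hash the whole value and each token so
    both exact-value and single-keyword searches work; plaintext is dropped."""
    tokens = set(re.findall(r"\S+", value)) | {value}
    return {"user": user, "control": control, "ts": ts,
            "hashes": {hash_term(t, salt) for t in tokens}}

def search(index, term, salt):
    """Hash the query with the same salt and match against stored hashes."""
    h = hash_term(term, salt)
    return [e for e in index if h in e["hashes"]]

def fires_alert(entry, watchlist_hashes):
    """Real-time rule: does the entry contain any watch-listed value?"""
    return bool(entry["hashes"] & watchlist_hashes)

def build_index(salt=SALT):
    """Constructed captures modelled on the post's scenarios."""
    captures = [
        ("10.0.0.5", "jsmith", "DNS server address", "2021-02-22T09:15:00Z"),
        ("Log visits", "consultant1", "IIS logging checkbox", "2021-02-22T10:02:00Z"),
        ("rm -r /srv/docs/2016", "root", "bash", "2021-02-22T11:40:00Z"),
    ]
    return [index_entry(v, u, c, t, salt) for v, u, c, t in captures]

# Watch-list values are hashed once, at rule-definition time.
WATCHLIST = {hash_term(v, SALT) for v in ("10.0.0.5", "/srv/docs/2016")}
```

Because only hashes are stored, a search for a value that was never entered returns nothing, and a search with the wrong salt returns nothing either.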
Keylogging is a necessary tool for protecting your company’s sensitive data. Advanced keylogging will enable you to be proactive and protect your company from the inside out.