Nosy Admin Snoops Managing Partners Email

The Network: A law firm headquartered in the U.S. East Coast with a dozen offices worldwide.

The Expectation: Email is the “killer” app for attorneys. Confidentiality of electronic communications is essential and to be expected. Law firm uses on-premises Microsoft Exchange as the hub of email communications. This is considered to be safe and controlled.

The Catch: Netsurion’s EventTracker detected a privileged user (admin on the Exchange box) abusing his privileges to view a Managing Partner’s email communications.

The Find: Microsoft Exchange users can share items like calendars and delegate access. Senior staff do this regularly so that their calendar can be maintained and coordinated. However, while an admin has complete power and can view everything, it doesn’t mean that s/he should.

The Fix: Institute monitoring since such behavior cannot be prevented. High priority alerts are defined to capture this type of situation. Make sure to filter out legitimate access such as calendar delegation to minimize false positives.

The Lesson: Compliance and privacy are impacted by snooping employees who exceed their “need to know” role and responsibility. Security awareness training and Role-Based-Access-Control can educate and limit rogue employees. Comprehensive 24/7/365 monitoring by the Netsurion SOC quickly detects and helps respond to harmful employee access.