I have read of people working in IT departments who have been
exposed as former hackers. Is this a security threat and how can I
vet my IT staff to ensure they do not have a dubious background?
Ensure your firm makes proper security checks
Richard Woods, NCC Global
Having a former hacker working in your IT department could be a
major security threat because it demonstrates that formal vetting
procedures have not been implemented.
However, there may be a good reason for employing a former hacker,
particularly where their expertise is known and it is being used
for positive means (as opposed to destructive reasons or for
corporate espionage).
It is important that an employee's history is known by the employer
prior to them starting work. Many organisations do not have the
patience to wait for formal clearance or do not make any attempt to
formally vet staff. In particular, temporary staff, contractors and
consultants are often excluded from vetting procedures.
There should be a clear understanding with the human resources
department when recruiting staff with security responsibilities
that formal checks are made and references are taken up. An
employee's access to systems should be in line with appropriate
clearance and assessed risk. BS7799 includes staff vetting as a
control.
Try using a hacker's skills to your advantage
Sharm Manwani, Henley Management College
Recently the British Computing Society and Henley Management
College conducted an IT security survey of senior IT managers. A
key finding was that breaches of confidentiality were seen as a
greater risk than data integrity issues or availability problems,
where only 11% rated these as a low risk.
This was further reinforced by a finding that internal fraud and
abuse was a greater concern to respondents than external
hackers.
Clearly it is advisable to avoid recruiting personnel who pose a
threat to your systems. However, it is also important to ensure you
have a secure environment. In the security survey, less than 50% of
responding organisations had adopted policies such as separating
staff duties to avoid a conflict of interest and organising IT
security training and awareness.
A final thought. A former hacker will have an understanding of
security breaches. It might be worth using that experience,
although you may prefer to do this on a consultancy basis.
Do an internet search to gather information
David Hughes, Partner, Deloitte & Touche
Organisations are definitely at risk from internal hackers and not
just from within the IT department.
How confident are you that any other employees, temporary staff,
contract security or cleaning staff are not damaging your systems?
You must question whether the processes and technology to detect
anomalous behaviour are already in place.
A persistent hacker may systematically work their way through your
systems, maybe for financial gain or just for the technical
challenge. You can certainly reduce the risk by vetting potential
employees and identifying those that may be dishonest or represent
a threat.
There is no substitute for a thorough hiring process by a human
resources department where employment history, continuity and
employer references are checked, but these can also be supplemented
with more detailed investigations.
Use resources such as www.192.com to verify the applicant's address
and search for other previous addresses. Identify the names of
others who may live with the applicant. Use the internet to search
on those names and addresses and see what turns up - you may be
surprised.
Use search engines such as Google and check newsgroups and internet
registration for networks and domain names. If your applicant is
involved in dubious activities they may well own some "assets" on
the internet.
You may also consider a more detailed investigation by performing
credit checks, identity verification, a criminal records search and
education and qualification verification.
However, under the Data Protection Act and other privacy
legislation, the applicant's written permission must be obtained
before starting any investigative search. This alone may be enough
to scare off an applicant with something to hide.
Enlist a company to help you check staff backgrounds
Robin Laidlaw, President, CW500 Club
The internal security threat is estimated to account for more than
60% of business losses and this is not limited to people working in
IT departments.
All new employees should have their references checked and,
depending upon the nature of their position, a criminal records
check. New IT employees with administrator privileges should
definitely have a criminal records check.
There are several companies which can provide this vetting service
but the Criminal Records Bureau would be a good place to start. It
is also a good idea to continually monitor internal systems for
security violations, a service provided by companies such as
Iconium.
www.iconium.co.uk
www.crb.gov.uk
Once a hacker, always a hacker
Mike Barwise, Computer Security Awareness
I would never knowingly employ an ex-hacker, as it is rare for
malicious hackers to truly reform.
Hacking is rooted in an intrinsic personality flaw and a general
disregard for the property and privacy of others. Apparent reform
is generally driven by expediency or perceived personal best
interest, which makes it fragile. You cannot afford to have a
technically competent person you cannot trust handling your
information assets.
To identify hackers among your job candidates, you must pay
attention to detail without letting it be seen by candidates that
you are screening for hackers.
The human resources department should ask for full references with
explicit descriptions of duties. They should verify all employers
and employment dates and challenge any vagueness or gaps.
A technical expert on the interview panel should ask searching
questions about preferred methods and choice of tools for typical
scenarios involving security-sensitive problems. The answers will
tell you a lot about a candidate's background.
Above all, do not advertise the "need for probity" or mention
hacking or hackers in the job advertisement, applicant pack or at
the interview. This would prime the hacker so they could play the
expected part. Approach the issue searchingly but indirectly, so
that true motivation and attitudes are exposed.