Ensure your firm makes proper security checks
Richard Woods, NCC Global
Having a former hacker working in your IT department could be a major security threat because it demonstrates that formal vetting procedures have not been implemented.
However, there may be a good reason for employing a former hacker, particularly where their expertise is known and it is being used for positive means (as opposed to destructive reasons or for corporate espionage).
It is important that an employee's history is known by the employer prior to them starting work. Many organisations do not have the patience to wait for formal clearance or do not make any attempt to formally vet staff. In particular, temporary staff, contractors and consultants are often excluded from vetting procedures.
There should be a clear understanding with the human resources department when recruiting staff with security responsibilities that formal checks are made and references are taken up. An employee's access to systems should be in line with appropriate clearance and assessed risk. BS7799 includes staff vetting as a control.
Try using a hackers' skills to your advantage
Sharm Manwani, Henley Management College
Recently the British Computing Society and Henley Management College conducted an IT security survey of senior IT managers. A key finding was that breaches of confidentiality were seen as a greater risk than data integrity issues or availability problems, where only 11% rated these as a low risk.
This was further reinforced by a finding that internal fraud and abuse was a greater concern to respondents than external hackers.
Clearly it is advisable to avoid recruiting personnel who pose a threat to your systems. However, it is also important to ensure you have a secure environment. In the security survey, less than 50% of responding organisations had adopted policies such as separating staff duties to avoid a conflict of interest and organising IT security training and awareness.
A final thought. A former hacker will have an understanding of security breaches. It might be worth using that experience, although you may prefer to do this on a consultancy basis.
Do an internet search to gather information
David Hughes, Partner, Deloitte & Touche
Organisations are definitely at risk from internal hackers and not just from within the IT department.
How confident are you that any other employees, temporary staff, contract security or cleaning staff are not damaging your systems? You must question whether the processes and technology to detect anomalous behaviour are already in place.
A persistent hacker may systematically work their way through your systems, maybe for financial gain or just for the technical challenge. You can certainly reduce the risk by vetting potential employees and identifying those that may be dishonest or represent a threat.
There is no substitute for a thorough hiring process by a human resources department where employment history, continuity and employer references are checked, but these can also be supplemented with more detailed investigations.
Use resources such as www.192.com to verify the applicant's address and search for other previous addresses. Identify the names of others who may live with the applicant. Use the internet to search on those names and addresses and see what turns up - you may be surprised.
Use search engines such as Google and check newsgroups and internet registration for networks and domain names. If your applicant is involved in dubious activities there may well own some "assets" on the internet.
You may also consider a more detailed investigation by performing credit checks, identity verification, a criminal records search and education and qualification verification.
However, under the Data Protection Act and other privacy legislation, the applicant's written permission must be obtained before starting any investigative search. This alone may be enough to scare off an applicant with something to hide.
Enlist a company to help you check staff backgrounds
Robin Laidlaw, President, CW500 Club
The internal security threat is estimated to account for more than 60% of business losses and this is not limited to people working in IT departments.
All new employees should have their references checked and, depending upon the nature of their position, a criminal records check. New IT employees with administrator privileges should definitely have a criminal records check.
There are several companies which can provide this vetting service but the Criminal Records Bureau would be a good place to start. It is also a good idea to continually monitor internal systems for security violations, a service provided by companies such as Iconium.
Once a hacker, always a hacker
Mike Barwise, Computer Security Awareness
I would never knowingly employ an ex-hacker, as it is rare for malicious hackers to truly reform.
Hacking is rooted in an intrinsic personality flaw and a general disregard for the property and privacy of others. Apparent reform is generally driven by expediency or perceived personal best interest, which makes it fragile. You cannot afford to have a technically competent person you cannot trust handling your information assets.
To identify hackers among your job candidates, you must pay attention to detail without letting it be seen by candidates that you are screening for hackers.
The human resources department should ask for full references with explicit descriptions of duties. They should verify all employers and employment dates and challenge any vagueness or gaps.
A technical expert on the interview panel should ask searching questions about preferred methods and choice of tools for typical scenarios involving security-sensitive problems. The answers will tell you a lot about a candidate's background.
Above all, do not advertise the "need for probity" or mention hacking or hackers in the job advertisement, applicant pack or at the interview. This would prime the hacker so they could play the expected part. Approach the issue searchingly but indirectly, so that true motivation and attitudes are exposed.
This was first published in September 2003