Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
That's what this article is all about - background. When I write articles I generally talk about the background of the paper, and when I do business with a company on any large scale I find out about their credit rating, reputation, and so forth. Many companies have done background checks for a long time, but many still do not do any such checks other than checks that are legally mandated - such as verification of employability status and age (in countries that require such restrictions on employment).
It turns out that many criminal organizations do extensive background checks on their members, sometimes going so far as to put them through entrance exams of increasing intensity as they move up the organization. To get full membership you may have to display a willingness to kill someone in front of other members, participate in crimes with other members, and get tattoos and similar markings as part of the initiation ceremony.
But most legitimate companies don't go quite that far in their background checks and initiation rites. Assuming that you don't want to go as far as the criminals go in verifying eligibility for trusted membership, what can you do to check your fellow employees (and what can they do to check you) to see whether, and to what extent, you can be trusted?
Many companies fail to do even the simplest checks, such as verifying employment with former employers and confirming that the people who wrote reference letters are who they claim to be. There are many cases of employees using false resumes and false reference letters. In one case I saw, the complete folder on an employee being terminated was empty - not a single piece of information was there. Reference checks and resume content should be verified with as independent a source as can be found. Don't trust the phone numbers provided by your applicants - look up the former employer through the phone book or its published directory and call it that way. It's pretty common for a friend to provide the reference at a different phone number.
There are a lot of different sorts of background checks available on the market today. For less than $100 you can generally get a criminal records check in a few jurisdictions and perhaps a credit report on an individual you are considering hiring. While this is generally worth doing, it is of limited value in determining the trustworthiness of a new employee or in verifying the situation of an ongoing employee: it catches only what has already been recorded, and only in the jurisdictions searched.
For more money you can get a more in-depth assessment. Depending on the sensitivity of the job position, you might do financial checks, interviews with neighbors and previous neighbors, verification of travel, verification of payments on loans, prior income, marital status, lifestyle checks, and so forth. You can check children, parents, reputation in community, and on and on.
The pain has only just begun, of course. These days, in information technology at least, we all depend on lots of people we don't know at all, and yet have to trust to some extent in order to function. Does anyone reading this have a background check on all the programmers at the vendor companies that wrote the software that runs our systems? Perhaps a few of you do. If any of them did something bad, your systems might be highly vulnerable and under attack even as we speak. How about your ISP? Did you do a background check on them? Did they do a background check on their employees? How about on their vendors? We all depend on the power and phone companies in our area for the proper operation of our information infrastructure. Do we trust the people there? Why? Did we do background checks? Did they?
The only way to deal with these issues realistically is to understand the dependencies and the risks associated with them and find ways to manage those risks. There are really four approaches to these issues:
Ignore it and suffer the consequences: Many companies - perhaps most - choose to simply ignore this issue. They simply trust their vendors and suffer the consequences when things go awry. In the financial and health care arenas this option is being regulated away for any case involving the exposure of personal or confidential information.
Write contracts with partners that require background checks and punish failure to comply: Many companies have contractual obligations relating to performance of work, but few require background checks of vendors' employees. Some, however, do this. This practice is dominated by government contractors, contractors operating 'secure' facilities, and data warehouse companies.
Check the contractors and let them worry about their employees: In this approach, the contractor is checked rather than its employees. If the contractor's record is clean, the assumption is that its employees are relatively well controlled and do the job. This is a poor assumption because the vast majority of incidents are never publicized, especially by companies that are selling a reputation as a security vendor or selling their high degree of integrity, so a clean public record says little about what actually happened inside.
Find ways to mitigate the risk of less trusted workers in these vendors: This is one of the better strategies available. In this case we mitigate risks associated with employee faults in vendors and suppliers by selecting redundant supply chains, designing systems to be relatively independent of vendors in terms of the harm that could result from vendor impropriety, and so forth.
So background checks on those you depend on can be worked through in one way or another, but they are limited, and thus it is normally prudent to protect content and availability during transport (for example by encrypting and authenticating traffic that crosses a third party's network) and to make yourself as independent of these partners as possible.
For cases where employees and partners misbehave, there are various steps that can be taken to mitigate harm, but for the most part, due diligence is a good start along the way. Typically, contracts are formed that mandate that any information provided must be truthful or sanctions up to and including termination may result. This stops few such fraud attempts but it does provide a convenient response to detected fraud attempts.
In cases where misconduct is criminal - such as violations of the Economic Espionage Act - jail sentences are possible for those you trust who end up acting against the best interests of their employer in the information arena. Employees and potential employees generally have to agree to any investigative process (and agreement can legally be made a condition of consideration for employment), and carrying out background checks without proper permission is itself a risk of criminal sanctions, for example under the Fair Credit Reporting Act.
Finally, there are questions about how far such investigations can reasonably go. For example, US courts have approved drug testing for cases involving public safety, national secrets, child safety, or other similar risks; however, no case has yet tested whether drug testing can be required for programming or operating a computer. The industry in some areas of the world might fail outright if such a requirement were rigorously enforced.
All that glitters is not gold, and all that comes back in a background check is not definitive. Many cases involving false information have occurred, and perfectly fine employees or potential employees may end up being mistreated if this information is believed without in-depth verification. Identity theft, credit card scams, and similar criminal activities tend to poison the databases these checks draw on. Independent verification is often the only way to be certain of the outcome of such a check.
Even when the data from these checks is accurate, analysis of that data and its use in making decisions should be done with care. In many cases a discussion with an employee or candidate will clarify missing data. As an example, an uncle of mine died a few years ago and I received a substantial inheritance (enough to buy a nicer car). If lifestyle checks were being made, this car might represent a profile difference between my pay at the time and my lifestyle and produce a suspicion. If not checked with me, this could result in a wrongful termination, on the job discrimination, unjust suspicion, and so forth.
Any data obtained in the process of a background check must be kept strictly confidential as it is a private matter as far as the employee or candidate is concerned. Failure to maintain strict confidentiality of such information can result in law suits and other legal actions, up to and including substantial fines and criminal prosecution, depending on the specifics of the circumstance.
Background checks are part of the standard practice used in most major companies and many other companies for screening potential employees. They should be used within every organization that has serious consequences associated with security breaches, with more in-depth and more frequent background checks for employees in more highly sensitive or trusted positions.
Care must be taken in making decisions based on information obtained in such checks, to assure that excellent candidates are not unfairly treated and that the information found is properly verified and interpreted.
In networking, interdependencies abound, and internal background checks are not adequate for assuring effective protection across infrastructures. Contracts, checks on contractors and other vendors, and redundancy offer options for assuring that the failure of others to do adequate background checks does not result in unacceptable loss.
About The Author:
Fred Cohen is helping clients meet their information protection needs at Fred Cohen & Associates and Security Posture and doing research and education as a Research Professor in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/