Chapter 6. Personnel Security
At a Glance
This chapter outlines the security issues that emanate from inside the organization. From hiring and firing procedures to employee training and awareness, personnel security plays a critical role in the preventive and defensive measures an organization takes on its own behalf.
Personnel Risks: A Hidden Threat to the Organization
Consider a few personnel incidents that made the news in the last few years:
• Nick Leeson, an investment trader at the Barings Bank office in Singapore, and Toshihide Iguchi of the Daiwa Bank office in New York City, each made risky investments and lost substantial amounts of their bank’s funds. Rather than admit to the losses, each of them altered computer records and effectively gambled more money to recoup the losses. Eventually, both were discovered after each bank lost more than one billion dollars. As a result, Barings was forced into insolvency, and Daiwa may not be allowed to operate in the United States in the future.
• In the U.S., agents and other individuals with high-security clearances at the CIA, the FBI and the Armed Forces (Aldrich Ames, Jonathan Pollard, Robert Hanssen, and Robert Walker, to name a few) were discovered to have been passing classified information to Russia and to Israel. Despite several special controls for security, these individuals were able to commit damaging acts of espionage — in some cases, for more than a decade.
• John Deutch, the director of the CIA under President Clinton, was found to have taken classified government information from the Agency to his house, where the information was stored on classified computers configured for unclassified use and appropriately marked as “unclassified.” While the classified information was resident, these same computers were used to access pornographic web sites — web sites that could have launched attacks against the computers using both public and undisclosed security vulnerabilities. Yet despite the fact that numerous policies and laws were broken, no administrative action was taken against Deutch, and Deutch was issued a Presidential pardon by Clinton on Clinton’s last day of office.
If you examine these cases and the vast number of computer security violations committed over the past few decades, you will find one common characteristic: 100% of them were caused by people. Break-ins were caused by people. Computer viruses were written by people. Passwords were stolen by people.
“Personnel security” is everything involving employees: hiring them, training them, monitoring their behavior, and, sometimes, handling their departure. Statistics show that the most common perpetrators of significant computer crime in some contexts are those people who have legitimate access now, or who have recently had access; some studies show that over 80% of incidents are caused by these individuals. Thus, managing personnel with privileged access is an important part of a good security plan.
People are involved in computer security problems in two ways. Some people unwittingly aid in the commission of security incidents by failing to follow proper procedure, by forgetting security considerations, and by not understanding what they are doing. Other people knowingly violate controls and procedures to cause or aid an incident. As we have noted earlier, the people who knowingly contribute to your security problems are most often your own users (or recent users): they are the ones who know the controls, and know what information of value may be present.
You are likely to encounter both kinds of individuals in the course of administering a Unix system. The controls and mechanisms involved in personnel security are many and varied. Discussions of all of them could fill an entire book, so we’ll simply summarize some of the major considerations. These personnel policies will not prevent security breaches, but they will reduce the security threats posed to your enterprise by your own employees.
Security in the Hiring Process
Background Checks
When you hire new employees, check their backgrounds. You may have candidates fill out application forms, but then what do you do? At the least, you should check all references given by each applicant to determine his past record, including reasons why he left those positions. Be certain to verify the dates of employment, and check any gaps in the record. You should also verify any claims of educational achievement and certification: stories abound of individuals who have claimed to have earned graduate degrees from prestigious universities—universities that have no records of those individuals ever completing a class. Other cases involve degrees from “universities” that are little more than a post office box. Consider that an applicant who lies to get a job with you is not establishing a good foundation for future trust.
Intensive Investigations
In some instances you may want to make more intensive investigations of the character and background of the candidates. Depending on the level of the job and the access that this employee will have to systems and sensitive data, you may want to:
• Have an investigation agency do a background check.
• Get a criminal record check of the individual.
• Check the applicant’s credit record for evidence of large personal debt and the inability to pay it. Discuss problems, if you find them, with the applicant. People who are in debt should not be denied jobs: if they are, they will never be able to regain solvency. At the same time, employees who are under financial strain may be more likely to act improperly.
• Consider conducting a polygraph examination of the applicant (if legal). Although polygraph exams are not always accurate, they can be helpful if you have a particularly sensitive position to fill.
• Ask the applicant to obtain bonding for his position.
In general, we don’t recommend these steps for hiring every employee. However, you should conduct extra checks of any employee who will be in a position of trust or privileged access—including maintenance and cleaning personnel.
We also suggest that you inform the applicant that you are performing these checks, and obtain his or her consent. This courtesy will make the checks easier to perform and will put the applicant on notice that you are serious about your precautions. In some locales you will need the explicit permission of the candidate to conduct these checks.
Rechecks
Once you have finished the tests and hired the candidate, you should consider revisiting some of the checks on a periodic basis. You would then compare the old and new results and observe changes. Some changes should trigger deeper investigation.
For example, if you have an employee who is in charge of your accounting system, including computer printing of checks to creditors, you likely want to conduct more than a cursory investigation, including a credit check. If a recheck occurs every two years and the employee exhibits spending patterns that are far out of line with his salary and personal means, you may decide to investigate further.
Initial Training
Your security concerns with an employee should not stop after that person is hired. Every potential computer user should undergo fundamental education in security policy as a matter of course. At the least, this education should include procedures for password selection and use, physical access to computers and networks (who is authorized to connect equipment, and how), backup procedures, dial-in policies, and policies for divulging information over the telephone. Executives should not be excluded from these classes because of their status—they are as likely (or more likely) as other personnel to pick poor passwords and commit other errors. They, too, must demonstrate their commitment to security: security consciousness flows from the top down, not the other way.
Education should include written materials and a copy of the computer-use policy. The education should include discussion of appropriate and inappropriate use of the computers and networks, personal use of computing equipment (during and after hours), policies on ownership and use of electronic mail, and policies on import and export of software and data. Penalties for violations of these policies should also be detailed.
All users should sign a form acknowledging the receipt of this information, and their acceptance of its restrictions. These forms should be retained. Later, if any question arises as to whether the employee was given prior warning about what was allowed, there will be proof.
Ongoing Training and Awareness
Periodically, users should be presented with refresher information about security and appropriate use of the computers. This retraining is an opportunity to explain good practice, remind users of current threats and their consequences, and provide a forum to air questions and concerns.
Your staff should also be given adequate opportunities for ongoing training. This training should include support to attend professional conferences and seminars, subscribe to professional and trade periodicals, and obtain reference books and other training materials. Your staff must also be given sufficient time to make use of the material, and positive incentives to master it.
Coupled with periodic education, you may wish to employ various methods of continuing awareness. These methods could include putting up posters or notices about good practice, having periodic messages of the day with tips and reminders, having an “Awareness Day” every few months, or having other events to keep security from fading into the background.
Of course, the nature of your organization, the level of threat and possible loss, and the size and nature of your user population should all be factored into your plans. The cost of awareness activities should also be considered and budgeted in advance.
Performance Reviews and Monitoring
The performance of your staff should be reviewed periodically. In particular, the staff should be given credit and rewarded for professional growth and good practice. At the same time, problems should be identified and addressed in a constructive manner. You must encourage staff members to increase their abilities and enhance their understanding.
You also want to avoid creating situations in which staff members feel overworked, underappreciated, or ignored. Such a working environment can lead to carelessness and a lack of interest in protecting the interests of the organization. The staff could also leave for better opportunities. Or worse, the staff could become involved in acts of disruption as a matter of revenge. Overtime must be an exception and not the rule, and all employees—especially those in critical positions—must be given adequate holiday and vacation time. Overworked, chronically tired employees are more likely to make mistakes, overlook problems, and become emotionally fragile. They also tend to suffer stress in their personal lives — families and loved ones might like to see them occasionally. Overstressed, overworked employees are likely to become disgruntled, and that does not advance the cause of good security.
In general, users with privileges should be monitored for signs of excessive stress, personal problems, or other indications of difficulties. Identifying such problems and providing help, where possible, is at the very least humane. Such practice is also a way to preserve valuable resources—the users themselves, and the resources to which they have access.
Auditing Access
Ensure that auditing of access to equipment and data is enabled, and is monitored. Furthermore, ensure that anyone with such access knows that auditing is enabled. Many instances of computer abuse are spontaneous in nature. If a possible malefactor knows that the activity and access are logged, he might be discouraged in his actions.
Audit is not only done via the computer. Logs of people entering and leaving the building, electronic lock audit trails, and closed-circuit TV tapes all provide some accountability.
At the same time, we caution against routine, surreptitious monitoring. People do not like the idea that they might not be trusted and could be covertly watched. If they discover that they are, in fact, being watched, they may become very angry and may even take extreme action. In some venues, labor laws and employment contracts can result in the employer’s facing large civil judgments.
Simply notifying employees they are being monitored is not sufficient if the monitoring is too comprehensive. Some studies have shown that employees actually misbehave more and are less productive when they are monitored too extensively. This is true whether you are monitoring how often they take coffee breaks, timing every phone call, or keeping a record of every web site visited.
The best policies are those that are formulated with the input of the employees themselves, and with personnel from your human resources department (if you have one).
Least Privilege and Separation of Duties
Consider carefully the time-tested principles of least privilege and separation of duties. These should be employed wherever practical in your operations.
Least privilege
This principle states that you give each person the minimum access necessary to do his or her job. This restricted access is both logical (access to accounts, networks, programs) and physical (access to computers, backup tapes, and other peripherals). If every user has accounts on every system and has physical access to everything, then all users are roughly equivalent in their level of threat.
Separation of duties
This principle states that you should carefully separate duties so that people involved in checking for inappropriate use are not also capable of making such inappropriate use. Thus, having all the security functions and audit responsibilities reside in the same person is dangerous. This practice can lead to a case in which the person may violate security policy and commit prohibited acts, yet in which no other person sees the audit trail to be alerted to the problem.
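The two principles above can be checked mechanically during a periodic access review. The following is an added example, not code from the book: it models job roles, the entitlements each role justifies, and pairs of roles that must never be held by one person, then flags both separation-of-duties conflicts and entitlements that no held role justifies (the least-privilege finding). All role names, entitlements and user records are constructed for illustration.

```python
"""Access review: least-privilege and separation-of-duties checks.

Added example (not from the chapter). Role names, entitlements and the
user records below are constructed; replace them with your own inventory.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Logical and physical access that each job role justifies (constructed).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "sysadmin":       {"shell:prod", "shell:backup", "room:server"},
    "accounting":     {"app:ledger", "app:check-print"},
    "security_admin": {"app:firewall-config", "shell:prod"},
    "audit_reviewer": {"log:read-only"},
    "dev":            {"shell:dev"},
}

# Role pairs one person must not hold at the same time (separation of duties).
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    # configures the controls AND reviews the audit trail
    frozenset({"security_admin", "audit_reviewer"}),
    # prints the checks AND checks the books
    frozenset({"accounting", "audit_reviewer"}),
}

# Constructed sample of what the identity system says each person has.
USERS: Dict[str, dict] = {
    "alice": {"roles": {"sysadmin"},
              "entitlements": {"shell:prod", "shell:backup", "room:server"}},
    "bob":   {"roles": {"security_admin", "audit_reviewer"},
              "entitlements": {"app:firewall-config", "shell:prod", "log:read-only"}},
    "carol": {"roles": {"dev"},
              "entitlements": {"shell:dev", "shell:prod", "room:server"}},
}


def review_user(roles: Set[str], entitlements: Set[str]) -> Tuple[List[str], Set[str]]:
    """Return (sod_violations, excess_entitlements) for one person.

    sod_violations: conflicting role pairs the person holds, as "a + b" strings.
    excess_entitlements: access not justified by any held role.
    """
    sod = sorted(" + ".join(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)
    justified = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))
    return sod, entitlements - justified


def access_review(users: Dict[str, dict]) -> Dict[str, dict]:
    """Run review_user over every account; return only the accounts with findings."""
    report: Dict[str, dict] = {}
    for name, rec in users.items():
        sod, excess = review_user(rec["roles"], rec["entitlements"])
        if sod or excess:
            report[name] = {"sod": sod, "excess": excess}
    return report


if __name__ == "__main__":
    for name, finding in access_review(USERS).items():
        for conflict in finding["sod"]:
            print(f"{name}: separation-of-duties conflict: {conflict}")
        for ent in sorted(finding["excess"]):
            print(f"{name}: entitlement not justified by any role: {ent}")
```

Run as a script, it reports that bob both configures controls and reviews the audit trail, and that carol holds production shell and server-room access that her developer role does not justify; alice produces no findings. The review is only as good as the role-to-entitlement table, so that table needs to be maintained with the job descriptions rather than reverse-engineered from current access.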
Limit Your Reliance on Key Employees
No one in an organization should be irreplaceable, because no human is immortal. If your organization depends on the ongoing performance of a key employee, then your organization is at risk. Organizations cannot help but have key employees. To be secure, organizations should have written policies and plans established for unexpected illness or departure.
In one case that we are familiar with, a small company with 100 employees had spent more than 10 years developing its own custom-written accounting and order entry system. The system was written in a little-known programming language, originally supplied by a company that had possibly gone out of business. Two people understood the organization’s system: the MIS director and her programmer. These two people were responsible for making changes to the accounting system’s programs, preparing annual reports, repairing computer equipment when it broke, and even performing backups (which were stored, off-site, at the MIS director’s home office).
What would happen if the MIS director and her programmer were killed one day in a car accident on their way to meet with a vendor? What would happen if the MIS director were offered a better job, at twice the salary? What if the programmer, unable to advance in his position because of the need to keep a key employee in his role, became frustrated and angry at the organization?
That key personnel are irreplaceable is one of the real costs associated with computer systems—one that is rarely appreciated by an organization’s senior management. The drawbacks of this case illustrate one more compelling reason to use off-the-shelf software, and to have established written policies and procedures, so that a newly hired replacement can easily fill another’s shoes.
Absence and Departure
People leave jobs, sometimes on their own, and sometimes involuntarily—as a result of many circumstances, including death or physical incapacitation. In the shorter term, people also take vacations or are absent for family or other personal reasons. In any such cases, you should have a defined set of actions for how to handle the departure or absence. This procedure should include shutting down accounts (not for absence); forwarding e-mail to appropriate parties; changing critical passwords, phone numbers, and combinations; checking voice mail accounts; and otherwise removing access to your systems.
In some environments, this suggestion may be too drastic. In the case of a university, for instance, graduated students might be allowed to keep accounts active for months or years after they leave. If an employee is out on vacation or absent for illness for a few days, you will not shut down his or her account, or change passwords and phone numbers. However, in other environments, a departure is quite sudden and dramatic. Someone may show up at work, only to find the locks changed and a security guard waiting with a box containing everything that was in the user’s desk drawers. The account has already been deleted; all system passwords have been changed; and the user’s office phone number is no longer assigned. This form of separation management is quite common in financial service industries, and is understood to be part of the job. Usually, these are employees hired “at will” and with contracts stating that such a course of action may occur for any reason — or no stated reason at all. Use your common sense; in each case, you must determine exactly what the policy on access should be and articulate that clearly to the employees and the people responsible for implementing that policy.
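Whatever the policy, the departure procedure should end with a verification that the access really is gone. The following is an added example, not the book's own code: it inspects snapshots of a Unix system's account files in the formats of /etc/passwd, /etc/shadow, /etc/group and sudoers, together with installed crontabs and mail aliases, and lists every form of access the departed user still holds. The user name, file contents and alias table are constructed; the "before" and "after" snapshots show the same account before and after the checklist has been carried out.

```python
"""Verify that a departed user's access has actually been removed.

Added example (not from the chapter). The snapshots below are constructed
in the formats of /etc/passwd, /etc/shadow, /etc/group and sudoers; on a real
host you would read the files instead of using these strings.
"""
from typing import Dict, Iterator, List

# Shells that refuse interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def _records(text: str) -> Iterator[List[str]]:
    """Yield colon-separated records, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def residual_access(user: str, passwd: str, shadow: str, group: str, sudoers: str,
                    crontabs: Dict[str, str], aliases: Dict[str, List[str]]) -> List[str]:
    """Return findings for `user`; an empty list means the departure checklist is complete."""
    findings: List[str] = []

    # 1. The login shell should no longer allow interactive sessions.
    for f in _records(passwd):
        if f[0] == user and f[6] not in NOLOGIN_SHELLS:
            findings.append(f"login shell is still {f[6]}")

    # 2. The password should be locked ('!' or '*' prefix) and the account given an expiry date
    #    (shadow field 8), so that non-password paths such as SSH keys also stop working.
    for f in _records(shadow):
        if f[0] == user:
            if not f[1].startswith(("!", "*")):
                findings.append("password is not locked")
            if len(f) < 8 or not f[7]:
                findings.append("no account expiry date set")

    # 3. Supplementary group memberships (wheel, staff, ...) grant access in their own right.
    for f in _records(group):
        members = f[3].split(",") if len(f) > 3 and f[3] else []
        if user in members:
            findings.append(f"still a member of group {f[0]}")

    # 4. A sudoers entry naming the user outlives a locked password.
    for line in sudoers.splitlines():
        if line.split()[:1] == [user]:
            findings.append("sudoers entry still present")

    # 5. cron keeps running the user's jobs even when interactive login is blocked.
    if crontabs.get(user, "").strip():
        findings.append("crontab still installed")

    # 6. Shared aliases that deliver only to the departed user silently lose mail;
    #    the chapter's advice is to forward it to an appropriate party.
    for alias, targets in aliases.items():
        if targets and all(t == user for t in targets):
            findings.append(f"alias {alias} delivers only to {user}; forward it to someone else")

    return findings


# Constructed snapshot taken on the day "bob" leaves, before any action.
BEFORE = dict(
    user="bob",
    passwd="root:x:0:0:root:/root:/bin/sh\nbob:x:1001:1001:Bob:/home/bob:/bin/bash\n",
    shadow="root:*:19000:0:99999:7:::\nbob:$6$abc$hash:19000:0:99999:7:::\n",
    group="wheel:x:10:alice,bob\nstaff:x:50:alice\n",
    sudoers="root ALL=(ALL) ALL\nbob ALL=(ALL) NOPASSWD: /usr/sbin/service\n",
    crontabs={"bob": "0 2 * * * /home/bob/bin/backup.sh\n"},
    aliases={"oncall": ["bob"], "postmaster": ["root"]},
)

# Constructed snapshot after the checklist has been worked through.
AFTER = dict(
    user="bob",
    passwd="root:x:0:0:root:/root:/bin/sh\nbob:x:1001:1001:Bob:/home/bob:/usr/sbin/nologin\n",
    shadow="root:*:19000:0:99999:7:::\nbob:!$6$abc$hash:19000:0:99999:7::19100:\n",
    group="wheel:x:10:alice\nstaff:x:50:alice\n",
    sudoers="root ALL=(ALL) ALL\n",
    crontabs={},
    aliases={"oncall": ["alice"], "postmaster": ["root"]},
)

if __name__ == "__main__":
    for label, state in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {residual_access(**state) or ['no residual access']}")
```

The "before" snapshot yields seven findings; the "after" snapshot yields none. The checks deliberately do not delete the account: the chapter's own point is that the right action (lock, expire, forward, or leave alone) depends on the environment, and the account's files may be needed later, so the script reports and a person decides.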
Security Concerns with Other Personnel
Other people who have access to your system may not all have your best interests in mind — or they may simply be ignorant of the damage they can wreak. We’ve heard stories about home environments where playmates of children have introduced viruses into home office systems, and where spouses have scoured disks for evidence of marital infidelity—and then trashed systems where they have found it. In business environments, there are stories of cleaning staff and office temps who have been caught sabotaging or snooping on company computers.
You may not be able to choose your family, but you can have some impact on who accesses the computers at your company location. Visitors, maintenance personnel, contractors, vendors, and others may all have temporary or semi-permanent access to your location and to your systems. You should consider how everything we discussed earlier can be applied to these people with temporary access. At the very least, no one from the outside should be allowed unrestricted physical access to your computer and network equipment.
Examples of people whose backgrounds should be examined include:
• System operators and administrators
• Temporary workers and contractors who have access to the system
• Cleaning and maintenance personnel
• Security guards
• Delivery personnel who have regular or unsupervised access
• Consultants
• Auditors and other financial personnel
All personnel who do have access should be trained about security and loss prevention and should be periodically retrained. Personnel should also be briefed on incident response procedures and on the penalties for security violations.
Don’t forget your family! Whether you are protecting a home system or occasionally have your kids visit your office, it is important that they understand that the computer is not a toy. They should be taught to leave business-critical machines and media alone. Having strong passwords and screensavers in place can be a major help. Additionally, teach your family members about not discussing your business computing environment with strangers.