Who Can You Trust?

Monitor-maker ViewSonic did not see this one coming.

A network administrator it once employed was arrested last month for hacking into the monitor-maker’s network and wiping out critical files.

It could have been worse. The former employee, Andy Garcia, 39, of Montebello, Calif., could have been more destructive. He also was charged with possession of a semiautomatic assault weapon.

The arrest occurred roughly two weeks after Garcia was terminated last year. Relatively speaking, the break-in was a walk in the park, considering he was “in charge of several computer servers and had access to system passwords for management employees,” according to the Department of Justice.

With layoffs and tough economic times giving rise to more disgruntled professionals, information technology executives are now facing this fact: Background checks are the first line of defense against harm to servers, networks and communications infrastructure.

Security firm Kroll Inc. recommends that the checks include drug screening, psychological examinations, credit reviews and securing of federal and local crime records, particularly for positions where changes can be made to applications and system operations.

Walnut, Calif.-based ViewSonic couldn’t say much about the Garcia case. A spokesman said “all of our employees are background-checked,” but wouldn’t elaborate on the stringency of those checks. Assistant U.S. Attorney Wesley Hsu couldn’t comment on whether Garcia was initially screened.

Why the emphasis on background checks? Although hack-attacks from outsiders get the press, the real damage comes from insiders. “If you look at the attacks in volume, 70% of them come from outsiders, but the 70% that cause damage are insiders,” says Gartner Inc. analyst John Pescatore.

Indeed, a 2002 Computer Security Institute survey said 80% of respondents acknowledged financial losses from computer breaches. Forty-four percent were willing and able to quantify those losses, putting them at $455.8 million.

ViewSonic was lucky: Garcia only prevented the company’s Taiwan office from accessing data for a matter of days. It could have been worse. Two warnings from the U.S. National Infrastructure Protection Center (NIPC) last month urged key industries such as telecommunications, finance, utilities and industrial plants to be wary of “insider personnel” that could use employers—and their networks—to make political statements, commit cyber-crime, or worse, bolster terrorism.

To defend against such activities, the government suggested updating antivirus software, increasing user awareness and stopping suspicious attachments at the e-mail server. But a better route may be to create a comprehensive plan to figure out which of your potential new employees may have a proclivity for causing harm, for political or other personal reasons.

Data on screening technology workers is scant, but Pescatore estimates that background checks have more than doubled since the Sept. 11, 2001 terrorist attacks to about 20% to 25%.

A tight job market also has given employers more leverage to demand background checks for all kinds of hires, both salaried and contract.

The main objective should be to eliminate what Alan Brill, senior managing director of tech services for Kroll, dubs “invisible” workers—full-time or temporary employees who have access to customer, human resources or financial systems, but whose interactions with computer systems go unnoticed. “Your system does not care if you get a W-2 or not,” says Brill.

Barbara Blair, CEO of CyberStaff America, says her technology-staffing firm conducts stringent screening, including criminal and credit checks on workers.

“It’s protection you need because it’s not a laissez-faire world anymore,” says Blair.

Protecting Civil Liberties

Not all companies want airtight security. Worries about civil liberties, unfair “profiling” of workers and reduced employee morale are all common reasons companies give for going light on background checks.

Andy Evans, senior security engineer for Ecora Software of Portsmouth, N.H., notes that the background checks Kroll advocates could be viewed as excessive.

“At the very least you call references, but beyond that I’d be offended if there was too much digging around even though there’s nothing to find,” says Evans.

He believes the amount of checking should depend on a worker’s mission. “For people with access to financial and personal data, though, it makes sense.”

For Evans, a better approach is to establish clear network guidelines of acceptable use, educate employees and then enforce those guidelines. According to analysts, these guidelines should start from the assumption that the employer has a right to inspect anything on the network.

“There shouldn’t be any veil of privacy,” says Brill.

Besides network basics such as prohibitions on pornography, sending spam and downloading pirated software, analysts say most executable files should be stopped from entering or leaving the network. There also should be guidelines on what types of employees get certain access privileges.

Evans recommends that firewall protection apply to both incoming and outgoing network traffic, even if it results in a slower connection.

“You can take a performance hit, but the payoff is huge,” adds Evans, who says the effect on network performance would depend on a company’s hardware and bandwidth.

Password management is also a key consideration. Passwords need to be changed often and must avoid obvious choices such as “secret,” a spouse’s name or a social security number.

“The fact remains security is still 90% password-based and it’s a notoriously weak form of authentication,” says Derek Brink, director for product management for RSA Security’s SecurID.

One major security hole: passwords that aren’t terminated when employees are. “When an employee leaves, all access accounts should be disabled. That closes a huge hole,” says Pescatore.
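Pescatore’s point about disabling accounts on departure, and Brill’s “invisible” workers earlier in the piece, both come down to the same reconciliation: compare the directory against the HR roster. The following is an added example, not code from the article or from any vendor it quotes; the roster, account names and dates are constructed, and the HR-to-account mapping is assumed to exist.

```python
"""Reconcile directory accounts against the HR roster for two gaps: accounts
left enabled after the owner was terminated, and accounts with no HR record."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Employee:
    employee_id: str
    termination: Optional[date]   # None while still employed

@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]       # HR id the account maps to; None if unknown
    enabled: bool
    last_login: date

# Constructed sample data with hypothetical ids and usernames.
HR_ROSTER = [
    Employee("E100", None),
    Employee("E200", date(2003, 1, 15)),   # terminated; account should be off
    Employee("E300", date(2003, 2, 1)),
]
ACCOUNTS = [
    Account("alice", "E100", True, date(2003, 2, 10)),
    Account("bob", "E200", True, date(2003, 1, 30)),     # used after termination
    Account("carol", "E300", False, date(2003, 1, 28)),  # correctly disabled
    Account("svc_backup", None, True, date(2003, 2, 9)), # nobody owns it
]
REVIEW_DATE = date(2003, 2, 14)

def find_account_gaps(accounts, roster, today):
    """Return (stale, orphaned): stale = enabled accounts whose owner was
    terminated; orphaned = enabled accounts with no HR record behind them."""
    by_id = {e.employee_id: e for e in roster}
    stale, orphaned = [], []
    for acct in (a for a in accounts if a.enabled):   # disabled ones are fine
        emp = by_id.get(acct.owner_id) if acct.owner_id else None
        if emp is None:
            orphaned.append(acct.username)
        elif emp.termination is not None:
            stale.append({"username": acct.username,
                          "days_open": (today - emp.termination).days,
                          "login_after_termination": acct.last_login > emp.termination})
    return stale, orphaned

if __name__ == "__main__":
    print(find_account_gaps(ACCOUNTS, HR_ROSTER, REVIEW_DATE))
```

A login date later than the termination date is the case worth escalating, since it shows the stale account was actually used, not merely left open.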

RSA has been pushing the use of hardware and software tokens, which change passwords every minute and require a personal identification number to verify the user. Once a user is authenticated, he will get access to parts of the network he’s authorized to use.

So why aren’t tokens a big hit? Passwords come cheap and identity-management tools can take a piece of the budget. The cost to acquire and deploy a password system is essentially zero.

For 25 users, says Steve Stasiukonis, owner of Secure Network Technologies of East Syracuse, N.Y., it costs $3,950 for a license to RSA’s access-management server, $1,000 in annual maintenance and $62 for each SecurID fob, which lasts three years.

Brink says RSA and its rivals have largely pitched authentication as a way to mitigate risks, but don’t necessarily try to prove there’s a return on the investment. “We’ve had a hard time talking about reducing costs and increasing revenue,” says Brink.

And what if you take all the necessary precautions and an insider still goes bad? The key is to monitor—and more importantly interpret—network traffic.

“Inside the firewall there’s a lot of information to interpret,” says Brill. “Most attacks leave a trail. The only problem is seeing the trail.”

Indeed, it’s a trail that can leave reams of data. Out-of-the-ordinary financial transactions, executable files, unusual Web site visits and instant-messaging conversations should all raise red flags, say analysts.

Brill says decision-makers have three choices. Don’t monitor your network and take your chances; devote resources to interpreting the data full time; or outsource to companies such as Symantec, which acquired monitoring firm Riptech last year.

Pescatore also says startups such as Vericept, SilentRunner and Niksun are working to fill the monitoring void by offering software that cooks traffic patterns down to a simple alert.

“The key is to collect the data [and] rebuild 1,000 events into one incident,” says Pescatore.
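The red flags the analysts list (outbound files, executables crossing the perimeter, unusual web visits) and Pescatore’s “rebuild 1,000 events into one incident” can be shown together as a small correlation pass. This is an added example, not code from the article or from Vericept, SilentRunner or Niksun; the log format, event names, weights and sample lines are all constructed.

```python
"""Collapse raw per-user log events into scored incidents, the "rebuild 1,000
events into one incident" idea. Format, event names and weights are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO time> <user> <event_type> <detail>".
SAMPLE_LOG = """\
2003-02-10T22:41:03 bob FILE_OUT payroll_q4.xls
2003-02-10T22:41:09 bob FILE_OUT customers.mdb
2003-02-10T22:42:15 bob EXEC_IN unknown_tool.exe
2003-02-10T22:43:50 bob WEB_VISIT filedrop.example
2003-02-10T22:44:02 bob FILE_OUT hr_salaries.xls
2003-02-11T09:05:00 alice WEB_VISIT intranet.example
"""
# Illustrative weights for the flags the analysts name; LOGIN scores nothing.
WEIGHTS = {"EXEC_IN": 3, "EXEC_OUT": 3, "FILE_OUT": 1, "WEB_VISIT": 1}
WINDOW = timedelta(minutes=10)   # gaps shorter than this join one incident
OFF_HOURS = (20, 7)              # 20:00 to 07:00 counts as after hours

def parse(log_text):
    """Yield (timestamp, user, event_type, detail), skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, etype, detail = line.split(" ", 3)
            yield datetime.fromisoformat(ts), user, etype, detail

def build_incidents(log_text):
    """Group each user's events into time-bounded incidents and score them."""
    per_user = defaultdict(list)
    for ev in sorted(parse(log_text)):
        per_user[ev[1]].append(ev)
    incidents = []
    for user, events in per_user.items():
        current = None
        for ts, _, etype, detail in events:
            if current is None or ts - current["end"] > WINDOW:
                current = {"user": user, "start": ts, "end": ts,
                           "events": 0, "score": 0, "details": []}
                incidents.append(current)
            current["end"] = ts
            current["events"] += 1
            current["details"].append(f"{etype}:{detail}")
            current["score"] += WEIGHTS.get(etype, 0)
            if ts.hour >= OFF_HOURS[0] or ts.hour < OFF_HOURS[1]:
                current["score"] += 1   # after-hours activity raises the score
    return incidents

def alerts(log_text, threshold=5):
    """Return only incidents scoring at or above threshold, highest first."""
    hits = [i for i in build_incidents(log_text) if i["score"] >= threshold]
    return sorted(hits, key=lambda i: -i["score"])
```

On the sample, bob’s five late-night events collapse into one incident that clears the threshold, while alice’s single daytime visit never surfaces as an alert.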