kaiser@jaws.DEC (Pete Kaiser 225-5441 HLO2-1/N10) (12/16/84)
I've seen recently lots of netnews traffic about "security", "hackers", and computer crime. But if you were doing a performance analysis of where to apply your efforts in stopping the security leaks, misuse, and crime, you'd have to be aware of this:

Study after study done by the nation's law-enforcement agencies shows that the greatest money losses from crime come from white-collar crime committed by trusted insiders. And I suspect most of us [reading this note] know that this is also true in our workplaces. People abuse their privileges (I'm ashamed to say that I did this once myself, although it wasn't criminal, but unethical -- I used UN*X root privilege to read someone else's mail in searching for some code) and misuse their resources in criminal ways. Some persons profit from this, deliberately. They are criminals. Most are never detected, much less caught, tried, or convicted of their crimes.

If we absolutely stopped all irresponsible hacking (or "cracking", if you prefer the term), and completely plugged every conceivable technical hole in computer security, the amount of security gained, the amount of crime halted, would be a trivial part of the true total of computer crime and breaches of security and privacy.

So we shouldn't let ourselves be seduced into thinking that "{h,cr}ackers" and technical holes in computer security are the biggest part of the problem. They aren't; they're just the most dramatic ("romantic"?) and visible parts. When we get serious about security and crime, we'll attack them at the roots ... but unfortunately, that will be much more difficult than anything we've done so far.

Will someone please get in touch with me if there appear any signs that this may happen?

---Pete
Kaiser%JAWS.DEC@decwrl.arpa, Kaiser%BELKER.DEC@decwrl.arpa
{allegra|decvax|ihnp4|ucbvax}!decwrl!dec-rhea!dec-jaws!kaiser
DEC, 77 Reed Road (HLO2-1/N10), Hudson MA 01749 617/568-5441
emks@uokvax.UUCP (12/20/84)
/***** uokvax:net.unix-wizar / decwrl!kaiser / 7:50 pm Dec 17, 1984 */
Study after study done by the nation's law-enforcement agencies shows that the
greatest money losses from crime come from white-collar crime committed by
trusted insiders. ... People abuse their privileges ... [guilt trip] ... and
misuse their resources in criminal ways. Some persons profit from this,
deliberately. They are criminals. Most are never detected, much less caught,
tried, or convicted of their crimes.
If we absolutely stopped all irresponsible hacking ... and completely plugged
every conceivable technical hole in computer security, the amount of security
gained, the amount of crime halted, would be a trivial part of the true total
of computer crime and breaches of security and privacy.
So we shouldn't ... be seduced into thinking that [hackers] and technical
holes in computer security are the biggest part of the problem. They aren't;
they're just the most dramatic and visible parts. When we get serious about
security ..., we'll attack them at the roots ... but unfortunately, that will
be much more difficult than anything we've done so far....
---Pete
/* ---------- */
Boy, can I ever echo what Pete just said!
I think that the computer center's site management team (probably in an effort
chiefed by the data security manager) should look at the risk potential based
on things like the type of data handled, what sort of access is granted to
which people, and so forth.
Cheap ideas like the DoD's "two-man" rule in areas regarded "no-lone" would
probably deter much of the irresponsible actions on the part of those with
access to the system console and accounts with special privileges.
But one must also weigh the potential risk against the hassle (the old
"bennies versus loss" argument). I don't think that our site administrators
here at the University of Oklahoma would be thrilled pink if they had to
be accompanied into the machine room by another knowledgeable person (and
the same procedure for each "su"). Now, our site administrators are human
and, just like that Northrop guy arrested by the FBI, probably pretty
conscientious--under most circumstances. I think it would be a really good
idea for centers to adopt rules like "two-man," but prepare for revolt!
One of the weakest areas in the area of management selection is that of
an individual's background. DoD is one of the few agencies that actually
has a decent background investigation--and for good reason. But most
companies are unwilling to do much of anything to determine the
trustworthiness of employees which, in a real sense, are sometimes given the
most sensitive of corporate or personnel information. [Examples abound:
E-Mail might contain inside info. about stock deals, engineering data about
a proprietary project information about which the computer manager might not
have any need, etc., ad nauseam]
What can be done about this?? Sigh. I think that the only way companies
will change is to have losses, to wit. "take it in the shorts."
/\
/ \ Have a safe holiday season...
/ \ We wouldn't want you to miss NEWS!!!
------
||
kurt
derek@sask.UUCP (Derek Andrew) (12/28/84)
> One of the weakest areas in the area of management selection is that of
> an individual's background. DoD is one of the few agencies that actually
> has a decent background investigation--and for good reason. But most
> companies are unwilling to do much of anything to determine the trust-
> worthiness of employees which, in a real sense, are sometimes given the
> most sensitive of corporate or personnel information.
>
> What can be done about this?? Sigh. I think that the only way companies
> will change is to have losses, to wit. "take it in the shorts."

Just wanted to point out that companies are forbidden by law to do complete background checks on people. Things like Human Rights Commission in Canada or the American Civil Liberties group would have a field day in court with that!

In Canada, you cannot ask for a person's birthday unless they are under 20 (I think) or close to retirement age. Sex is right out. Some questions as to previous employment are okay unless it was in a foreign country (race discrimination). I believe that the employer may ask for a social insurance number (note the word employer is not prefixed by prospective).

I am not faulting human rights legislation, it is needed, but it sure gets in the way of security screening. By the way, people like DND (DoD) are exempt from human rights legislation.

--
Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0
{ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek 306-966-4820 0900-1630 CST
brian@uwvax.UUCP (Brian Pinkerton) (12/28/84)
> Just wanted to point out that companies are forbidden by law to do complete
> background checks on people. Things like Human Rights Commission in Canada
> or the American Civil Liberties group would have a field day in court with
> that!

What would constitute a complete background check? Here are some of the things I might do if I were in the position of hiring someone for a security sensitive job. Are they illegal?

- use references from previous employers to locate and talk to former co-workers and managers.
- also, use educational references to find out what the person was like in school.
- run a credit check. this is apparently pretty easy to do, judging from the recent plethora of news on the subject.
- ask the FBI for hints. I recently heard a talk given by a local agent who strongly advised that they be consulted, even if just for a criminal record check. They can also provide suggestions on where to go for more information. (this sounds like a bloody advertisement!)

There are probably many other things you could do to gain even more insight into a prospective employee's life (psychological profile, anyone?). Such things take time, effort, and connections; I could sympathise with an employer who wanted to avoid the hassle, but if I were to give someone root on my corporate/banking/whatever machine I sure as hell would check them out.

brian
--
Brian Pinkerton @ wisconsin
...!{allegra,heurikon,ihnp4,seismo,sfwin,ucbvax,uwm-evax}!uwvax!brian
brian@wisc-rsch.arpa
emks@uokvax.UUCP (01/07/85)
/***** uokvax:net.unix-wizar / sask!derek / 11:14 pm Dec 27, 1984 */
Just wanted to point out that companies are forbidden by law to do complete background checks on people. Things like Human Rights Commission in Canada or the American Civil Liberties [Union] would have a field day in court with that!

In Canada, you cannot ask for a person's birthday unless they are under 20 (I think) or close to retirement age. Sex is right out. Some questions as to previous employment are okay unless it was in a foreign country (race discrimination). I believe that the employer may ask for a social insurance number (note the word employer is not prefixed by prospective).

I am not faulting human rights legislation, it is needed, but it sure gets in the way of security screening. By the way, people like DND (DoD) are exempt from human rights legislation.

--
Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0
{ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek 306-966-4820 0900-1630 CST
/* ---------- */

Unfortunately, you're probably right. I might point out (wordsmithing) that companies are not legally forbidden from performing background checks, but civil rights legislation prohibits them from performing certain acts which would tend to violate an employee's civil rights. (BTW, I am not very familiar with Canada's legal system, so my comments may not be very useful)

I'm not a legal eagle, but I suspect you could do a bit more checking if you first established some things like this:

o That the position to be filled was "sensitive." The definition of the word "sensitive" should be defined more clearly by attorney-types.
o The person should understand the exact extent of the investigation, its purpose, weight in the selection process, and the propriety/use of the information.
o That the person would consent, in writing, to an investigation of the same magnitude which was described.
o That the investigation is made on all applicants, and not just this one.
o That clear limits for "acceptable," "to be individually adjudicated," and "failed" results are used without regard to the individual under investigation.
o And that the applicant would be qualified for less sensitive positions in the company/organization if he/she declined to allow the investigation, or its results were unacceptable.

Does anyone out there have any ideas/experience in a non-DoD environment? Gee, the National Security Act of 1947 makes it so EASY...

Have fun.

kurt