Personnel Security:

Personnel Security:

Copyright(c), 1990, 1995 Fred Cohen - All Rights Reserved

One of the most common techniques for determining and limiting the expected loss of a system is through the use of personnel security techniques, techniques whereby the behavior of individuals may be predicted, observed, and defended against.

In many instances inadequate background checks have resulted in massive losses. A typical personnel attack is the introduction of an expert as an employee into a competitors company in a relatively low level position. A typical protection decision is that the least knowledgeable user is given the most privileged access (e.g. an operator). By introducing a knowledgeable attacker in such a position, it is typically very easy to get access to nearly all of a facility's information in a matter of days. These employees are typically trained for less than a week before assuming full responsibility, and are typically left alone, or nearly alone, on long overnight shifts. This is an ideal opportunity to launch an attack.

Typically, before hiring employees, some sort of background check is done to verify qualifications for the position. The easiest way to reduce the risk from such an attack is to perform a thorough background check on each employee before hiring. A typical background check should involve determining and verifying all employment and other activities over an extended period prior to the present time. This should include contacting immediate supervisors at all previous jobs, contacting the central offices of all prior employers to verify claims of job title, etc. To protect high risk resources, personal interviews with neighbors at all previous addresses and employers should be performed, arrest records should be checked, etc. There are many private detective agencies that perform such checks as a routine matter, and if the cost of such an investigation is warranted, it should be performed.

An interesting and inexpensive way to verify the integrity of employees or potential employees is the use of handwriting analysis. Most people are unaware of the fact that an analysis of handwriting can be used to assess the personality of many individuals. In cases where the individual being tested has expertise in handwriting analysis, such techniques can be bypassed, and people taught to write under very strict educational systems may have particular writing styles which were forced upon them as youths, but for the most part, handwriting analysis can provide considerable insight at very low cost.

In order for handwriting analysis to be effective, it is necessary to attain a copy of a few sentences or more of handwritten text in the hand of the person under test. If particular personality profiles are desired, the questions addressed by this writing may be chosen to augment the analysis. Once the sample is attained, the writing may be analyzed by examining factors such as the slant of letters, loops and distances below and above the normal line of characters, etc. In court cases, handwriting comparisons have been used to identify individuals, but a far more interesting application is the search for personality changes that may indicate extreme stress or other significant personality changes. This analysis can be done by regularly attaining handwriting samples and analyzing their changes over time.

The use of historical and psychological profiles in the definition of the desired employee for a particular position is often quite useful in getting employees with a 'good match' to the companies requirements and desires. Unfortunately, many employers use this as a basis for discriminating against individuals that might be substantially beneficial. Great care must be exercised in the use of these techniques to assure that enough variety is present within an organization to allow it to survive changes in the environment in which it is to exist. Many employers perform extended interviews with potential employees because they have found that the expense of an extra day or two of interviews is far less than the cost of hiring an employee who doesn't work out because of insufficient information in the hiring process.

Once an employee has been hired, it is important to perform sufficient indoctrination in the area of information protection to assure a clear understanding of the policies to be adhered to, the procedures for adherence, and what happens in the case of non adherence. In many organizations, this information is not made clear from the outset, and is the basis for misunderstanding on all sides. Proper training is also necessary to assure that the employee is competent to carry out the procedures required to implement protection policies.

In most companies, insufficient education and awareness of protection is available, and this causes significant problems in the enforcement of policy. As an example, most employees don't understand that a password can be attained by looking over a shoulder, and don't think about this problem in their day to day behavior. Regular updates and practice runs of procedures have been found effective in increasing assurance of protection mechanisms.

Two conflicting management areas are the maintenance of a climate of honesty, and the use of surveillance in an attempt to assure proper behavior. It is hard to operate in a surveiled environment without feeling a certain degree of paranoia, and it is not uncommon for people operating under these conditions to become so adherent to rules that they refuse to entertain creative ideas. The problem of a group of people who adhere to dogma rather than expressing their creativity is that they stagnate, and the organization in which they operate becomes less innovative as a whole. This is clearly counter to the concept of intellectual honesty in which ideas are evaluated on the basis of their merits rather than their adherence to dogma. It is also hard to feel honest in an environment where your honesty is always under question. It makes people quite defensive, and stifles any effort to act as an individual.

In several states the use of computers for surveillance is becoming subject to legal restriction because of their use to scrutinize employee behavior in oppressive ways. In several cases, computerized records of phone calls have been used to force employees to answer a certain number of phone calls per minute. Typist records are often used to assure that a nominal number of pages are produced per day. Programmer accounts are sometimes checked to assure that a certain number of lines of code are produced per day. These things have their place and can be quite effective management aides when used in a reasonable manner, but there is a tendency for abuse that has led to legal actions.

The firing of employees for protection or performance related problems has often led to disaster. Several cases have occurred wherein employees in the EDP environment have planted 'time bombs' so that if they were fired, computer systems would fail to operate after a prescribed period of time. The use of good OS protection techniques can only protect against this in limited ways. Often procedural requirements are implemented by the management so that information which is shared with the rest of the community is subjected to integrity verification by another employee. In this way, we can assure that a collusion is required in order to allow such an activity to cause damage.

It is always important to eliminate access to an employee's computer accounts, office safes, etc. during or before the meeting in which the employee is fired, in order to assure that further damage is limited. This tends to produce bad feelings by ex-employees who feel that the employer didn't trust them. This should be explained as a standard precaution dictated by company policy so that it depersonalizes the activity, and thus limits bad feelings.