New insider threat?

TalkBack 1 of 2:

Next »

• Thread View
• Flat View

I concur

It was very refreshing to see that someone else "gets it" regarding internal security. The fact is, about 70% or so of security breeches occur from within the firewall. Outsourcing your process doesn't change this, it just means that you're counting on someone else to reduce that 70% number instead of doing it yourself.

A little story:

At my very first job (WaWa convenience stores), I busted my butt and eventually was given a big promotion to shift manager. In addition to my previous duties, I was also responsible for taking inventory, stocking shelves, and was given a key to a portion of the safe in order to retrieve coins. The whole safe was off limits, but there was always about $1,000 in coins and smaller bills in the area I could access. In exchange for this burden (hey, I got to be the guy the robbers point the gun at!) I got... an extra dollar an hour. $35 or so per week to be in a position to rig inventories and rip the place off blind, stage a robbery, steal from the safe, etc. See a problem here?

IT is the same way. Anyone with root access can shut your entire business down. Sometimes for good. They can steal your crucial data, rig payroll systems, do all sorts of things that will devestate your company. And then you turn around a tell this person that you are freezing their salary for four years, meanwhile the CEO is getting annual raises of 20%? Anyone familiar with the BOFH series of stories knows that there is way too much truth in the jokes.

Background checks are false security at best. They weed out the truly stupid wannabe criminals, and prevent you from hiring someone who may have just made a dumb mistake in their youth. The really scary criminals are the ones that have never been caught. They have squeaky clean backgrounds. The vast majority of computer crime goes detected; most of what is detected goes unpunished and the criminal is never caught. To think, "well, this guy passed a background check, so he is A-OK" is delusional.

The fear of the insider threat is a great incentive to NOT outsource. Third party vendors lie to their customers about the qualifications of their employees as a rule (I have had managers instruct me to claim to have certifications that I did not actually have if customers ever asked, for example). What makes you think that they are going to be on the ball in terms of watching the potential insider crooks? At least when the person is working for you, you know when they roll up to the office in a Porsche when you know you are giving them a Chevy salary.

J.Ja

Posted by: Justin James   Posted on: 04/28/06 You are currently: a Guest | Members login | Terms of Use

Alert moderator to an offensive message

Subscribe to this discussion via Email or RSS

SponsoredWhite Papers, Webcasts, and Downloads

• Open Standards Technologies Provide the Ingredients for Delivering Security Across the Papa Gino's Enterprise Dell Papa Gino's Holdings Corporation founded by the entrepreneur operates one ... Download Now
• Virtualization: Architectural Considerations And Other Evaluation Criteria VMware Of the many approaches to x86 systems virtualization available in the ... Download Now
• Three Steps You Need to Know to Stop Data Loss Varonis Sensitive data exposed to misuse or loss... it is the stuff of nightmares ... Download Now