My memories of long-dead dotcoms are of data centres bustling with young people: gurus, geeks and gnomes with the uncanny ability to mind-meld with a computer. Many of them lacked college degrees, some even high school diplomas. But from this dormant piece of economic history a new corporate security threat is rising — and it won't be detected by a firewall or fancy intrusion detection system.
In the high-flying '90s, employment was a cinch for these kids — it was a seller's market. But the tech sector has lost more than 560,000 jobs since 2001, according to the American Electronics Association. Credentials are the differentiator in a buyer's market. The brilliant young turks who apply for jobs without formal training — offering only an instinctive knowledge of computers — won't get hired as systems administrators and security experts. Perhaps they'll end up as clerical workers or night-shift operators in a call centre. The explosion, however, will come when the flame of their resentment at being underemployed is catalysed by their boredom.
In the past, geeks tolerated menial jobs because they had reasonable expectations of transfer or promotion in periods of rabid corporate hiring. In today's wispy labour market, they'll take the position because they have to eat, but prospects of upward mobility have been drastically cut by their lack of formal education.
As it becomes harder for hackers to earn a good living and long-term employment hopes fade, less traditional revenue opportunities such as corporate espionage or even sabotage may look more tempting.
Awareness of this situation helps mitigate the risk. Other preventative hiring measures include background checks for anyone with network access, and outside scrutiny of administrative routines to expose security "blind spots." For instance, internal procedures often assume that nontechies won't know how to boot from a floppy, run a packet sniffer or trap keystrokes to look for passwords.
Consider adding antihacking rules to existing acceptable use policies. Remove ambiguities and clearly state grounds for termination — regardless of motivation or damage. This list should be unique to the company but should include universal prohibitions like using someone's log-on or hooking up external storage devices such as USB drives.
Be liberal with these permissions, however, because it's a great way to sniff out trouble. Detect intruders by leaving some bait lying around, such as network files with important-sounding names. Another good way to tell if you're being probed is to create a restricted user account with an easily cracked password.
Cartographers add fake towns to their maps to tell if they've been plagiarised. I've done something similar with databases by adding a few fake records at the beginning, middle and end.
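The fake-record approach, sketched as an added example (not code from the original column): it seeds rows at the beginning, middle and end of a table and then checks outbound data for them, so even a partial copy trips the check. The key, dataset name, fake names and customer rows are all constructed assumptions.

```python
import hashlib
import hmac

# Assumption: a secret held by the security team, stored apart from the data.
CANARY_KEY = b"constructed-demo-key"
FAKE_NAMES = {"first": "Avery Lindqvist", "middle": "Morgan Pell", "last": "Sam Okafor"}

def make_canary(dataset, slot):
    """Fake row whose email is a keyed hash, so it is unique to one dataset and slot."""
    tag = hmac.new(CANARY_KEY, f"{dataset}:{slot}".encode(), hashlib.sha256).hexdigest()[:12]
    return {"name": FAKE_NAMES[slot], "email": f"u{tag}@example.com"}

def seed(records, dataset):
    """Copy records, adding fake rows at the beginning, middle and end.
    Returns (seeded_rows, markers); markers go to the watch list, not the table."""
    fakes = {slot: make_canary(dataset, slot) for slot in FAKE_NAMES}
    rows = list(records)
    rows.insert(len(rows) // 2, fakes["middle"])
    rows.insert(0, fakes["first"])
    rows.append(fakes["last"])
    return rows, {f["email"] for f in fakes.values()}

def scan(blob, markers):
    """Return the markers present in outbound bytes (export, upload capture, mail attachment)."""
    text = blob.decode("utf-8", errors="replace").lower()
    return sorted(m for m in markers if m in text)

def to_csv(rows):
    """Render rows as simple name,email lines, standing in for an exported file."""
    return "\n".join(f"{r['name']},{r['email']}" for r in rows).encode()

# Constructed sample data, not from the article.
CUSTOMERS = [{"name": f"Customer {i}", "email": f"c{i}@example.org"} for i in range(1, 9)]
SEEDED, MARKERS = seed(CUSTOMERS, "crm-customers")

if __name__ == "__main__":
    partial_dump = to_csv(SEEDED[-4:])   # only the tail of the table was copied
    print("hits in partial dump:", scan(partial_dump, MARKERS))
    print("hits in clean file:  ", scan(to_csv(CUSTOMERS), MARKERS))
```

Because each marker is derived from the dataset name, a hit also says which table the copied data came from.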
A good security officer also uses SMBWA (Security Management By Walking Around). It doesn't take a lengthy conversation to figure out which employees are technically savvy.
Terminated employees should be walked out immediately after they've been let go. I worked at a company once where a call centre employee was let go by HR and allowed to pack up his cubicle unescorted. Shortly afterward, we noticed an FTP session start from within the call centre. I walked over to the ex-employee's desk and found that he was dumping proprietary information from the company to an offsite server. We searched his computer and found several Trojan horses, including one hooked up to an illicit modem.
The long-term solution is to develop a pipeline for promoting staff from within. Job requisitions should be scrubbed to remove padded requirements that effectively block internal transfers. Encouraging a corporate culture of upward mobility will protect a company from internal attacks better than any automated software method. However, in the real world, assuming the worst of your coworkers — both in motivation and skill — is just as prudent as locking your car in a church parking lot.
David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the US Navy and as an intelligence analyst at DEFSMAC.