Information Security News mailing list archives

Security's Hard Knocks


From: InfoSec News <isn () C4I ORG>
Date: Wed, 3 Jan 2001 21:37:08 -0600

http://networkcomputing.com/1201/1201colfeldman.html

January 8, 2001
By Jonathan Feldman

My pop would sometimes despair at having to teach his seven scalawag
children good work habits; he complained that we could learn only at
the school of hard knocks.

A few months ago, I learned a hard lesson about hiring practices. My
colleagues and I found ourselves with a technician who just wasn't
working out. The fellow was habitually late and didn't take
responsibility seriously, so we said goodbye. End of story. Or so we
thought.

Next thing we knew, we got a call from a police officer who frequently
works with us. "You know that guy who was working for you?" he asked.
"Well, he's got a criminal record as long as my arm. Didn't you run a
background check?" Whoops. Now that's a security problem, isn't it?
Not quite as sexy as the latest IIS exploit, but bad enough.

Turns out we only thought we had run a background check. More
accurately, we got a verbal OK from someone in human resources who was
either overworked or taking too much cold medicine that day. We
accepted it instead of waiting for written authorization from our
background-check source because we were understaffed and anxious to
hire. After we hired the guy, following up on the written
authorization was quickly forgotten and, in the end, the paperwork was
never received.

Memo to self: Be more careful with background checks. Make sure you
get more than a verbal authorization. Go to the source -- don't rely
on an intermediary.

How can you go to the source, you ask? Inquire with local law
enforcement. Frequently, background checks can be done for citizen
businesses both inexpensively (where I live, it costs five bucks -- a
pittance well spent) and authoritatively.

Are background checks sufficient to prevent bad hires? Heck, no!
There's another lesson to keep in mind. Twenty years ago, I ignored a
tough spot on a wall and forced a nail through a pipe. With water
streaming everywhere, I shouted, "I'll never do that again!" to which
my pop retorted, "Big picture, Jonathan. You've got to think big
picture!"

The Big Picture

Obviously, criminal background checks in and of themselves aren't a
foolproof screening method. Not every crook has a record, and every
thief has a first outing. So our procedural lesson in background
checks does not necessarily mean we'll never hire another person with
a criminal record. We can only asymptotically approach perfection;
we cannot actually reach it.

The big-picture lesson here is that our business does not afford the
luxury of getting sloppy with anything. Security must be a gestalt,
not merely applicable to specific procedures. Getting sloppy with even
one thing may mean our other, more careful security preparations are
in vain.

Similarly, if we are meticulous and avoid shortcuts, security can
sometimes take care of itself. Witness October's critical IIS patch
(www.microsoft.com/technet/security/bulletin/ms00-078.asp). One quiet
Friday afternoon, someone spilled the beans: There was a potential
root-level vulnerability in IIS. It had been discussed on BugTraq, and
Microsoft announced it was now time-critical to apply a previously
released patch.

Meticulous administrators who had applied the patch at the time of its
release (www.microsoft.com/technet/security/bulletin/ms00-057.asp)
partied that Friday night, while other administrators cancelled their
plans in order to attend the School of Hard Knocks.

As writer Shmuley Boteach, who paraphrases an old Hassidic aphorism,
puts it, "The difference between a wise man and a clever man is that
the clever man can extricate himself from a situation in which the
wise man would never have gotten himself involved in the first place."

How do we foster wisdom other than through hard knocks? You tell me.


Jonathan Feldman is technical systems manager for the Chatham County
Government in Savannah, Ga. Send your comments on this column to him
at jf () feldman org.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
