Information Security News mailing list archives
Security's Hard Knocks
From: InfoSec News <isn () C4I ORG>
Date: Wed, 3 Jan 2001 21:37:08 -0600
http://networkcomputing.com/1201/1201colfeldman.html
January 8, 2001
By Jonathan Feldman

My pop would sometimes despair at having to teach his seven scalawag children good work habits; he complained that we could learn only at the school of hard knocks. A few months ago, I learned a hard lesson about hiring practices.

My colleagues and I found ourselves with a technician who just wasn't working out. The fellow was habitually late and didn't take responsibility seriously, so we said goodbye. End of story. Or so we thought. Next thing we knew, we got a call from a police officer who frequently works with us. "You know that guy who was working for you?" he asked. "Well, he's got a criminal record as long as my arm. Didn't you run a background check?"

Whoops. Now that's a security problem, isn't it? Not quite as sexy as the latest IIS exploit, but bad enough.

Turns out we only thought we had run a background check. More accurately, we got a verbal OK from someone in human resources who was either overworked or taking too much cold medicine that day. We accepted it instead of waiting for written authorization from our background-check source because we were understaffed and anxious to hire. After we hired the guy, following up on the written authorization was quickly forgotten and, in the end, the paperwork was never received.

Memo to self: Be more careful with background checks. Make sure you get more than a verbal authorization. Go to the source -- don't rely on an intermediary. How can you go to the source, you ask? Inquire with local law enforcement. Frequently, background checks can be done for citizen businesses both inexpensively (where I live, it costs five bucks -- a pittance well spent) and authoritatively.

Are background checks sufficient to prevent bad hires? Heck, no! There's another lesson to keep in mind. Twenty years ago, I ignored a tough spot on a wall and forced a nail through a pipe. With water streaming everywhere, I shouted, "I'll never do that again!" to which my pop retorted, "Big picture, Jonathan. You've got to think big picture!"

The Big Picture

Obviously, criminal background checks in and of themselves aren't a foolproof screening method. Not every crook has a record, and every thief has a first outing. So our procedural lesson in background checks does not necessarily mean we'll never hire another person with a criminal record. We can only asymptotically approach perfection; we cannot actually reach it.

The big-picture lesson here is that our business does not afford the luxury of getting sloppy with anything. Security must be a gestalt, not merely applicable to specific procedures. Getting sloppy with even one thing may mean our other, more careful security preparations are in vain.

Similarly, if we are meticulous and avoid shortcuts, security can sometimes take care of itself. Witness October's critical IIS patch (www.microsoft.com/technet/security/bulletin/ms00-078.asp). One quiet Friday afternoon, someone spilled the beans: There was a potential root-level vulnerability in IIS. It had been discussed on BugTraq, and Microsoft announced it was now time-critical to apply a previously released patch. Meticulous administrators who had applied the patch at the time of its release (www.microsoft.com/technet/security/bulletin/ms00-057.asp) partied that Friday night, while other administrators cancelled their plans in order to attend the School of Hard Knocks.

As writer Shmuley Boteach, who paraphrases an old Hassidic aphorism, puts it, "The difference between a wise man and a clever man is that the clever man can extricate himself from a situation in which the wise man would never have gotten himself involved in the first place." How do we foster wisdom other than through hard knocks? You tell me.

Jonathan Feldman is technical systems manager for the Chatham County Government in Savannah, Ga. Send your comments on this column to him at jf () feldman org.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".