C.4 Security Personnel 313
Appendix C
C.4 Security Personnel
C.4.1 Coping with Insider Threats
According to a Gigalaw report [5], an internal security breach occurs when an employee of a company uses the company's information system without authorization or uses it in a way that exceeds his or her valid authorization. The author states that in 2001, the American Computer Security Institute surveyed a large number of corporations, medical institutes, and government agencies about serious security breaches of their computer systems, such as the theft of proprietary information, financial fraud, denial-of-service attacks, and the sabotage of data or networks. The findings were startling. More than 70 percent of respondents reported these kinds of attacks as having occurred from inside the company, while only 25 percent reported system penetration from outsiders.
Employees, who often occupy positions of trust, have the greatest access to information within the organization. They have the greatest potential to exploit information sources or sabotage computer systems for personal gain. Insider acts involve unauthorized viewing or use of information, and the unauthorized entry or alteration of data to produce false transactions and tamper with information systems. Handlesmann [6] advocates that "employers must acknowledge the risks of unauthorized access and computer fraud by employees and put in place monitoring systems and preventative measures that address these risks."
While an employee who commits an attack will often face criminal prosecution, the employee's company may also find itself the subject of a civil lawsuit. A significant danger exists in regard to insider e-security breaches. If an employee misuses a company's data systems to commit electronic fraud or cause damage or loss to third parties, the company may be held (vicariously) liable for the acts of its employee. The standard test for vicarious liability is that the employee's action must have been committed in the course and scope of the employment. It is important to note that "in the course and scope of employment" is a broad term for which there is no absolute legal definition. However, case law (in Australia) has established a few guiding principles. Handlesmann cites the following:
Where an employer authorizes an act, but it is performed in an improper or unauthorized manner, the employer will still be held liable.
It does not matter that an employee is unauthorized to perform an act, and the mere fact that an act is illegal does not bring it outside the scope of employment.
Even though unauthorized access or computer fraud by an employee is an act that lies outside the employee's scope of employment, this does not automatically exclude the employer from vicarious liability.
It is not necessarily an answer to a claim against an employer that the wrong done by the employee was for the employee's own benefit.
Much of the computer fraud committed by employees can be averted if employers implement an effective security policy that puts in place measures targeted at prevention, ongoing monitoring, and recovery strategies in the case of breach. Monitoring may detect problems in progress and allow the possibility of aborting a process before any serious damage is done.
C.4.2 How to Identify Competent Security Professionals
It is always a good idea to understand what areas and applications of security are most in demand when trying to find competent staff. Some of these areas include perimeter management, intrusion detection, forensics, firewalls and VPNs, and internal information security. Sounds like all the basic areas of security, right? Well, it is! Security is a diverse field and it covers a lot of territory. When looking for people for your organization's needs, you need to know as much as possible about the organization before you go headhunting. Then, and only then, will you know what to look for in finding competent people. To find these people, one needs to consider: What are the basic things people seeking information security jobs should know?
When hiring entry-level or nonsenior security engineers, education and training play a much bigger role. They indicate a strong effort to stand out from the crowd and hone skills in a particular area. Look for certifications and similar indicators of professional training and qualification. However, once you get past six to eight years of experience, when looking for management-level security professionals, certifications are less important than experience. This does not mean you should ignore certifications, but they should be considered a secondary factor. For example, would you rather have a security engineer with a certification less than a year old and less than six years of industry experience, or someone without the certification but with twelve years of hands-on, in-the-dirt security consulting experience? It is your call, of course, but we encourage looking at the