If you examine these cases and the vast number of computer security violations committed over the past few decades, you will find one common characteristic: 100% of them were caused by people. Break-ins were caused by people. Computer viruses were written by people. Passwords were stolen by people. Without people, we wouldn't have computer security problems! However, we continue to have people involved with computers, so we need to be concerned with personnel security.
"Personnel security" is everything involving employees: hiring them, training them, monitoring their behavior, and sometimes, handling their departure. Statistics show that the most common perpetrators of significant computer crime are those people who have legitimate access now, or who have recently had access; some studies show that over 80% of incidents are caused by these individuals. Thus, managing personnel with privileged access is an important part of a good security plan.
People are involved in computer security problems in two ways. Some people unwittingly aid in the commission of security incidents by failing to follow proper procedure, by forgetting security considerations, and by not understanding what they are doing. Other people knowingly violate controls and procedures to cause or aid an incident. As we have noted earlier, the people who knowingly contribute to your security problems are most often your own users (or recent users): they are the ones who know the controls, and know what information of value may be present.
You are likely to encounter both kinds of individuals in the course of administering a UNIX system. The controls and mechanisms involved in personnel security are many and varied. Discussions of all of them could fill an entire book, so we'll simply summarize some of the major considerations.
When you hire new employees, check their backgrounds. You may have candidates fill out application forms, but then what do you do? At the least, you should check all references given by each applicant to determine his past record, including reasons why he left those positions. Be certain to verify the dates of employment, and check any gaps in the record. One story we heard involved an applicant who had an eight-year gap in his record entitled "independent consulting." Further research revealed that this "consulting" was being conducted from inside a Federal prison cell - something the applicant had failed to disclose, no doubt because it was the result of a conviction for computer-based fraud.
You should also verify any claims of educational achievement and certification: stories abound of individuals who have claimed to have earned graduate degrees from prestigious universities - universities that have no records of those individuals ever completing a class. Other cases involve degrees from "universities" that are little more than a post office box.
Consider that an applicant who lies to get a job with you is not establishing a good foundation for future trust.
In some instances you may want to make more intensive investigations of the character and background of the candidates. You may want to:
In general, we don't recommend these steps for hiring every employee. However, you should conduct extra checks of any employee who will be in a position of trust or privileged access - including maintenance and cleaning personnel.
We also suggest that you inform the applicant that you are performing these checks, and obtain his or her consent. This courtesy will make the checks easier to perform and will put the applicant on notice that you are serious about your precautions.