Will Hack for Food

In the high-flying ’90s, employment was a cinch for these kidsit was a seller’s market. But the tech sector has lost more than 560,000 jobs since 2001, according to the American Electronics Association. Credentials are the differentiator in a buyer’s market. The brilliant young turks who apply for jobs without formal training—offering only an instinctive knowledge of computerswon’t get hired as systems administrators and security experts. Perhaps they’ll end up as clerical workers or night-shift operators in a call center. The explosion, however, will come when the flame of their resentment at being underemployed is catalyzed by their boredom.

In the past, geeks tolerated menial jobs because they had reasonable expectations of transfer or promotion in periods of rabid corporate hiring. In today’s wispy labor market, they’ll take the position because they have to eat, but prospects of upward mobility have been drastically cut by their lack of formal education.

As it becomes harder for hackers to earn a good living and long-term employment hopes fade, less traditional revenue opportunities such as corporate espionage or even sabotage may look more tempting.

Awareness of this situation helps mitigate the risk. Other preventative hiring measures include background checks for anyone with network access, and outside scrutiny of administrative routines to expose security “blind spots.” For instance, internal procedures often assume that nontechies won’t know how to boot from a floppy, run a packet sniffer or trap keystrokes to look for passwords.

Consider adding antihacking rules to existing acceptable use policies. Remove ambiguities and clearly state grounds for terminationregardless of motivation or damage. This list should be unique to the company but should include universal prohibitions like using someone’s log-on or hooking up external storage devices such as USB drives.

Be liberal with these permissions, however, because it’s a great way to sniff out trouble. Detect intruders by leaving some bait lying around such as network files with important sounding names. Another good way to tell if you’re being probed is to create a restricted user account with an easily cracked password.

Cartographers add fake towns to their maps to tell if they’ve been plagiarized. I’ve done something similar with databases by adding a few fake records at the beginning, middle and end.

A good security officer also uses SMBWA (Security Management By Walking Around). It doesn’t take a lengthy conversation to figure out which employees are technically savvy.

Terminated employees should be walked out immediately after they’ve been let go. I worked at a company once where a call center employee was let go by HR and allowed to pack up his cubicle unescorted. Shortly afterward, we noticed an FTP session start from within the call center. I walked over to the ex-employee’s desk and found that he was dumping proprietary information from the company to an offsite server. We searched his computer and found several Trojan horses, including one hooked up to an illicit modem.

The long-term solution is to develop a pipeline for promoting staff from within. Job requisitions should be scrubbed to remove padded requirements that effectively block internal transfers. Encouraging a corporate culture of upward mobility will protect a company from internal attacks better than any automated software method. However, in the real world, assuming the worst of your coworkersboth in motivation and skill is just as prudent as locking your car in a church parking lot.