A practical guide to computer security Part 4

Date July 19, 2005

Contracted Employee

Today, many positions within a company are outsourced to contractors or consultants. These people have a different relationship with the company from its employees and therefore need different controls.

Appropriate behavior and the scope of a contractor's duties should be defined contractually. Contractors are not bound by employee policies and procedures; the contract with the contractor defines what he/she can and cannot do.

Contracted employees are often granted access to systems like regular employees, but they often lack the commitment to the employer. They may find that hacking a system is a way to make a fast buck, or they may be unhappy with their job and just want to cause trouble. They are also targets of competitors who want to gather internal company information. Sometimes, just being refused a raise is enough to set them off.

A former subcontractor named Anonymous had worked for several years as an instructor for Dan Keller Technical Services, a technical training business. In the spring of 1998, he asked for an increase in his billing rate, which was refused.

*Anonymous* attempted to hack his way into the company network and bombarded it with literally hundreds of e-mails, many containing threats. Other activities by *Anonymous* included supplying Dan Keller’s e-mail address to a variety of Internet sign-up lists for e-mail from retailers, alumni associations, etc., the purpose being, presumably, to cause a flood of junk e-mail. He also forged an e-mail message in which Keller “confessed” to owing him a lot of money.

*Anonymous*'s six-month rampage finally ended when the court granted a restraining order. He seems finally to have gotten the message and hasn’t contacted Keller since. [3]

[3] Keller, Dan, “Hackers on the Internet: The Threat Is Real!,” www.keller.com/attack/, September 1999.

Indirectly Contracted Employee

Most companies are located in a building which is shared by other tenants. The building will often provide certain shared services such as building security, office cleaning, business equipment repair, and utilities maintenance. Building owners will contract out these services to companies with which your company has no association.

Your company has very little control over these indirect contractors. There is a legal, contractual relationship with the facilities owner who in turn has a contract with them, but any actions have to follow this indirect path.

However, these indirectly contracted employees will require access to your facilities to provide their services, usually outside of regular business hours. In fact, these people may come and go so regularly that their presence is not noticed, and they may do so without going through the normal security process.

These types of service companies often express their trustworthiness by being bonded and insured. This may offer some financial relief, but rarely is it useful in response to a computer crime. Their employees are often low-paid workers, who are targeted by computer criminals.

A U.S. defense contractor subcontracted with a foreign firm for onsite contractors. These foreign contractors were allowed access only to the areas of the premises that were necessary to their duties. However, they used their knowledge of the company’s computer system to access other areas of the company’s computer network, which were off limits to non-U.S. employees. The foreign contractors were able to access proprietary and potentially classified information regarding the U.S. company’s government contracts. Their activities jeopardized the competitiveness of the company and posed a potential threat to U.S. national security. [4]

[4] “Statement of Louis J. Freeh, Director Federal Bureau of Investigation,” Senate Select Committee on Intelligence, 28 January 1998.

One Response to “A practical guide to computer security Part 4”

  1. Sam Donelly said:

    The problem with Dan Keller’s story is that several facts are missing.

    The court in San Francisco found against Keller and he had to pay Abarbanel’s legal expenses as part of the settlement. Keller had denied payment to Abarbanel for over $20,000 of expenses and charges for time worked. He also refused to pay Abarbanel for teaching at HP Labs the same year as the legal case. Keller ran a shoddy operation and cheated more than one contractor during the same contract. Testimony from one other contractor was presented in the court case. This made Keller’s entire claim a sham.

    True. Abarbanel bothered Keller some to get his payment. $20,000 was a big deal then.

    True. Keller was irresponsible. He cheated his contractors. He made promises to his long-time friend, Abarbanel, that he did not keep. His entire operation was a shame.
