Secret Service Veteran: Corporations Lax About 'Inside' Security
A former U.S. Secret Service agent, experienced in risk assessment and high-tech crime, says companies are doing a poor job of securing themselves from the inside out.
And they'll pay a heavy price for their careless unless they dramatically up security -- soon.
Larry Cunningham worked with the Secret Service, one of the government's top weapons against computer crime, for 20 years. While an agent there, he not only served on the Presidential Detail, he also focused on investigating high-tech fraud and computer hacking crimes.
Today, he is an international security consultant with his own company, Essential Security Strategies LLC. His clients include the International Monetary Fund, NASCAR, the Saudi Royal Family, U.S. Airways and the United Arab Emirates Royal Family.
In an exclusive interview with Datamation, Cunningham talks about mandating stringent background checks on IT professionals, refocusing network security budgets and more aggressively protecting corporate information.
Q: What's the one problem you're seeing across the board when it comes to corporate network security?
I'm seeing more insider situations than any coming from the outside. Your workers know how things are configured. They understand the political climate inside and they know the weaknesses that companies have. They might be disgruntled. They're motivated. Trade secrets can be sold to the competition. Damage can be done. We've seen these types of problems generated more from the inside than from the outside.
Q: Are companies prepared to fend off that type of attack?
An amazing number of companies are being blase about it or are putting their heads in the sand. You need to be proactive in any areas of security. Companies aren't being rigorous enough. It's very daunting to decide what the risk is in, asses that risk and allocate your resources to it. Many companies are reticent to put money into it until the problem presents itself -- unfortunately.
Q: How do you address insider-based threats?
Do more rigorous background checks. The background checks need to be structured accordingly. As you get closer to more vital pieces of the company's infrastructure, the checks need to be more stringent. Absolutely, IT workers. Everyone with that kind of access needs to be checked out. Absolutely. And not just the first-time-hire situation. You need to renew the checks every year. People change. Their motivations change. Tell people that they will be subject to a background check as a condition of employment. And get a release for a credit bureau check. They could become financially strapped and then the motivation is there for fraud or embezzlement.
Q: When doing a background check, what should you be looking for?
You look for any arrests or convictions of any crime. How would that crime affect the job? Do a local check to see if they've been arrested where they live. That information is not always sent to national databases. It's critical to check where they have lived in the past five years. Look for assault, embezzlement, and drug usage. Financial pressures spill into workplace violence issues. Are they overextended, living way beyond their means? Those kinds of things impact as well.
Q: Do you recommend to companies that they pay particular attention to who is working in their IT departments?
Checks should be strong for everybody. You're only as strong as your weakest link. But as you get to a higher level in the organization, you need to go into more depth in a background check. There are many tiers or levels. You'd want to do a very in-depth financial check on anyway involved in IT in a big way...Look for violent tendencies, financial pressures. The IT thing is such a vital part of any company. It's a good investment to look at that person more stringently. So much of your lifeblood could be compromised.
Q: Do you think most IT managers are allocating their security budgets toward the right things?
They need to be more visionary. Yes, they need to look at worms and viruses, but also their infrastructure and insider threats, and how their networks are constructed. Business partner links need to be focused on so they're not inheriting some risk or coming under risk just because of their connection with another company.
Q: Has the threat of cyber terrorism changed the way people are running their IT and security departments?
I don't think it has changed people's attitudes enough. We are more vulnerable now. They need to be more aggressive. They need to develop policies on how to minimize risk, password usage, employment agreements, bringing data into or out of the company But it's human nature that as time dissipates, memories fade. It's good to keep going with your life but you've got to remain vigilant. They won't attack us the same way again -- with planes. They might attack our infrastructure, both public and private -- networks for airports, hospitals, water distribution systems, and financials. Nearly every vital network we have in this country is connected to the Internet. Any access policies, any access vulnerabilities should be addressed more proactively.
Q: What's one thing security and network managers should do now -- before their network is attacked?
Check in with local police before anything happens. Know what their capabilities are. What can they do? When an attack is happening, you wont have time to find out what they can do. You dont want to be scrambling.
July 19, 2002
The man heading up the nation's top research institute on counterterrorism and cyber security says corporate America is vulnerable to attack, and he wants to create a team reminiscent of the Manhattan Project to tackle the problem.