Does your company’s Human Resources Department complete background checks and reference checks on employees? Is it documented in the employee manual? Many companies are compelled to complete these checks if they are healthcare providers, defense contractors, or children’s services providers, but other companies don’t want to spend the time or money to complete background checks. Regardless of company size or industry, employers should carefully screen IT personnel and complete at least three reference checks. If your company is hiring someone to perform info sec duties such as implementing user access controls or analyzing IDS/IPS logs, your company had better know what kind of person he or she is.
A recent story in The Register illustrates what can go wrong when employers are not familiar with employees’ backgrounds and personal character. John Kenneth Schiefer of Los Angeles was working as an Info Sec consultant to L3 Communications while stealing thousands of online bank passwords. He was stealing online IDs and passwords by controlling a massive botnet while he was at work! Schiefer admitted that he was the hacker “Acid” or “Acidstorm” who had built a botnet army of 250,000 zombies. He built such a large botnet by bullying underage hackers to steal passwords via his malware.
Not only was Schiefer engaged in illegal activity while at work as an Info Sec professional, he also challenged the court to allow him to continue working as a security consultant. If the hiring consulting company had completed a background check and reference check on Schiefer, they would have learned that Schiefer also committed his offenses while on parole on a prior conviction.
Based on the facts, it looks likely Schiefer could face substantial time in prison, said Mark Rasch, a former federal cyber prosecutor who is now a computer crimes specialist in Bethesda, Maryland. “It seems to me that this kind of activity, which is deliberate, willful, harmful, malicious and where he is the leader of the activity and brings in other people to help him do it, there doesn’t seem to be a lot of saving grace here. If this guy was allowed to be a security professional, it really destroys the reputation of other security professionals.”
If you are reading this, take action and convince your company to do background checks and reference checks on all employees. Your reputation as an Information Security professional could depend on it.