Is your HR system safe from hackers?

Ethical hacking is one technique organizations can use to ensure employee data is secure

When Mike Kolasa walked into a police station in Ontario, he thought he would encounter a fairly sophisticated electronic security wall protecting the reams of information flowing through the computer systems.

Kolasa, a security engineer at Markham, Ont.-based MetaSecure, had been hired by the police service to come in and conduct penetration testing, also known as ethical hacking, to see how secure data was from prying eyes.

What he found amazed him and left the local police chief a little pale in the face. All of the sensitive information, including Canadian Police Information Centre data, Interpol data, criminal databases and records, was travelling across the network unencrypted, in plain text.

“People could just walk in, plug in and view that information,” said Kolasa. “I could have gone in there and created a criminal record for you and combined that criminal record with actual evidence. It was pretty easy to do.”

It’s a scenario that could be repeating itself in organizations, leaving sensitive employee data in human resource management systems (HRMS) vulnerable to a wide range of abuse, from exposing individuals’ compensation to identity theft.

As more organizations embrace HR technology and offer self service to employees, so too grows the risk that information will fall into the wrong hands either through carelessness or by hackers keen to pry open HR databases.

And while the information technology department bears the responsibility for security, the employee data in the HRMS is the responsibility of the HR department, which also has a large role to play in ensuring proper steps are taken to protect data, said Keith D’Sousa, senior manager of information security services at consulting firm KPMG in Toronto.

“HR’s role is to secure the information that they have in place,” said D’Sousa. “In the past when you had printed documentation that was fairly easy to secure.”

But since data is now moving all over the place, flowing across internal networks and over the Internet with the advent of self service, things are a bit trickier. HR needs to ask how secure the information is and what type of information is being transmitted.

“It’s not unusual for an employee to update their employee information but it may not be encrypted internally and that is something HR needs to think about,” said D’Sousa. “It is very possible to internally sniff out that information and pick it up.”
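The point D’Sousa raises, that an employee self-service update may travel over the internal network unencrypted, is something HR and IT can check for after the fact from their own web-server or reverse-proxy logs. The following is an added example, not code from the article or from any vendor it mentions: it scans constructed proxy log lines (the five-field format, client, scheme, method, path and status, is an assumption) and reports any request to HR or payroll paths that arrived over plain HTTP, rating form submissions as more serious than page views because they carry the employee’s data in the request body.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for this example (not from the article).
# Assumed format: client scheme method path status
SAMPLE_LOG = """\
10.1.4.22 https POST /hr/self-service/update-address 200
10.1.4.23 http GET /hr/self-service/payslip 200
10.1.7.9 http POST /hr/self-service/update-banking 302
10.1.9.14 https GET /intranet/news 200
10.1.4.23 http GET /intranet/news 200
"""

# Paths that carry employee data; an assumption for this example.
HR_PATH_PREFIXES = ("/hr/", "/payroll/")

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Methods that send data in the request body (address, banking details).
BODY_METHODS = {"POST", "PUT", "PATCH"}


@dataclass(frozen=True)
class Finding:
    client: str
    method: str
    path: str
    severity: str


def find_plaintext_hr_requests(log_text):
    """Return one Finding per HR/payroll request that arrived over plain HTTP.

    Lines that do not match the assumed format are skipped rather than
    guessed at, so a malformed line cannot hide or fabricate a finding.
    """
    findings = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        rec = match.groupdict()
        if rec["scheme"] != "http":
            continue  # TLS was used; nothing to report
        if not rec["path"].startswith(HR_PATH_PREFIXES):
            continue  # not an HR or payroll resource
        severity = "high" if rec["method"] in BODY_METHODS else "medium"
        findings.append(Finding(rec["client"], rec["method"], rec["path"], severity))
    return findings


def summarize(findings):
    """Count findings by severity so a reviewer can see the scale at a glance."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in find_plaintext_hr_requests(SAMPLE_LOG):
        print(f"{f.severity:6} {f.client:12} {f.method:5} {f.path}")
    print(summarize(find_plaintext_hr_requests(SAMPLE_LOG)))
```

Run against real logs, a non-empty result is the evidence HR needs to take to IT: the fix is to serve the self-service application only over TLS and redirect plain HTTP requests, not to tune the script.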

Compared to other departments, D’Sousa said HR is above average when it comes to dealing with security issues. That’s because HR has always had the mandate to protect employee data and keep much of it confidential. And as technology began to take hold, many firms took the positive step of keeping HR and payroll systems separated from the rest of the network.

“That being said, it’s not always necessarily the case,” said D’Sousa. “It’s not unusual to have the main server or the mainframe that has not just the business applications but the employee applications on them as well. So it might be possible that if you were to compromise a system, you would compromise all of the data on that system, including employee data.”

Another advantage for HR is that employee data isn’t a very enticing target for hackers, according to Frank Rogelj, regional sales manager for ASL Consulting, a Toronto-based HR technology firm. But that doesn’t mean firms can be lax about ensuring adequate measures are in place.

“If you’ve adopted best practices, the likelihood of someone hacking into your system is pretty low,” said Rogelj. “If you’re doing SSL (secure socket layer), firewalls and encryption, there would be a great deal of time invested by the hacker to get in. There just isn’t a significant gain in hacking into HRMS records like there is in hacking into a financial institution to steal credit card numbers.”

The internal threat

While the image of an anonymous hacker hunched over a computer busting into the corporate system is frightening, the real threat to organizations comes from within. According to a recent survey, 75 per cent of organizations cited disgruntled employees — both former and current — as the most likely source of attacks. The study, conducted by the Computer Security Institute in 2002, surveyed 503 computer security practitioners in large U.S. organizations. And the vast majority — 90 per cent — said there had been some sort of security breach in their organizations.

Anthony Cina, a product manager for managed security services at AT&T Global Services Canada, said one of the things many organizations fail to do — either through a lack of proper policies or just a lack of communication — is to cancel access when an employee leaves.

“That’s one thing that is frequently missed, or takes too long to happen,” said Cina. “When employees leave the company, their authorization or password or user ID are never revoked. They need to do a better job to make sure everything is cancelled and all their access is taken away.”
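Because the HR system is the record of who has left and the directory is the record of who can still log in, the gap Cina describes can be found by reconciling the two. The following is an added example, not code from the article or from AT&T: it compares a constructed HR roster against constructed directory accounts (both field layouts are assumptions) and lists every enabled account whose employee has been terminated, with how many days it has stayed open, plus enabled accounts with no employee record at all; known service accounts are exempted through an explicit allow-list.

```python
from datetime import date

# Constructed sample data for this example (not from the article).
HR_ROSTER = [
    {"employee_id": "E1001", "name": "A. Singh", "status": "active", "termination_date": None},
    {"employee_id": "E1002", "name": "B. Tremblay", "status": "terminated", "termination_date": date(2003, 3, 14)},
    {"employee_id": "E1003", "name": "C. Okafor", "status": "terminated", "termination_date": date(2003, 4, 28)},
]

DIRECTORY_ACCOUNTS = [
    {"username": "asingh", "employee_id": "E1001", "enabled": True},
    {"username": "btremblay", "employee_id": "E1002", "enabled": True},   # left, still enabled
    {"username": "cokafor", "employee_id": "E1003", "enabled": False},    # left, correctly disabled
    {"username": "jdoe-contract", "employee_id": "E1099", "enabled": True},  # unknown to HR
    {"username": "svc-backup", "employee_id": None, "enabled": True},     # service account
]

# Accounts that legitimately have no employee behind them (assumed allow-list).
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc-backup"})


def find_orphaned_accounts(roster, accounts, today, service_accounts=frozenset()):
    """Return enabled accounts that should have been revoked.

    Two reasons are reported: the employee is no longer active in HR, or the
    account maps to no HR record at all. Disabled accounts and allow-listed
    service accounts are skipped.
    """
    by_id = {emp["employee_id"]: emp for emp in roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"] or acct["username"] in service_accounts:
            continue
        emp = by_id.get(acct["employee_id"])
        if emp is None:
            findings.append({
                "username": acct["username"],
                "reason": "no matching employee record",
                "days_open": None,
            })
        elif emp["status"] != "active":
            term = emp["termination_date"]
            findings.append({
                "username": acct["username"],
                "reason": "employee terminated",
                "days_open": (today - term).days if term else None,
            })
    return findings


def worst_lag_days(findings):
    """Longest time a terminated employee's account has stayed enabled."""
    lags = [f["days_open"] for f in findings if f["days_open"] is not None]
    return max(lags) if lags else 0


if __name__ == "__main__":
    report = find_orphaned_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, date(2003, 5, 1), KNOWN_SERVICE_ACCOUNTS)
    for f in report:
        print(f"{f['username']:15} {f['reason']:28} days_open={f['days_open']}")
    print("worst lag (days):", worst_lag_days(report))
```

Running this on a schedule turns the offboarding policy into a measurable control: the list is the set of accounts to disable today, and the worst-lag figure shows whether revocation is "taking too long to happen".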

HR also needs to ensure policies are reviewed regularly to ensure they keep up with the mind-boggling pace of technology.

“Security approaches and technology approaches that were completely acceptable five years ago are completely useless today,” said Kolasa. “The rules have changed, the media has changed, the way people use computers has changed. Many more people know how to use computers, and therefore many more people have the knowledge to be able to hack.”

The recent surge in wireless networks being adopted in the corporate world is opening a new door for hackers, who can literally drive around town looking for hot spots where they can connect to the Internet or break into corporate systems.

“It used to be war dialing, where you would take a dialer and dial phone numbers to try to get into phone systems,” said D’Sousa. “But now we have war driving, where somebody is literally driving by attempting to pick up a signal.”

Laptops equipped with cheap wireless network cards can pick up those signals and, depending on how the wireless network is configured, give the user the same access to the network an employee would have inside the office. Sophisticated hackers can use state-of-the-art equipment to drive around a city and map out all of the wireless hot spots.
