When UBS PaineWebber hired Roger Duronio as a full-time systems administrator in 1999, it didn’t do a background check on him. An investigation likely would’ve turned up a police record that included burglary and aggravated assault convictions in the 1960s, drug charges in 1978 and 1980 for which he wasn’t convicted, and a drunken driving case in the 1990s.
Those records were filed by the U.S. District Court in New Jersey’s Probation Office ahead of last month’s sentencing of Duronio, 63, convicted this summer of computer sabotage and securities fraud. In 2002, Duronio unleashed a “logic bomb” on UBS’ computer systems that crashed 2,000 of the company’s servers and left 17,000 brokers unable to make trades. It cost about $3.1 million to fix. UBS didn’t disclose the damage from lost business.
Duronio’s criminal past is the kind of information most employers need to know, especially if they’re hiring someone who will have access to key systems and applications. Duronio was one of about 40 people with the company’s highest computer security clearance, according to court documents, and he had root access to the system.
UBS PaineWebber, renamed UBS Wealth Management USA in 2003, did background checks on a selective basis in 1999, but not on Duronio when he went from being a contractor to a full-timer, a company spokeswoman says. Now the company checks all full-time, part-time and temporary workers, she says.
That’s good policy. “You better consider how important IT is,” says Alan Paller, director of research at the SANS Institute (www.sans.org). “Consider if you could keep on doing business if someone inside hit you with a logic bomb,” he says. “If you can’t, you should think about background checks.”
Would a background check have turned up Duronio’s record? At I&T sibling publication InformationWeek’s request, investigation firm Fairfax Group found most of the information in the probation report within four days using only public records, and some within 24 hours. Such a search would cost about $500, or about $250 if the person provided a waiver and information such as a Social Security number, says Fairfax Group president Michael Hershman.
Thirty percent of insiders who launch system attacks have criminal records, says Dawn Cappelli, a senior member of Carnegie Mellon University’s CERT security response team, citing a 2006 study. In that study, 73 percent of companies did background checks, compared with just 48 percent in the 2005 study.
Companies just starting to do checks on job candidates also should do checks on current employees, says Ken van Wyk of Alexandria, Va.-based information security consulting firm KRvW Associates. But be open about it, and make sure people understand why it’s necessary, he says.
IT and HR managers also need to discuss beforehand what’s acceptable past behavior and what isn’t, says Howard Schmidt, a former White House security adviser who’s now CEO of R&H Security Consulting. “If someone had a DUI 20 years ago, or they were arrested for marijuana in the ’60s, you check the circumstances,” Schmidt says. “Was it a drinking problem, or was it one night out celebrating a birthday? It’s the repeating of a failure to comply with the rule of law that I would be looking for.”
Schmidt warns that background checks are no guarantee. But in fighting insider threats, more companies are deciding they’re worth the time and expense.