
Business Technology

Tuesday, February 06, 2007

Are Background Checks Necessary For IT Workers?

January 29, 2007 from Information Week – “When UBS PaineWebber hired Roger Duronio as a full-time systems administrator in 1999, it didn't do a background check on him. An investigation likely would've turned up a police record that included burglary and aggravated assault convictions in the 1960s, drug charges in 1978 and 1980 for which he wasn't convicted, and a drunken driving case in the 1990s.

Those records were filed by the U.S. District Court in New Jersey's Probation Office ahead of last month's sentencing of Duronio, 63, convicted this summer of computer sabotage and securities fraud. In 2002, Duronio unleashed a "logic bomb" on UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades. It cost about $3.1 million to fix. UBS didn't disclose the damage from lost business.

Duronio's criminal past is the kind of information most employers need to know, especially if they're hiring someone who will have access to key systems and applications. Duronio was one of about 40 people with the company's highest computer security clearance, according to court documents, and he had root access to the system.

UBS PaineWebber, renamed UBS Wealth Management USA in 2003, did background checks on a selective basis in 1999, but not on Duronio when he went from being a contractor to a full-timer, a company spokeswoman says. Now the company checks all full-time, part-time and temporary workers, she says.

That's good policy. "You better consider how important IT is," says Alan Paller, director of research at the SANS Institute (www.sans.org). "Consider if you could keep on doing business if someone inside hit you with a logic bomb," he says. "If you can't, you should think about background checks."

Would a background check have turned up Duronio's record? At I&T sibling publication InformationWeek's request, investigation firm Fairfax Group found most of the information in the probation report within four days using only public records, and some within 24 hours. Such a search would cost about $500, or about $250 if the person provided a waiver and information such as a Social Security number, says Fairfax Group president Michael Hershman.

Thirty percent of insiders who launch system attacks have criminal records, says Dawn Cappelli, a senior member of Carnegie Mellon University's CERT security response team, citing a 2006 study. In that study, 73 percent of companies did background checks, compared with just 48 percent in the 2005 study.

Companies just starting to do checks on job candidates also should do checks on current employees, says Ken van Wyk of Alexandria, Va.-based information security consulting firm KRvW Associates. But be open about it, and make sure people understand why it's necessary, he says.

IT and HR managers also need to discuss beforehand what's acceptable past behavior and what isn't, says Howard Schmidt, a former White House security adviser who's now CEO of R&H Security Consulting. "If someone had a DUI 20 years ago, or they were arrested for marijuana in the '60s, you check the circumstances," Schmidt says. "Was it a drinking problem, or was it one night out celebrating a birthday? It's the repeating of a failure to comply with the rule of law that I would be looking for."

Schmidt warns that background checks are no guarantee. But in fighting insider threats, more companies are deciding they're worth the time and expense.”

180 View - While insiders aren't the most common security problem, they can be among the most costly and the most damaging to a company's reputation. Insider attacks against IT infrastructure and data are among the security breaches most feared by both government and corporate security pros.

Lawrence Young (an associate of 180 Systems) has always done background checks on the people he employed in the past. Lawrence says that the degree of checking, including using a third-party investigation agency, varies with the job the individual is being hired to perform. In fact, Lawrence made every employment offer conditional upon receiving a satisfactory background check, and advised the potential employee that he might use a third-party investigation agency.

Investigation agencies typically provide written reports with details on an individual’s education, past employment, lifestyle habits, and any encounters with ‘the law’, information that would otherwise be difficult for the typical employer to obtain.

Lawrence also strongly suggests that all system access be revoked immediately when an IT employee is terminated. While that may sound obvious, research shows that about half of all insider attacks take place between the time an IT employee is dismissed and his or her user privileges are taken away.

  © 2004 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved