Are Background Checks Necessary For IT Workers?
4foot10 writes "UBS PaineWebber learned a hard lesson after hiring an IT systems admin without conducting a background check. Now its ex-employee is slated to be sentenced for launching a 'logic bomb' in UBS' computer systems that crashed 2,000 of the company's servers and left 17,000 brokers unable to make trades."
"What do you know about your own people?" asks Alan Paller, director of research at the SANS Institute, a security firm. ...nuff said.
Would you like your email to be read by someone you don't even know? Well that is what could happen if you hire a SysAdmin and do not conduct a background check. I know that I would actually prefer if my name was run through a background check so that management can actually trust me instead of always wondering.
"a 2006 study showed that 30% of insiders who are caught launching an attack against their employers have arrest records, and that those charges don't generally include computer crimes."
That means a background check won't catch 70% of the malicious insiders. This article is meaningless without info about the rates of attacks from insiders who would've passed or failed background checks. It's a reasonable hypothesis to say that IT workers with criminal records are more likely to launch insider attacks, but there's no scientific evidence of it in this article. It's all fluff based on one person's case.
No organization that large should technologically empower a single person to be able to do that much damage without some sort of review process that would have caught the problem.
Did his changes get reviewed by his peers?
Did they go through some sort of QA process?
While it's a bit scary that they hired a criminal, that's hard to avoid in any large organization.
What's really *really* scary is that their internal processes let him do that much damage. I'd be worried if I were their customer.
Prosecutors charged that Duronio, angry over not receiving as large a bonus as he had expected, sought revenge against his employer [... who] spent about $3.1 million to assess the damages and restore the computer systems, [... and] haven't reported how much was lost in business downtime.
In retrospect, it appears that the entire event, as well as the financial damages and the hit to the company's reputation, could've been avoided if UBS PaineWebber, a giant in the financial community, had done a background check on Duronio when he had been hired.
And I see the problem as being caused by a lack of bonuses in IT. Prevent logic bombs, give your IT workers large bonuses!
(I'm talking to you, boss)
Learn to love Alaska
Yes, of course admins with the ability to wreak major havoc at an organization should have to undergo background checks. Several years ago I worked at a Fortune 500 company, and there were no background checks done at all for IT staff. Turns out we hired a guy who used a fake name and someone else's social security number, and he worked as one of our main sysadmins for over a year, with privileges on probably 100 servers and full privileges on the email servers, before he was caught. I thought background checks were a waste of time until that...scared me half to death because no one had any idea what he'd done in all that time, and worse, no idea who he actually was.
This is something that has affected me in the past year, while trying to get a job in the industry. I can completely understand background and credit checks, but at the same time, many prospective employers do not even give me a chance to explain myself, or the reason things came up. Granted, I'm only 24, and people see me as some damn kid who wants to show off to his friends, but that is completely opposite of what I'm there to do. I can understand that prospective employers see several arrests as a juvenile, and I'm instantaneously blacklisted. My credit has gone to shit too, especially after a messy divorce that has dragged on for way too long. /end rant
Ok, so I know I'm going to get modded down on this, but it's something that is really never spoken about. True, it can affect the job search for many of us, but I support having background checks, on the condition that we, the people being investigated, be offered a chance to explain ourselves, and to not become prospective employee investigation # 54283.
How would burglary and assault (um... 47 YEARS AGO) lead to logic bombs? (From the OP) How would this have helped?
From the article:
Using only publicly available information, Hershman found three incidents, including drug-related charges from 1980 and a tax violation, within 24 hours. Within three or four days, he says investigators found information on a conviction and incarceration from the early 1960s related to aggravated assault and burglary charges. A presentencing[sic] report from the Probation Office in U.S. District Court also lists charges against Duronio from the 1960s, 1970s, 1980s, and 1990s.
So... basically, 27 years ago this guy had a drug case, and more than 40 years ago had an aggravated assault and burglary charge. From this they were supposed to deduce that this guy was going to logic bomb them?
Or, according to TFA and Hershman, this would've been enough for them not to hire him at all or just for computer work? He doesn't say. I've worked in firms that would refuse to hire you if you had anything on your record.
Please note here that Mr. Hershman sells this service and I am not so sure that he would be considered unbiased.
Here is some guy that would have been penalized for something he did 40 years ago?
Talk about 2nd class citizens. Do they understand that over 2% of the population is in prison and a considerable portion of people living today have been in prison or convicted of some offense at one point or another?
One of the engineers I hired had a drug conviction, but it was clear that she was recovering and this was a good opportunity for her. That was several years ago. Do I feel bad about that? Of course not.
I understand why companies feel the need to do criminal background checks to absolve themselves of a possible lawsuit. (They are culpable if they hire an ax-murderer just released from prison and he axifies some people.)
I believe that some of this is designed to find a chink to break down an employee so he/she will accept less in salary.
"Hmm... you have bad credit. Oh look, you also have some speeding tickets. Now, how much did you say you wanted for the privilege of working here?"
Criminal background checks should be used judiciously in sensitive positions. IT is probably one of those... but companies shouldn't just rubber-stamp anyone with a conviction a "no hire".
Is there any evidence that there is a correlation between that and long-past criminal convictions that aren't closely related to the kind of damage they later do?
I do background checks for a living.
I wouldn't go as far as to say that it's snake oil, but I definitely think it's oversold by so-called security types.
I think they are most useful in predicting some types of violent behavior. In my experience, an individual who gets charged and convicted with domestic violence in their 50s almost always has a dozen speeding tickets, a criminal trespass conviction and maybe a disorderly conduct charge for good measure. Background checks might be useful to predict this type of potential behavior.
On the other hand, people who commit murder or sexual offenses (whether it's in their 20s, 30s, 40s or 50s) won't even have a parking ticket in their name. I feel like they just snap one day. So in this regard, background checks are worthless.
Theft and burglary and related charges are 95% of the time committed by those under 25. It just doesn't come up later in life. Background checks can be misleading in this regard.
Background checks that go back 30 or 40 years are pretty expensive (as noted in the article) and unusual. If you did your crime in the 70s I'm guaranteed not to find it.
My biggest issue is that background checks are hugely dependent on our judicial system, which doesn't operate as "cleanly" as the credit rating system, but for some reason, is treated as if it did.
Money used in defense plays a huge role in things. An extra grand or two on a lawyer might very well be the difference between being offered a plea bargain to misdemeanor 1 Theft, and being offered a plea bargain to misdemeanor 4 unauthorized use of property with the prosecutor agreeing to expunge the case in a year. (Whereas the credit rating system keeps all the records out there, what keeps criminal records around in the judicial system might have very little to do with the crime perpetrated.)
How the state legislature enacted laws plays a huge role, though one the security companies like to dismiss. For instance, my state of Ohio has probably the nation's most liberal marijuana possession laws--anything under 100g is a minor misdemeanor, maximum fine $100--and no public record. In quite a lot of states the same possession is a high level misdemeanor with jail time and obviously, a public record.
Does that mean that two people who've been cited for marijuana possession (same quantity), one in a state like Ohio with no public record, and another in a state with a public record will be treated very differently by companies because of their records? Absolutely. But that strikes me as neither fair nor particularly logical--after all, neither the companies nor the security firms ever really sit down and realize that they are dependent on the state for the information--and that different laws in different states cause different information outcomes. They just use whatever information they have against the job candidate.
If anything, a psychological profile would be the proper approach.
And with a failure rate of about 20% (according to my headhunter) these personality tests keep a lot of good people out of jobs.
But I suppose we're all supposed to prostrate in front of the almighty corporation. God forbid companies take risks or put in place mitigation strategies so that rogue employees can't bring the whole place down.
Did they make Ken Lay take a personality test? What about Jeff Skilling? I suspect they would have been found ideal based on the types of questions on these tests - which tend to focus on attention to detail, attitude, and trust in coworkers. Yet these men ruined the livelihoods of thousands with their greed. But personality tests don't probe for greed or concern for others (at least not the ones I've taken). They're also pretty invasive, asking about a prospective employee's personal life.
The personality test I took was at a company in Baton Rouge, Louisiana. My friends back in Silicon Valley couldn't believe some of the questions that were on the test, and would "just have walked out". But I need a job, so I took the test. It said I wasn't gregarious enough and something of a solitary worker. So despite a director-level assurance that they wanted to hire me, the personality test made the hiring decision for them.
Personality tests are measurements based on what companies think they want to know - and this isn't truly useful information. A "loner" might be able to accomplish more, faster, than folks who are sociable and who hang out at the coffee pot for several minutes a day, but according to the Caliper test, these people aren't good fits at most companies.
I think that based on these simple observations, personality tests (and by extension, background checks) are less useful than they're billed as being.