Roger Duronio, a former UBS PaineWebber Inc. systems administrator, was charged this week with planting a logic bomb on the financial-services company's network, once again highlighting the difficulties businesses face in securing systems from insiders who turn bad.
Federal prosecutors say Duronio bought UBS put options with the hope that the company's stock price would fall as a result of damage caused by the logic bomb, which is software code designed to harm computer systems. On March 4, the indictment contends, the bomb went off and damaged files on more than 1,000 of UBS's computers.
Duronio is being charged with securities fraud and one count of computer-related fraud, carrying a combined maximum sentence of 20 years prison and fines of more than $1.25 million. The logic bomb allegedly deleted files and led to $3 million in costs for PaineWebber to assess and repair the damage.
Chief security officers say it's very difficult to protect business-technology systems from trusted employees. "If someone on the inside is brazen enough, there's not much you can do. You've got to trust people," says a security officer at a major financial-services firm.
There have been plenty of examples in recent months of insiders and former employees committing computer crimes. Last month, federal investigators said they thwarted the largest identity-theft ring in U.S. history. It was led largely by a person who had access to customer credit reports and reportedly victimized more than 30,000 people, with losses expected to exceed $2.7 million. In September, a San Dimas, Calif., man pleaded guilty to illegally accessing the computer systems of his former employer to gain competitive advantage after taking a job with a rival firm.
Security and business-technology managers view attacks over the Internet as their greatest threat. For the fifth year in a row, respondents to the Computer Security Institute/FBI Computer Crime and Security Survey cited the Internet as the most frequent point of attack: 74% cited the Internet, while 33% cited internal systems.
Yet, "companies aren't spending enough, or doing enough, to protect their systems," says Mark Rasch, former head of the Justice Department's computer-crimes unit and senior VP and chief security counsel for security vendor Solutionary Inc. "It's still mostly just talk. The bad news is it's going to take a catastrophic event" to get companies to take security seriously, and Rasch believes that such an event "is going to happen."
And it may be caused by insiders, those who know a company's systems and weaknesses and can inflict serious damage. Solid technology, tough policies, and tight control over systems changes are needed to protect a company's electronic assets from malicious employees, security experts say.
"It's a matter of strong change control," says Peter Tippett, vice chairman and chief technologist for security-services company TruSecure Corp. "When it comes to administrators with access to servers, you have to have them watch each other. It should take two administrators present for any changes to the system." All server changes need to be logged to separate systems that the administrators can't access and change, Tippett says. "You start doing that, and they'll know they'll get caught. It's a deterrent."
That advice looks good on paper, says the chief security officer at a consumer-goods manufacturer in New Jersey. "I barely have the staff to keep up on maintenance and patches," he says. "I can't afford to have two administrators at every server for every update."
Still, it might be cheaper than dealing with the damage caused by a disgruntled staffer or former employee. While no company can totally protect its systems, especially from insiders, aggressive policies can cut the risk. "It will still happen from time to time," Tippett says. "But you can greatly reduce the likelihood."