When flexible working met outsourcing

One ‘enterprising’ employee in the US last week reminded us of one the basic truths of IT security. Logicalis CEO Ian Cook looks at what happened when flexible working met outsourcing.

At first glance, it is hard to know whether to applaud the audacity and inventiveness, or gasp at sheer breadth of the deceit.  Last week, details emerged of an extra-ordinary security breach in the US – a breach very much of its time, a meeting of flexible working and outsourcing.

In short, a well respected employee at a US form found a way to outsource his work to a consulting firm (possibly a network of consulting firms) in China.  As the BBC reported:

“A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China.

“The software developer, in his 40s, is thought to have spent his workdays surfing the web, watching cat videos on YouTube and browsing Reddit and eBay.

“He reportedly paid just a fifth of his six-figure salary to a company based in Shenyang to do his job.”

<img class="size-medium wp-image-530" title="Going as far as atoledo to FedEx his RSA security token to China!” alt=”Going as far as to FedEx his RSA security token to China!” src=”http://www.cxounplugged.com/wp-content/uploads/2013/01/url-300×165.gif” width=”300″ height=”165″ /> Going as far as to FedEx his RSA security token to China!

How is this possible?  As it turns out, rather easily.  The employee simply gave his Chinese contacts access to his employer’s VPN – even going as far as to FedEx his RSA security token to China, thus allowing third-party subcontractors to log in using his credentials during the working day.

His employer had, by all accounts, been moving towards a telecommuting environment, allowing its developers to work from home more and more, and had put in place a “fairly standard VPN concentrator” around two years previously.  Astonishingly, however, the Facebook-loving employee had been operating his scam almost from the beginning, and his actions only came to light when multiple VPN connections from China were spotted on VPN logs many months later.

Whether you think the scam ingenious, devious or dangerous it serves as a handy reminder of one of the basic rules of security – a security system is only as strong as its weakest link.  Unfortunately, that weakest link is very often, as in this case, human.

It could be argued that the scam should have been sported sooner – and that is certainly true.  Any organisation operating a VPN should be either manually or automatically scanning logs for anomalous activity, something that would sure have stopped this scam in its tracks.

On the other hand, the employee’s cunning plan was so outlandish and audacious, maybe his employer can be forgiven.  After all, it’s the things hidden in plain sight that are often hardest to spot.

Next week, what lessons have been learnt about disaster recovery after Super Storm Sandy?

Ian Cook

About Ian Cook

Ian Cook is Executive Chairman of Logicalis Group. He joined Logicalis as CEO, European Operations in 2003 and became CEO of Logicalis Group in March 2007, transforming the organisation to become an international brand and a respected partner of the major technology vendors. Logicalis Group has consistently grown turnover and profit as well as improving business efficiency ratios under Ian’s direction.

In March 2014, Ian stepped down to become Executive Chairman of Logicalis Group after 7 years of leadership. Ian has extensive experience in the technology industry spanning more than 25 years. He joined Logicalis from Damovo where he had extensive involvement in their international operations as COO.

Prior to Damovo in 1990, Ian led the Board of Cablestream which became Siemens Network Systems Ltd (now Affiniti), one of the UK’s leading network integrators. Over a 10 year period at SNSL he rose to Group Managing Director responsible for operations across Europe. Previously he was Sales & Marketing Director at Case Communications Ltd, a manufacturer of data communications equipment with operations in the UK, USA and Asia Pacific.
This entry was posted in Managed Services, Outsourcing Services, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>