One ‘enterprising’ employee in the US last week reminded us of one of the basic truths of IT security. Logicalis CEO Ian Cook looks at what happened when flexible working met outsourcing.
At first glance, it is hard to know whether to applaud the audacity and inventiveness, or gasp at the sheer breadth of the deceit. Last week, details emerged of an extraordinary security breach in the US – a breach very much of its time, a meeting of flexible working and outsourcing.
In short, a well-respected employee at a US firm found a way to outsource his work to a consulting firm (possibly a network of consulting firms) in China. As the BBC reported:
“A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China.
“The software developer, in his 40s, is thought to have spent his workdays surfing the web, watching cat videos on YouTube and browsing Reddit and eBay.
“He reportedly paid just a fifth of his six-figure salary to a company based in Shenyang to do his job.”
How is this possible? As it turns out, rather easily. The employee simply gave his Chinese contacts access to his employer’s VPN – even going as far as to FedEx his RSA security token to China, thus allowing third-party subcontractors to log in using his credentials during the working day.
His employer had, by all accounts, been moving towards a telecommuting environment, allowing its developers to work from home more and more, and had put in place a “fairly standard VPN concentrator” around two years previously. Astonishingly, however, the Facebook-loving employee had been operating his scam almost from the beginning, and his actions only came to light when multiple VPN connections from China were spotted on VPN logs many months later.
Whether you think the scam ingenious, devious or dangerous, it serves as a handy reminder of one of the basic rules of security – a security system is only as strong as its weakest link. Unfortunately, that weakest link is very often, as in this case, human.
It could be argued that the scam should have been spotted sooner – and that is certainly true. Any organisation operating a VPN should be either manually or automatically scanning logs for anomalous activity, something that would surely have stopped this scam in its tracks.
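As an added illustration (not from the original article) of the log scanning described above, the following Python script runs two simple checks over constructed VPN concentrator log lines: it flags a login from a country outside an assumed allow-list, and a login that overlaps an existing session for the same user from a different source address. The log format, the prefix-to-country table, the user names and the addresses are all assumptions.

```python
import re

# Constructed sample VPN concentrator log lines (not from the original post).
SAMPLE_LOG = """\
2013-01-07T08:55:02Z user=bob event=login src=198.51.100.20
2013-01-07T09:03:41Z user=bob event=login src=203.0.113.77
2013-01-07T09:10:05Z user=alice event=login src=198.51.100.31
2013-01-07T17:02:10Z user=bob event=logout src=203.0.113.77
2013-01-07T17:30:00Z user=bob event=logout src=198.51.100.20
2013-01-07T17:45:12Z user=alice event=logout src=198.51.100.31
"""

# Constructed prefix-to-country table standing in for a real GeoIP lookup (assumption).
GEO_PREFIXES = {"198.51.100.": "US", "203.0.113.": "CN"}
# Countries from which this (hypothetical) workforce is expected to connect.
EXPECTED_COUNTRIES = {"US"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>login|logout) src=(?P<src>\S+)$"
)


def country_of(ip):
    """Map a source address to a country code via the constructed prefix table."""
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def find_anomalies(log_text):
    """Return (user, timestamp, reason) tuples for suspicious VPN logins."""
    active = {}  # user -> {source ip: login timestamp} for sessions still open
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        user, event, src, ts = m["user"], m["event"], m["src"], m["ts"]
        sessions = active.setdefault(user, {})
        if event == "logout":
            sessions.pop(src, None)
            continue
        cc = country_of(src)
        if cc not in EXPECTED_COUNTRIES:
            findings.append((user, ts, f"login from unexpected country {cc} ({src})"))
        others = [ip for ip in sessions if ip != src]
        if others:  # a second live session for the same account from elsewhere
            findings.append((user, ts, f"concurrent session from {src} while active from {', '.join(others)}"))
        sessions[src] = ts
    return findings
```

Run against the sample, the script reports both the login from the unexpected country and the overlapping session for the same account, which is exactly the pattern the article says finally surfaced in the VPN logs.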
On the other hand, the employee’s cunning plan was so outlandish and audacious, maybe his employer can be forgiven. After all, it’s the things hidden in plain sight that are often hardest to spot.
Next week, what lessons have been learnt about disaster recovery after Super Storm Sandy?