
When flexible working met outsourcing

28th January 2013

One ‘enterprising’ employee in the US last week reminded us of one of the basic truths of IT security. Logicalis CEO Ian Cook looks at what happened when flexible working met outsourcing.

At first glance, it is hard to know whether to applaud the audacity and inventiveness, or gasp at the sheer breadth of the deceit. Last week, details emerged of an extraordinary security breach in the US – a breach very much of its time, a meeting of flexible working and outsourcing.

In short, a well-respected employee at a US firm found a way to outsource his work to a consulting firm (possibly a network of consulting firms) in China. As the BBC reported:

“A security check on a US company has reportedly revealed one of its staff was outsourcing his work to China.

“The software developer, in his 40s, is thought to have spent his workdays surfing the web, watching cat videos on YouTube and browsing Reddit and eBay.

“He reportedly paid just a fifth of his six-figure salary to a company based in Shenyang to do his job.”

[Image: Going as far as to FedEx his RSA security token to China!]

How is this possible?  As it turns out, rather easily.  The employee simply gave his Chinese contacts access to his employer’s VPN – even going as far as to FedEx his RSA security token to China, thus allowing third-party subcontractors to log in using his credentials during the working day.

His employer had, by all accounts, been moving towards a telecommuting environment, allowing its developers to work from home more and more, and had put in place a “fairly standard VPN concentrator” around two years previously.  Astonishingly, however, the Facebook-loving employee had been operating his scam almost from the beginning, and his actions only came to light when multiple VPN connections from China were spotted on VPN logs many months later.

Whether you think the scam ingenious, devious or dangerous, it serves as a handy reminder of one of the basic rules of security – a security system is only as strong as its weakest link. Unfortunately, that weakest link is very often, as in this case, human.

It could be argued that the scam should have been spotted sooner – and that is certainly true. Any organisation operating a VPN should be either manually or automatically scanning logs for anomalous activity, something that would surely have stopped this scam in its tracks.
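As an added illustration of the log scanning recommended above (not part of the original post), the following Python script parses a constructed VPN concentrator log and flags the two conditions that would have exposed this scheme: a login from a country the firm does not operate in, and a second session opened for the same account from a different source address while the first is still active. The log format, user names, addresses and the EXPECTED_COUNTRIES set are all assumptions.

```python
# Detect anomalous VPN sessions in a simple key=value log (constructed format).
from datetime import datetime
from collections import defaultdict

# Constructed sample log, one event per line; not from any real concentrator.
SAMPLE_LOG = """\
2013-01-14T08:55:02Z user=bob action=connect src=198.51.100.7 country=US session=s1
2013-01-14T09:01:40Z user=bob action=connect src=203.0.113.9 country=CN session=s2
2013-01-14T12:30:00Z user=bob action=disconnect session=s1
2013-01-14T12:45:10Z user=alice action=connect src=198.51.100.22 country=US session=s3
2013-01-14T17:02:33Z user=bob action=disconnect session=s2
2013-01-14T17:10:00Z user=alice action=disconnect session=s3
"""

EXPECTED_COUNTRIES = {"US"}  # assumption: staff only connect from the US

def parse(log_text):
    """Turn each line into a dict with ts, user, action, session (+ src, country)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def find_anomalies(log_text, expected=EXPECTED_COUNTRIES):
    """Return a list of (kind, user, detail) findings in log order."""
    findings = []
    open_sessions = defaultdict(dict)  # user -> {session_id: (src, country)}
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        user, sid = ev["user"], ev["session"]
        if ev["action"] == "disconnect":
            open_sessions[user].pop(sid, None)
            continue
        if ev["country"] not in expected:
            findings.append(("unexpected_country", user, ev["country"]))
        # A session for this account is already open from another address:
        # one person cannot be in two places, so someone else holds the credentials.
        for src, _country in open_sessions[user].values():
            if src != ev["src"]:
                findings.append(("concurrent_sessions", user, f"{src} and {ev['src']}"))
        open_sessions[user][sid] = (ev["src"], ev["country"])
    return findings

if __name__ == "__main__":
    for kind, user, detail in find_anomalies(SAMPLE_LOG):
        print(f"{kind}: {user} ({detail})")
```

In a real deployment the country would come from a GeoIP lookup on the source address, and the second rule should also consider sessions that overlap across the day rather than only at connect time.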

On the other hand, the employee’s cunning plan was so outlandish and audacious, maybe his employer can be forgiven.  After all, it’s the things hidden in plain sight that are often hardest to spot.

Next week, what lessons have been learnt about disaster recovery after Super Storm Sandy?

Ian Cook

About Ian Cook

Ian Cook joined Logicalis as CEO, European Operations in 2003 and became CEO of Logicalis Group in March 2007, transforming the organisation into an international brand and respected partner of major technology vendors.

In March 2014, after seven years of leadership, Ian stepped down to become Executive Chairman of Logicalis Group and in March 2015 became a non-executive director on the Logicalis Board.

Ian has over 30 years extensive experience in the technology industry. He joined Logicalis from Damovo where he had wide involvement in its international operations as COO.

Prior to Damovo he led the Board of Cablestream which became Siemens Network Systems Ltd (SNSL) one of the UK’s leading network integrators. Over a decade at SNSL he rose to Group Managing Director responsible for operations across Europe.
