Verizon Security Blog har publisert et merkverdig tilfelle av outsourcing. Det er de spesielle som er de beste.
La oss gå gjennom historien:
The scenario was as follows. We received a request from a US-based company asking for our help in understanding some anomalous activity that they were witnessing in their VPN logs. This organization had been slowly moving toward a more telecommuting oriented workforce, and they had therefore started to allow their developers to work from home on certain days. In order to accomplish this, they’d set up a fairly standard VPN concentrator approximately two years prior to our receiving their call.
In early May 2012, after reading the 2012 DBIR, their IT security department decided that they should start actively monitoring logs being generated at the VPN concentrator. (As illustrated within our DBIR statistics, continual and pro-active log review happens basically never – only about 8% of breaches in 2011 were discovered by internal log review). So, they began scrutinizing daily VPN connections into their environment. What they found startled and surprised them: an open and active VPN connection from Shenyang, China! As in, this connection was LIVE when they discovered it.
Så Verizon har gått igjennom VPN-loggene til et selskap de ikke vil nevne med navn, av gode årsaker. Alt vi får vite er at de er et U.S. critical infrastructure company. Det er critical som gjør hele saken så utsøkt.
Plainly stated, the VPN logs showed him logged in from China, yet the employee is right there, sitting at his desk, staring into his monitor.
Hvem er så denne mannen de kaller ‘Developer-Bob», som kan være i Kina via VPN og sitte ved pulten sin i USA – samtidig?
Employee profile –mid-40’s software developer versed in C, C++, perl, java, Ruby, php, python, etc. Relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator. For the sake of case study, let’s call him “Bob.”
Det viser seg at «Bob» rett og slett har outsourcet jobben sin til Kina for $50 000. Arbeidet som kommer inn via hans VPN-konto får han betalt over $250 000 for. Genialt?
Bob spent less that one fifth of his six-figure salary for a Chinese firm to do his job for him. Authentication was no problem, he physically FedExed his RSA token to China so that the third-party contractor could log-in under his credentials during the workday. It would appear that he was working an average 9 to 5 work day. Investigators checked his web browsing history, and that told the whole story.
A typical ‘work day’ for Bob looked like this:
9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos
11:30 a.m. – Take lunch
1:00 p.m. – Ebay time.
2:00 – ish p.m Facebook updates – LinkedIn
4:30 p.m. – End of day update e-mail to management.
5:00 p.m. – Go home
Tilsynelatende en absurd vinn-vinn for ‘Bob’. HR ante nemlig ingen ting.
For the last several years in a row he received excellent remarks. His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building.