For a different take on this story, check out Carl Weinschenk’s post, “This Bob’s Not a Builder.”
Have you heard about the guy now known as “Developer Bob”? He’s the guy who outsourced his job at a critical infrastructure company to someone in China for a fraction of his own pay. Developer Bob came to work each day and got sterling performance reviews for work that someone else was doing, and all the while good old Bob was playing around on social media sites and watching silly cat videos (someday, someone will explain to me the fascination with animal videos).
An article at Time reported that many in the working world think Developer Bob is a genius or a hero. After all, he took to the individual level what many at the corporate level have been doing: outsourcing work to China while still making a hefty income to do nothing but show up all day.
The truth is, Developer Bob should be every company’s worst security nightmare. He was a lazy employee (lazy in that he wanted to spend his days doing nothing) who apparently either didn’t care or didn’t know the risks involved with sending his work to China. After all, we know that one of the biggest security risks to a company comes from insider mistakes or purposeful attacks. Developer Bob didn’t do anything toward a purposeful attack, but he did make a big mistake: He broke a lot of security rules (giving an unauthorized user access to the network, sending his RSA token to China to allow said unauthorized user access to the network).
However, this story brings to light a major security problem for many companies: No one is monitoring network logs. In this case, Developer Bob was brought down because someone did do a security audit and noticed something wasn’t right with the VPN logs. As Help Net Security explained:
The company started monitoring logs being generated at the VPN concentrator, and discovered an open and active VPN connection from Shenyang, China, to one of their employees' workstation. What's more, they discovered evidence of the same VPN connection being established almost every day for months before.
Monitoring logs is a boring job and eats up an incredible amount of time. I know this because it is how my son got his start in the world of network security. As an intern, he spent most of his day looking for anomalies in the logs, and because he did this, the company found some security issues that would have otherwise gone undetected. However, he also told me that until he came along and suggested that those logs be checked, it was a task no one at that company had ever done or even considered doing before.
The one truism about the Internet is that nothing is private. The corollary is that once there, it is there forever. Logs are an effective way to find out what is happening on your network. They don’t let risks like Bob hide – unless you aren’t regularly checking them. Yes, it is one more thing that needs to fit into an already-tight security budget, but it is an ideal entry-level job or intern task. We tend to think that security needs to be focused on the big events, but we need to keep checks on the littlest things as well.
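The kind of check described above, as an added example that is not part of the original post: a short Python script that reads VPN concentrator log lines and flags any user whose logins come from an unexpected country on several different days. The log format, the country column (assumed to come from a GeoIP lookup), the allowed-country list and the threshold are all assumptions, and the sample lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed VPN concentrator log (not data from the incident):
# timestamp, user, source IP, country of the source IP.
# Assumption: the country column is filled in by a GeoIP enrichment step.
# Source IPs are from the reserved documentation ranges.
SAMPLE_LOG = """\
2013-01-07T08:55:12,bob,203.0.113.40,CN
2013-01-07T09:02:41,alice,198.51.100.7,US
2013-01-08T08:57:03,bob,203.0.113.40,CN
2013-01-08T19:30:00,carol,192.0.2.15,DE
2013-01-09T08:54:48,bob,203.0.113.40,CN
2013-01-09T09:10:22,alice,198.51.100.7,US
2013-01-10T08:56:30,bob,203.0.113.41,CN
"""

EXPECTED_COUNTRIES = {"US"}  # assumption: where staff normally connect from
MIN_DAYS = 3                 # assumption: distinct days before it is a pattern


def find_recurring_foreign_logins(log_text, expected=EXPECTED_COUNTRIES,
                                  min_days=MIN_DAYS):
    """Return {(user, country): sorted list of days} for VPN logins from
    unexpected countries seen on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines instead of crashing
        timestamp, user, _src_ip, country = (field.strip() for field in row)
        if country not in expected:
            days_seen[(user, country)].add(timestamp[:10])  # YYYY-MM-DD part
    return {key: sorted(days) for key, days in days_seen.items()
            if len(days) >= min_days}


if __name__ == "__main__":
    hits = find_recurring_foreign_logins(SAMPLE_LOG)
    for (user, country), days in hits.items():
        print(f"{user}: VPN logins from {country} on {len(days)} days "
              f"({days[0]} to {days[-1]})")
```

A single login from abroad (carol in the sample) stays below the threshold, while the day-after-day pattern is what gets reported for review.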
Now that an employee at a critical infrastructure company has handed his login information to someone in China, well, that’s a whole other can of worms that should give us all pause. Those people who applaud Developer Bob’s actions should also take note that this guy created a serious risk to whatever infrastructure he worked with. Anyone who is out to copy Bob may not be so lucky.