Hmmmm... The other night I watched the movie Outsourced from 2006. At one point the main character meets another American in a fast food restaurant in India and he tells him a story exactly like this.
"When you don't know what you're doing it's best to do it quickly" - Jase #DuckDynasty
No need to apologize, sorry if I came across strong. I read securityblog.verizonbusiness.com regularly, so seeing it misquoted was a bit shocking. I’ve listened to these guys at a conference & have a ton of respect for them. I’ve always heard about lazy journalism, just never been able to see a side-by-side comparison.
Anyways… food for thought: How might Bob have avoided getting caught?
1. Actually working from home and letting them tunnel via his laptop and ADSL line.
2. Not keeping invoices on his work PC.
3. Definitely shouldn't have browsed the web so much during working hours on work PC.
Points 2 and 3 alone would already have made the difference in repudiating the "preposterous" claim that he would outsource his own work.
I was thinking something similar. Having Bob’s contractor VPN directly into his company was stupid. China would (and did) easily stand out during even a simple audit. He should’ve set up a VPN in his home and used it as a relay/proxy. Since he was approved to work from home the logs would’ve appeared normal.
Playing this one level deeper… Bob still could’ve been caught because his work box is probably Windows and he probably would’ve used a Linux variant for the relay/proxy. (Windows is the path of least resistance for most businesses and a Linux relay/proxy would be the cheapest for home users.) TCP/IP packets sent from Linux are different than Windows and can usually be passively identified. The catch is who would willingly bring down that level of pain upon themselves. Bob would’ve needed to raise other red flags in order for an average company to undertake that level of detail.
Key takeaway: log everything… and actually review them.
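
The passive identification mentioned in the post above, sketched from the reviewing side as an added example (not part of the original thread): it reads the TTL and TCP option layout of a captured SYN and reports hosts whose fingerprint contradicts the asset inventory. The host names, the sample packets and the two-entry signature table are constructed assumptions; real stacks vary by version and tuning.

```python
import struct

# TCP option kinds mapped to p0f-style short names.
OPT = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}
# Assumption: common default SYN layouts; real stacks vary by version and tuning.
SIGS = {(64, "mss,sok,ts,nop,ws"): "Linux",
        (128, "mss,nop,ws,nop,nop,sok"): "Windows"}

def parse_syn(pkt):
    """Return (ttl, option layout) for a raw IPv4 packet carrying a TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not IPv4/TCP")
    tcp = pkt[ihl:]
    if tcp[13] & 0x12 != 0x02:
        raise ValueError("not an initial SYN")
    opts, i, names = tcp[20:(tcp[12] >> 4) * 4], 0, []
    while i < len(opts):
        kind = opts[i]
        names.append(OPT.get(kind, "?%d" % kind))
        if kind == 0:
            break
        if kind != 1 and (i + 1 >= len(opts) or opts[i + 1] < 2):
            raise ValueError("malformed TCP option")
        i += 1 if kind == 1 else opts[i + 1]
    return pkt[8], ",".join(names)

def guess_os(ttl, layout):
    # Observed TTL = initial TTL minus hops, so round up to a common initial value.
    initial = next(v for v in (32, 64, 128, 255) if ttl <= v)
    return SIGS.get((initial, layout), "unknown")

def mismatches(inventory, observed):
    """List (host, expected, seen) where the fingerprint contradicts the inventory."""
    found = []
    for host, pkt in observed:
        seen = guess_os(*parse_syn(pkt))
        if seen not in ("unknown", inventory.get(host)):
            found.append((host, inventory.get(host), seen))
    return found

def build_syn(ttl, options):
    """Constructed sample packet (checksums left zero; documentation addresses)."""
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0,
                      (20 + len(options)) // 4 << 4, 0x02, 64240, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return ip + tcp

LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
WINDOWS_OPTS = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")
```

Unknown fingerprints are deliberately not reported, so the check only fires when a recognised stack disagrees with what the inventory says the host should be running.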