Re: Rogue Corporate or Tip of the Iceberg?
Here's one from the trenches from about 7 years back.
An announced 'audit' of some of our systems was carried out by an external IT consultancy. Now, to explain what the SOP was: at that point we were operating with something like 80% of the computers managed by two external companies, call them DHX and DHY, and the remaining 20% in-house. We were having issues with viruses getting into the system, and they had decided that the machines run by DHX were the most probable vectors (turns out they were very wrong, amusingly so, in fact. Someone who shouldn't have had admin rights on the DHY machines had demanded them, and was given them - he was doing everything as admin for months).
The audit was carried out on the machines maintained by DHX, and, Lo!, it came to pass that there was much malware installed, at least, according to their report. They recommended all sorts of fun and expensive things be installed and maintained by DHZ, a security specialist firm.
What they and our PHBs didn't know was that we'd carried out our own audit both prior to and post theirs (call me a suspicious and cynical bastard... ours was carried out on the Sunday, theirs on the Monday, our second one late Monday evening). So, after reading their report, I lobbed our report of the state of the machines on the day before and after their audit to the PHBs and asked them to get their consultants to explain the discrepancies.
I do so like shitstorms... fraud is such a loaded word to lob into an already heated conversation.