Introduction
The problem
Why my company should I care about this?
The numbers
What can we do?
Introduction
There is no doubt that the Information security industry is growing fast, companies all over the world are implementing security policies and infrastructure mainly either for compliance or need, either way, in order to do that, they need people with INFOSEC skills, which by the way, there has been a market boom lately, where you see a lot of “Security Experts” in the market, anyways, in lieu of getting the right people into XYZ company, the process generally starts at the HR department, where based on their internal processes if they have one, create a job posting in the corporate web site or hire a head hunter company to do so, the latter is not very commonly used, why? As you may have guessed, the cost.
Companies generally are looking for cutting costs wherever they can, and one of these areas is the HR hiring processes, obviously hiring a head hunter company to get the right people is more expensive than interviewing people on their own, but one of the problems they face is regarding to how are they publishing the job postings?
The problem
What it comes down to, is related to the type of information the HR people is publishing publicly on Internet in the job postings, the problem is not focused in just one country, for this research, I took a sample of 150 job posting divided in 3 countries, thus 50 job offers by country, the ones selected were: USA, Germany and Chile. Key question is how much insight information am I able to post publicly for a job opening? And here is the problem, based on the research I have done, most of the postings contain information that can be classified as critical IT infrastructure components or processes.
Why my company should I care about this?
As you may already know, hackers have been working lot lately, so one of the things, it is being done as first step before trying to accomplish any legal/illegal act, is called passive fingerprinting, where basically they go online and research as deep as they can on the target company in order to get as much information as possible. Here is where the job posting come into play, what kind of information can they get from them?: Company processes, IT Infrastructure, Internal Lingo, Operating systems, security infrastructure components, protection methods, and much more. By publishing all this information and based on the information gathering processes, several techniques can be implemented to achieve hacking activities, such as: Remote attacks, Client side attacks, social engineering, etc, putting your company at risk.
The numbers
The sample I worked, was 150 job posting divided as follows (USA: 50, Germany: 50, Chile: 50), the method used to collect this information was completely manual, thus, going to public job search web sites and going through the posts, I analyzed the information gathered as follows:
What can we do?
HR processes should be in line with the corporate security policy, however, even though companies with strong corporate security policy, lack of basic understanding of how serious is the type of information they are giving away.
As part of the corporate policy, Internet job posting should be reviewed by the BISO and/or SME, since for the first step in any hiring process, should not be necessary to publish all the technical details but if that is the case, you may think of outsourcing your hiring process and keep it anonymous.