Are you a job recruiter or head hunter? If so, you may be unknowingly helping a hacker attack the company you’re trying to help. Have you ever interviewed a candidate who didn’t seem to be qualified but asked a lot of questions about the company you’re hiring for? The hacker will try to take advantage of your dire need to hire someone quickly and extract information that is not readily found online. Does this tactic sound familiar? Maybe it sounds like social engineering?
When a company is on the prowl for new employees, hackers are watching and choosing their next target. Online job websites like “dice.com” are a treasure trove of information for a hacker, and the recruiters provide the rest. Companies divulge confidential details about their environment and share them with job websites and head hunters. To the average person, the information being shared doesn’t seem confidential. What people don’t understand is that a company’s information, given either verbally or online, may help an attacker fill in the gaps in what they have already gathered. The evil is in the details, and you may want to think twice before adding those details.
Below is an example job posting found on dice.com for a “System Administrator”:
The information that’s highlighted in yellow would be very useful to a hacker as they scope out the company that posted the job position. This little information could be used to validate findings or move an attacker into a more refined direction. The average hacker can take these puzzle pieces and assemble them, get an idea of how your infrastructure is comprised, and if chosen, prepare for the attack.
When posting a job position on the public internet, here are a few recommendations:
- Be less detailed in your requirements. (For example, instead of “Windows and Linux OS”, write “multiple operating systems”.)
- Provide in-depth details further along in the interview process to reduce the risk of disclosure.
- Instead of listing multiple products from the same vendor, just list “VMware solutions” and provide details later if required.
- Do not list programming languages unless they are absolutely required for the position.
- If detail like that in the example above is required to find the right candidate, then conceal the name of the company and provide the information later in the interview process.
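The recommendations above can be turned into a simple pre-publication check. The script below is an added example, not code from the original post: it scans a job posting for the kinds of specifics the post warns about (named operating systems, VMware products, network vendors, scripting languages, Microsoft server products and the company name), replaces them with the generic wording suggested above, collapses the “X and X” leftovers that the replacements create, and reports what it found so a recruiter can review the posting before it goes online. The term list and the sample posting are constructed assumptions; extend the list with the products your own environment would leak.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    """One specific term found in the posting and the generic wording it was replaced with."""
    original: str
    replacement: str


# Assumed, illustrative rule set: (regex for a specific term, generic replacement).
# Patterns are case-sensitive because product names are proper nouns in postings.
RULES: List[Tuple[re.Pattern, str]] = [
    # Named operating systems -> "multiple operating systems"
    (re.compile(r"\b(?:Windows Server(?: 20\d\d)?|Windows|Red Hat Enterprise Linux|RHEL|Ubuntu|CentOS|Linux)\b"),
     "multiple operating systems"),
    # Individual VMware products (with optional version) -> "VMware solutions"
    (re.compile(r"\b(?:VMware )?(?:vSphere|ESXi|vCenter|NSX|Horizon)(?: \d+(?:\.\d+)*)?\b|\bVMware\b"),
     "VMware solutions"),
    # Network vendor plus optional capitalized product name (e.g. "Cisco ASA") -> "enterprise network"
    (re.compile(r"\b(?:Cisco|Palo Alto|Fortinet|Juniper)(?: [A-Z][\w-]*)?\b"),
     "enterprise network"),
    # Named scripting/programming languages -> "a scripting language"
    (re.compile(r"\b(?:Python|PowerShell|Bash|Perl|Ruby|Java)\b"),
     "a scripting language"),
    # Microsoft server products with optional year -> "Microsoft server products"
    (re.compile(r"\b(?:Microsoft )?(?:Exchange|SQL Server|SharePoint)(?: (?:Server )?20\d\d)?\b"),
     "Microsoft server products"),
]

COMPANY_PLACEHOLDER = "[company name withheld]"


def redact_posting(text: str, company: Optional[str] = None) -> Tuple[str, List[Finding]]:
    """Return the redacted posting and the list of specific terms that were replaced."""
    findings: List[Finding] = []
    rules = list(RULES)
    if company:
        # Hide the employer's name first, as the post recommends for detailed postings.
        rules.insert(0, (re.compile(re.escape(company)), COMPANY_PLACEHOLDER))

    for pattern, replacement in rules:
        for match in pattern.finditer(text):
            findings.append(Finding(match.group(0), replacement))
        text = pattern.sub(replacement, text)

    # Adjacent replacements leave "X and X" or "X, X"; collapse them until nothing changes.
    for _, replacement in rules:
        dup = re.compile(r"(" + re.escape(replacement) + r")(?:, | and | or |/)\1")
        while True:
            collapsed = dup.sub(r"\1", text)
            if collapsed == text:
                break
            text = collapsed
    return text, findings


# Constructed sample posting (not the dice.com example from the post).
SAMPLE_POSTING = (
    "ACME Corp is hiring a System Administrator in Dallas. Required: 5 years "
    "administering Windows Server 2016 and Red Hat Enterprise Linux; VMware vSphere 6.7 "
    "and vCenter; Cisco ASA firewalls; scripting experience (Python or PowerShell); "
    "Microsoft Exchange 2013 and SQL Server 2014."
)


if __name__ == "__main__":
    redacted, found = redact_posting(SAMPLE_POSTING, company="ACME Corp")
    print("Redacted posting:\n  " + redacted)
    print("\nSpecifics removed:")
    for f in found:
        print(f"  {f.original!r} -> {f.replacement!r}")
```

Run it on a draft posting and treat every line in the “Specifics removed” report as something to hold back until later in the interview process; the redacted text is a starting point for the public version, not a finished advertisement.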
The goal is to stop aiding the hacker and play some defense. If the hacker doesn’t know you run Windows operating systems, then they have to figure it out on their own. Think before you post, and keep the evil out of the details.