There are many thousands of companies and government agencies that advertise job openings on their Web sites. To get a sense of the number of references to jobs, try a simple request for "jobs" on the Google search engine -- it reports over 18 million results. A search for "computer security jobs" produces over 926,000 results.

Could your own organization’s security be threatened by excessive detail in your own job listings on the Web? According to Jay Krasnow, your Web site could be providing a bit too much information for your own good.

Krasnow reported on the master’s thesis he wrote in the Communications, Culture and Technology Program at Georgetown University concerning competitive intelligence (CI) from job listings on the Web. He presented his work in the student-paper session at the 23rd National Information Systems Security Conference organized by the National Institute of Standards and Technology and the National Computer Security Center of the National Security Agency. Krasnow won an award for best student paper for his presentation. ("The competitive intelligence and national security threat from Website job listings". Proceedings of the 23rd National Information Systems Security Conference: 433.)

His literature search found many reports on CI -- which reach back several thousand years -- and some on CI from job listings, some on CI from the Web, but little on CI from Web-based job listings. He collected about 300 job listings during a one-week period from the Web sites of three unnamed companies with Department of Defense contracts. His textual analysis used 14 criteria for evaluating the disclosure of sensitive information. The top 3 criteria that occurred widely in the sample were:

* Disclosure of a security-clearance or U.S.-citizenship requirement.

* Requirement for a technical degree.

* Identification of the corporate team or division completing the particular project for which additional employees are required.

The author recommended that organizations:

* Raise manager awareness of the security implications of job listings.

* Have departmental managers review ads for postings in their sectors.

* Omit the specific name or the department of the prospective employer.

I think it is appropriate for security and network managers to examine the job listings on your own Web sites to see if there’s perhaps a bit too much information being given to anyone who wants it. Is it necessary, to take but one example, to specify the precise network operating system and its revision in the advertisement? Do you need to specify the number of nodes, the types of processors, the network protocols, the kinds of routers and the types of gateways in your network?

Yes, the information provides a basis for refining the stream of candidates. Yes, security through obscurity cannot compensate for bad technical security or even for poor security awareness, training and education.

On the other hand, this amount of detail makes it easy for criminals to engage in social engineering by sounding as if they are already insiders when they call vulnerable staff to winkle out interesting bits of information such as account passwords. For example, seeing how an organization defines its e-mail addresses (such as: first_initial CONCATENATE last_name"@org_name.domain") makes it easy to guess logon IDs, which is a step towards getting the password by claiming to have forgotten it.

For the same reason -- making social engineering more difficult -- a second category of information that might prudently be kept for later stages in the job interview funnel is the names, titles, phone numbers and faxes for high-ranking managers in the company who will be involved in interviews and candidate selection. In addition, the amount of detail in the "About Us" section of the corporate Web site should be reviewed for its security implications.

» posted by ITworld staff

Network World

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine