Job listings and security
There are many thousands of companies and government agencies that advertise job openings on their Web sites. To get a sense of the number of references to jobs, try a simple request for "jobs" on the Google search engine -- it reports over 18 million results. A search for "computer security jobs" produces over 926,000 results.
Could your own organization’s security be threatened by excessive detail in your own job listings on the Web? According to Jay Krasnow, your Web site could be providing a bit too much information for your own good.
Krasnow reported on the master’s thesis he wrote in the Communications, Culture and Technology Program at Georgetown University concerning competitive intelligence (CI) from job listings on the Web. He presented his work in the student-paper session at the 23rd National Information Systems Security Conference organized by the National Institute of Standards and Technology and the National Computer Security Center of the National Security Agency. Krasnow won an award for best student paper for his presentation. ("The competitive intelligence and national security threat from Website job listings". Proceedings of the 23rd National Information Systems Security Conference: 433.)
His literature search found many reports on CI -- which reach back several thousand years -- and some on CI from job listings, some on CI from the Web, but little on CI from Web-based job listings. He collected about 300 job listings during a one-week period from the Web sites of three unnamed companies with Department of Defense contracts. His textual analysis used 14 criteria for evaluating the disclosure of sensitive information. The top 3 criteria that occurred widely in the sample were:
* Disclosure of a security-clearance or U.S.-citizenship requirement.
* Requirement for a technical degree.
* Identification of the corporate team or division completing the particular project for which additional employees are required.
The author recommended that organizations:
* Raise manager awareness of the security implications of job listings.
* Have departmental managers review ads for postings in their sectors.
* Omit the specific name or the department of the prospective employer.
I think it is appropriate for security and network managers to examine the job listings on your own Web sites to see if there’s perhaps a bit too much information being given to anyone who wants it. Is it necessary, to take but one example, to specify the precise network operating system and its revision in the advertisement? Do you need to specify the number of nodes, the types of processors, the network protocols, the kinds of routers and the types of gateways in your network?
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
