Don’t Give the Game Away
22 November 2017
Another week gone by; another cyber attack announced.
With the inevitable focus on security appliances and solutions in the aftermath of such a breach, the less technical considerations often get ignored. Seemingly benign day-to-day company actions often unintentionally provide significant detail about the company’s security and highlight potential weaknesses to adversaries.
A good example of this is a company’s job advertisements. These offer many insights into the internal technologies used, as well as security gaps.
So a job advertisement for a cyber security leader that lingers online for months is an inadvertent notice that an organisation’s security capabilities have been vulnerable for a period of time. Likewise, an advertisement seeking an expert in a specific technology is an inadvertent notice that an attack involving this technology may well be successful.
While sometimes unavoidable, families, businesses and those that lead them need to take a greater interest in not only the recruitment challenges facing a family or business, but also how this is being highlighted in the public domain. The following three steps will go some way to address this.
- Ensure advertisements are vetted for unnecessary disclosure of internal information. Understand where a job advertisement will be displayed and what it would tell the public about the internal state of the company.
- Ensure there is an internal social media guide in place for employees when promoting job openings involving sensitive roles. A cyber security job role shared by an employee in a Twitter or Facebook post may be just the detail an adversary needs to carry out a social engineering attack with added legitimacy.
- Ensure that appropriate vetting is in place prior to interviewing a candidate on site. Additionally, ensure detailed company knowledge is not shared before a level of trust is built. Competitors or adversaries may use such a job opening as a way of probing for more information.
Ultimately, detailed investigation of the public domain and collection of tidbits that will aid a targeted cyber attack is the hallmark of a capable cyber-criminal. Crippling and obstructing that effort is likely to discourage the attacker from continuing to target you.