Don’t Give the Game Away

22 November 2017

Another week gone by; another cyber attack announced.

With the inevitable focus on security appliances and solutions in the aftermath of such a breach, the less technical considerations often get ignored. Seemingly benign day-to-day company actions often unintentionally provide significant detail about the company’s security and highlight potential weaknesses to adversaries.

A good example of this is a company’s job advertisements. These offer many insights into the internal technologies used, as well as security gaps.

So a job advertisement for a cyber security leader that lingers online for months is an inadvertent notice that an organisation’s security capabilities have been vulnerable for a period of time. Likewise, an advertisement seeking an expert in a specific technology is an inadvertent notice that an attack involving this technology may well be successful.

While such disclosure is sometimes unavoidable, families, businesses and those that lead them need to take a greater interest not only in the recruitment challenges facing a family or business, but also in how these are being highlighted in the public domain. The following three steps will go some way to address this.

  1. Ensure advertisements are vetted for unnecessary disclosure of internal information. Understand where a job advertisement will be displayed and what it would tell the public about the internal state of the company.
  2. Ensure there is an internal social media guide in place for employees when promoting job openings involving sensitive roles. A cyber security job role shared by an employee in a Twitter or Facebook post may just be the detail an adversary needs to carry out a social engineering attack with added legitimacy.
  3. Ensure that appropriate vetting is in place prior to interviewing a candidate on site. Additionally, ensure detailed company knowledge is not shared before a level of trust is built. Competitors or adversaries may just use such a job opening as a way of probing for more information.  

Ultimately, detailed investigation of the public domain and collection of tidbits that will aid a targeted cyber attack is the hallmark of a capable cyber-criminal. Crippling and obstructing that effort is likely to discourage the attacker from continuing to target you.

About the Author

Shlomie Liberow

Consultant, Cyber

Shlomie helps clients react rapidly to cyber threats by developing speedy technical solutions to help defend reputation and protect privacy.
