ForHacSec

In today’s employment environment everyone is fighting to be the best and stand out from the crowd when it comes to getting that next career break no matter how big or small. Maybe it’s a voluntary move with no pressure from where you are currently and you’re able to browse the market to find the shoe that fits and make it work best for you when it comes to flexibility, location and ‘perks of the job’. Or you mite be one of the many folk who are in the unfortunate position of having to jump from a sinking ship either voluntarily or with a little nudge.

In this environment it seems to becoming an ever popular choice to not only apply for new jobs, contact recruiters in the chosen fields and to keep in touch with old friends elsewhere within industry but to also keep the CV equivalent of Facebook up to date. LinkedIn.

LinkedIn is a great tool to offer the professional ‘you’ to business acquaintances and enable you to keep that professional distance with clients, colleagues as well as past, present and hopefully future employers.

In the cut throat world of job hunting and recruitment are we becoming too at ease with the information we divulge when it comes to our skills and  experience on our online ‘CV’s’?

It may be one thing to detail experience of for example supporting/implementing/configuring/managing whatever you want to call it for an IPS or IDS but is it really necessary to detail how many devices their are in your current employers organisation, the firmware versions on the devices which you support and other technical details which may aide both a compromise on a system or a footprint being built by a third party in an attempt to assist in an organisational takeover or in a third party gaining specific relevant information when putting forward for a tender or bid for outsourcing?

By having employees publicly advertise things such as –

• Number of end users within your organisation
• Size of your infrastructure or server environment
• Amount of remote sites supported
• Clients of the organisation
• Infrastructure life-cycle
• Hardware & software assets
• Current and future planned projects
• Patches and fixes applied
• Internal and external facing network and infrastructure configurations
• Server farm and data centre sizes and locations
• In-house applications published and supported
• End-point hardware solutions and manufactures
• End-point security applications and version numbers
• Disaster recovery practices, processes and methodologies
• Infrastructure hardware manufactures, models and firmware versions

Can all aide in friends and foe having information which they mite not have unless they’re a ‘trusted authorised employee’ or an external contractor or consultant who has signed the relevant None Disclouse Agreement or Trusted Third Party Agreement.

Yes many organisations run the likes of ‘Microsoft Windows Server 2008′. That can be anticipated. However by going into details such as the above aforementioned list can give a third party just that bit more information they wouldn’t have had any other way which could aide them to tailor their approach (Attacker or business proposition) that bit further which may turn things in their favour and provide them with an unfair competitive advantage either against you, your organisation or there own competitors in their own markets.

Likewise an employee detailing they provide implementation and support for IPS, IDS and Cisco ASA is pretty harmless, however as soon as one goes into great detail stating how many of each manufactures’ devices they support, stating which firmware and software version and perhaps even update revisions (Given that not every organisation has a prompt and responsive patching and security fix policy) this can provide that extra nugget of detail for someone carrying out thorough foot printing analysis of an organisations vulnerabilities.

It’s one thing detailing it an application form to a human resources department or recruiter or even using it as an example to an interview panel. However it’s another thing entirely detailing a bullet pointed list of your organisations intellectual property, strengths and vulnerabilities on what essentially is a professional social networking site.

If someone is advertising their existing employers assets to make that next career step surely they’ll do the same when they feel they need to take another step in the future from and to another organisation.

Everyone wants to be better and get that career break in life and prove themselves. However being that bit vague can often work in someone’s favour making a recruiter or potential future employer more intrigued and wanting to explore your skills and experience face to face at interview at which point you can really sell yourself displaying your personality and that vital face-to-face positive first impression.