Job Posting Scams — Part 2

S.L., published in cybernoob, Jan 3, 2021

Note: This is for educational purposes only. Please do not attempt any harm to anyone.

Last week we looked at job posting scams from the job seeker's point of view and the tactics they need to watch for. This week I will look at the same problem from the employer's side.

Employers also need to think about attackers when they post jobs and run interviews. What can an attacker do with a job posting or an interview? A posting often contains detailed information about the environment, and to a potential attacker it can look like a gold mine. (I won't name the employer or the location.)

Below is a screenshot of a job listing. Most of the information in it is fine, but it has no need to list specific brands, models, and versions of hardware and software.

[Screenshot of job posting]

Why should a posting leave out specifications and stay as broad as possible? A few pointers:

  • Job postings usually stay up for a month or longer. For all that time the posting hands free information to any potential attacker.
  • Listing models tells potential attackers exactly what to look for. Anyone can search online to see whether that series is current and still supported, and look up the known vulnerabilities for it. An attacker who is then invited to interview arrives already knowing what to target.
  • Not visible in the screenshot, but the same posting also showed that the company runs Windows 7. Wording should stay as general as possible, since anyone can simply search for Windows 7 exploits, and there are many: Microsoft ended support for Windows 7 in January 2020.

What can you do? Limit the information in the posting. Then work with HR on a list of verbal questions about the candidate's technical background, and give HR the specifics you removed from the posting. For example, HR can ask, "Which Cisco products have you managed?" If the candidate names several of the models on HR's list, on their resume or in a phone interview, the candidate can be passed on to the next round.

Why should companies be careful with interviewees? What can an attacker do with the information once they are on site?

  • Combined with the intelligence from the job posting and some pen-testing experience, they can survey your Wi-Fi from outside and test whether it is secure before they ever enter the building.
  • If they are selected for an on-site interview, the physical controls described last week apply. Interviewees should only go where they need to be and have no access anywhere else; security or reception should escort them so they don't wander.
  • Network connections in interview rooms should be on a separate network or otherwise secured (for example on a guest VLAN, or with unused ports disabled). An attacker could easily plug something in while unsupervised, for example while waiting for the interviewers.

As a security analyst, I would recommend removing all models, series, and brands from the posting and generalizing as much as possible. The street address should be omitted; city and state are all that is needed. This makes a social engineer's job harder, even if only by a small margin. Give human resources the list of hardware brands, models, and versions so they can judge candidates from phone interviews and resumes instead. These recommendations won't remove every vulnerability, but they reduce the attack surface.
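To make that recommendation concrete, here is an added example of a pre-publication check a security team could run over a draft posting. It is my own code, not code from the original post or the employer it describes. It assumes a constructed sample posting and a small, illustrative list of vendor names, model-number patterns and end-of-support dates (Windows XP, Windows 7, Windows Server 2008 R2 and Exchange 2010, using Microsoft's published dates); extend the lists for your own environment. It flags every specific an attacker could search for, rewrites the posting with generic placeholders, and produces the list of specifics for HR to use in verbal screening instead of publishing them.

```python
import re
from datetime import date
from typing import Dict, List

# Constructed sample posting for this example (the post withholds the real
# employer, location and wording). Every detail in it is made up.
SAMPLE_POSTING = """\
Network Administrator - Springfield, IL
Office: 123 Main Street, Springfield, IL
Manage our Cisco Catalyst 2960 and Catalyst 3750 switch stack and the ASA 5505
firewall. Maintain 40 Windows 7 desktops and two Windows Server 2008 R2 domain
controllers, and support Exchange 2010. Experience with IOS 12.2 required.
"""

# Products whose support status anyone can look up. Dates are Microsoft's
# published end-of-extended-support dates; the list is illustrative only.
END_OF_SUPPORT = {
    r"\bWindows XP\b": date(2014, 4, 8),
    r"\bWindows 7\b": date(2020, 1, 14),
    r"\bWindows Server 2008(?: R2)?\b": date(2020, 1, 14),
    r"\bExchange(?: Server)? 2010\b": date(2020, 10, 13),
}

# Illustrative patterns (assumptions for this example): vendor names, common
# network model numbers, exact version strings and US-style street addresses.
VENDOR_TERMS = ["Cisco", "Juniper", "Fortinet", "Palo Alto", "VMware", "Aruba"]
MODEL_RE = re.compile(r"\b(?:Catalyst|ASA|Nexus|ISR|SRX|ProCurve)\s?\d{3,4}[A-Za-z-]*\b")
VERSION_RE = re.compile(r"\b(?:[A-Z][A-Za-z]*\s+)?v?\d+\.\d+(?:\.\d+)*\b")
STREET_RE = re.compile(
    r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+)+"
    r"(?:Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd|Drive|Dr)\b\.?"
)

# The "broad" wording that replaces each kind of leak in the public posting.
PLACEHOLDER = {
    "end_of_support": "[enterprise OS/application]",
    "model": "[enterprise network hardware]",
    "version": "[current release]",
    "address": "[city and state only]",
    "vendor": "[major vendor]",
}


def _add(findings: List[Dict], category: str, m: "re.Match", note: str) -> None:
    findings.append({"category": category, "match": m.group(0),
                     "span": m.span(), "note": note})


def audit_posting(text: str, today: date = date(2021, 1, 3)) -> List[Dict]:
    """Return every specific an attacker could act on, with where it sits.
    `today` defaults to the post's publication date so results are stable."""
    findings: List[Dict] = []
    for pattern, eol in END_OF_SUPPORT.items():
        for m in re.finditer(pattern, text):
            note = (f"unsupported since {eol.isoformat()}" if eol <= today
                    else f"support ends {eol.isoformat()}")
            _add(findings, "end_of_support", m, note)
    for m in MODEL_RE.finditer(text):
        _add(findings, "model", m, "searchable model number")
    for m in VERSION_RE.finditer(text):
        _add(findings, "version", m, "exact version string")
    for m in STREET_RE.finditer(text):
        _add(findings, "address", m, "street address; keep city and state only")
    for term in VENDOR_TERMS:
        for m in re.finditer(r"\b%s\b" % re.escape(term), text):
            _add(findings, "vendor", m, "vendor name")
    return findings


def redact_posting(text: str, findings: List[Dict]) -> str:
    """Replace each flagged span with its generic placeholder. When two spans
    overlap, the one that starts first (longest at that start) wins."""
    ordered = sorted(findings, key=lambda f: (f["span"][0], -f["span"][1]))
    out, cursor = [], 0
    for f in ordered:
        start, end = f["span"]
        if start < cursor:          # nested inside a span already replaced
            continue
        out.append(text[cursor:start])
        out.append(PLACEHOLDER[f["category"]])
        cursor = end
    out.append(text[cursor:])
    return "".join(out)


def hr_checklist(findings: List[Dict]) -> List[str]:
    """The specifics removed from the public posting, for HR to probe verbally
    ("which Cisco products have you managed?") rather than publish."""
    return sorted({f["match"] for f in findings if f["category"] != "address"})


if __name__ == "__main__":
    found = audit_posting(SAMPLE_POSTING)
    for f in found:
        print(f"{f['category']:15} {f['match']!r:28} {f['note']}")
    print("\n--- redacted posting ---\n" + redact_posting(SAMPLE_POSTING, found))
    print("--- HR screening list ---", *hr_checklist(found), sep="\n")
```

The patterns are deliberately simple regular expressions and will miss any product, vendor or address format not on the lists, so treat the output as a review aid for whoever approves the posting, not as an automatic approval. The redacted text keeps "Springfield, IL" and drops the street, models, versions and vendor, which is exactly the level of detail a candidate needs and an attacker cannot do much with.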
