Saturday, December 15, 2007

The Employment Vulnerability, part 2

We all know TJX was irresponsible with customer data, but what can we determine through the Employment Vulnerability?  I got a call from a headhunter in mid-2006, the call was the beginning of an interesting story.

In mid-2006 a recruiter called and asked if I would be interested in a position as a Security Analyst; intrigued, I asked for details. After an exchange of emails, the recruiter told me that the position was with TJX, they were forming an information security team. That's right, over a year and a half ago TJX was starting to think about forming a team dedicated to information security. Then, as is often the case with recruiters, nothing- no more emails or phone calls. I shrugged and went on with life. 

I was a bit surprised when the same recruiter called me early this year and asked if I was still be interested in the position we had discussed last year. The recruiter said TJX had dropped the search last summer, but were suddenly renewing the Security Operations Center project in earnest and wanted to place people quickly. More out of curiosity than a desire to join TJX, I agreed to a phone interview a few days later.  Just minutes before the scheduled interview, I received a call from the recruiter who apologetically asked if we could reschedule the phone interview for later in the week because something was going on at TJX and they couldn't do the interview that afternoon.  Moments later, my newsgroups and email newsletters were telling the tale of the TJX data breach.

We did reschedule the phone interview, it went well- but nothing came of it.  The manager who conducted the interview was understandably reluctant to provide details about the internal situation, but it sure sounded like he had spent the week screaming "I told you so".  Maybe that was just my imagination, but I did sense more than a little frustration with senior management in his comments during the interview.  TJX outsourced all of their incident response and did not assemble an in-house security team.  Still curious about TJX's handling of the fiasco, I went to the TJX careers site and found several positions listed.  Their "job codes" consist of the two-digit year and a sequential listing number, and there were a handful of 06-low number listings for IT and Information Security positions- confirmation that the positions had been unfilled for almost a year. 

This fall TJX finally resumed the quest, they are seeking an IT Security Architecture Manager.  Bill Brenner wrote about this in the Security Bytes blog back in October and the position is still open.  Part of the job description includes:

"Responsible for developing and documenting a comprehensive information security architecture"

Developing a security architecture?  What a great idea!  It seems a bit late to roll out that idea, but maybe they don't want to rush into things.  I can't imagine why this position remains unfilled.  I wonder if TJX is still dragging their feet, or if they can't get any qualified takers.  Either one seems likely.

Back to the "employment vulnerability", I learned that TJX knew they needed to do something about security, but weren't concerned enough to do anything until it was too late- and even then they didn't build a team.  I also learned that upper management wasn't listening to their own employees about the problem.  We also know that they are advertising for a key position, but haven't found anyone in months.  And that some of the tasks which will fall on the shoulders of the new manager should have been done years ago.  While this doesn't compare to the data breach that got (and keeps) TJX in the news, it is another form of data leakage which doesn't look good for the company.



The Employment Vulnerability

Here's a dirty little secret: There are few areas where security and privacy are intentionally compromised more than in the recruiting and hiring process.

You've probably seen it yourself, job seekers give up personal information they wouldn't imagine sharing publicly- but no one really knows what safeguards a prospective employer has in place. Will those resumes and applications (and maybe background and credit checks) end up unshredded in a dumpster someday? Job seekers don't dare call employers on issues, because they want a job. A "security" company uses ChoicePoint for background screening; candidates submit to this because they want the position, but it taints their opinion of the company forever- and may compromise their confidential information.

The employers are not any better, they lower their shields and leak information profusely during the process.

Think about what you might see when you go for an interview:
  • The type and installation of physical locks and barriers.
  • Hmm, the card readers are screwed to the door with standard screws, not tamper proof ones.
  • The presence of guards, greeters and cameras- and their blind spots.
  • Does everyone have ID? Do guests (applicants)? Does anyone check them?
  • Are there public spaces?
  • Brands and models of computer and network hardware in use, probably some of the software, too.
  • Presence of wireless networks.
    • Are those "enterprise" Linksys WRT54Gs!?
    • Did I leave Kismet running on my PDA?
  • Doors propped open for the "smoker's lounge" (back door).
  • Did the recruiter really just hit enter to wake up his machine?
    • No passwords on a machine accessing candidate data?
  • And much more...

Then the interview starts and you are grilled on specific knowledge and general attitudes. Those aren't just random questions, they are specific answers, too. Those questions are answers about their systems, infrastructure, and policies. They won't ask about your knowledge of NT 4.0 unless they are still using it.

From the employer's perspective, when you interview someone you know that you have to expose at least a few details about:

  • Internal systems and network architecture.
  • Products, versions and systems in use.
  • Staffing levels, workloads and distribution of duties.
  • Hours of operation and coverage

Even advertisements give away information; "experience with Oracle mandatory" or "CCNP or CCIE preferred" could give someone a pretty good idea what plugins to load in their arsenal of attack (er, testing) tools.

Don't look down here for any real answers to the issues mentioned above, they are largely unavoidable. Improved awareness is probably the best way to address the Employment Vulnerability. Employers can be a little more careful vetting candidates before revealing too many sensitive details, and candidates can limit the amount of information they post publicly on job boards and other public forums- but to get the right person in the right position, information has to flow candidly.


Monday, December 3, 2007


OK, so I've been more lax than usual in my blogging- I've been a bit preoccupied. I am leaving my employer of 22 years, 4 months and 4 days (not that I'm counting) and starting in a new position shortly. I will be joining Astaro Corporation later this month as an Support Engineer.

As much as I will miss my friends at my current job, I am really looking forward to joining the team at Astaro.