Saturday, December 15, 2007

The Employment Vulnerability

Here's a dirty little secret: There are few areas where security and privacy are intentionally compromised more than in the recruiting and hiring process.

You've probably seen it yourself: job seekers give up personal information they wouldn't dream of sharing publicly, yet no one really knows what safeguards a prospective employer has in place. Will those resumes and applications (and maybe background and credit checks) end up unshredded in a dumpster someday? Job seekers don't dare call employers on these issues, because they want the job. A "security" company uses ChoicePoint (the data broker whose 2005 breach exposed consumers' records) for background screening; candidates submit to this because they want the position, but it taints their opinion of the company forever, and it may compromise their confidential information.

The employers are no better: they lower their shields and leak information profusely during the process.

Think about what you might see when you go for an interview:
  • The type and installation of physical locks and barriers.
  • Hmm, the card readers are screwed to the door with standard screws, not tamper proof ones.
  • The presence of guards, greeters and cameras, and their blind spots.
  • Does everyone have ID? Do guests (applicants)? Does anyone check them?
  • Are there public spaces?
  • Brands and models of computer and network hardware in use, probably some of the software, too.
  • Presence of wireless networks.
    • Are those "enterprise" Linksys WRT54Gs!?
    • Did I leave Kismet running on my PDA?
  • Doors propped open for the "smoker's lounge" (back door).
  • Did the recruiter really just hit enter to wake up his machine?
    • No passwords on a machine accessing candidate data?
  • And much more...

Then the interview starts and you are grilled on specific knowledge and general attitudes. Those aren't random questions; each one is also an answer, about their systems, infrastructure and policies. They won't ask about your knowledge of NT 4.0 unless they are still running it.

From the employer's perspective, when you interview someone you know that you have to expose at least a few details about:

  • Internal systems and network architecture.
  • Products, versions and systems in use.
  • Staffing levels, workloads and distribution of duties.
  • Hours of operation and coverage.

Even advertisements give away information. "Experience with Oracle mandatory" or "CCNP or CCIE preferred" gives someone a pretty good idea what plugins to load in their arsenal of attack (er, testing) tools, and it does so before anyone has set foot in the building.
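To show how little work that inference takes, here is an added example (not from the original post, and not any employer's real advertisement): a few constructed job postings are run through a small signal table that maps product names, version numbers and certifications back to a vendor, and each vendor found is mapped to the well-known default services a tester would check first. The postings, the regex table and the focus list are all assumptions built for illustration.

```python
"""Added example: mine job advertisements for the technology stack they reveal.

The postings and the signal table are constructed for illustration; they are
not taken from any real employer or advertisement.
"""
import re
from collections import defaultdict

# Constructed sample postings (hypothetical text, not real advertisements).
POSTINGS = [
    "Senior DBA wanted. Experience with Oracle 10g mandatory; Solaris 10 a plus.",
    "Network engineer: CCNP or CCIE preferred. Support Cisco Catalyst switches; "
    "24x7 on-call rotation.",
    "Sysadmin: Windows Server 2003, Exchange 2003; a few legacy NT 4.0 boxes remain.",
]

# Hypothetical signal table: (compiled regex, area, label, kind).
# Group 1, where a regex has one and it matches, captures a version token.
SIGNALS = [
    (re.compile(r"\boracle\b(?:\s+(\d+g?))?", re.I), "Oracle", "Oracle Database", "product"),
    (re.compile(r"\bsolaris\b(?:\s+(\d+))?", re.I), "Sun", "Solaris", "product"),
    (re.compile(r"\bcc(?:na|np|ie)\b", re.I), "Cisco", "Cisco certification", "certification"),
    (re.compile(r"\bcisco\b", re.I), "Cisco", "Cisco networking", "product"),
    (re.compile(r"\bcatalyst\b", re.I), "Cisco", "Catalyst switches", "product"),
    (re.compile(r"\bwindows\s+server\s+(\d{4})\b", re.I), "Microsoft", "Windows Server", "product"),
    (re.compile(r"\bexchange\s+(\d{4})\b", re.I), "Microsoft", "Exchange", "product"),
    (re.compile(r"\bNT\s+(4\.0)\b"), "Microsoft", "Windows NT", "product"),
    (re.compile(r"\b24\s*x\s*7\b", re.I), "Operations", "24x7 coverage", "operations"),
]

# Hypothetical reconnaissance focus per area, built from each vendor's well-known
# default services; this is where the "which plugins to load" decision lands.
FOCUS = {
    "Oracle": ["TNS listener (TCP 1521 by default)", "default database accounts"],
    "Cisco": ["SNMP (UDP 161)", "Telnet/SSH management interfaces"],
    "Microsoft": [
        "SMB (TCP 445)",
        "LDAP (TCP 389) and Kerberos (TCP 88)",
        "Outlook Web Access and SMTP (TCP 25)",
    ],
    "Sun": ["RPC portmapper (TCP 111)", "Telnet/SSH"],
}


def profile_postings(postings):
    """Return {area: {"products": [...], "specifics": [...], "certs": [...]}} from ad text."""
    profile = defaultdict(lambda: {"products": set(), "specifics": set(), "certs": set()})
    for text in postings:
        for pattern, area, label, kind in SIGNALS:
            for match in pattern.finditer(text):
                entry = profile[area]
                if kind == "certification":
                    # A cert requirement is a strong hint about the vendor in use.
                    entry["certs"].add(match.group(0).upper())
                    continue
                entry["products"].add(label)
                detail = match.group(1) if pattern.groups else None
                if detail:
                    # Versions are the most valuable leak: they date the estate.
                    entry["specifics"].add(f"{label} {detail}")
    # Sorted lists make the result deterministic and easy to compare.
    return {area: {k: sorted(v) for k, v in fields.items()} for area, fields in profile.items()}


def focus_areas(profile):
    """Map each vendor seen in the postings to the services worth checking first."""
    return {area: FOCUS[area] for area in profile if area in FOCUS}


if __name__ == "__main__":
    found = profile_postings(POSTINGS)
    for area, fields in sorted(found.items()):
        print(area, fields)
    for area, checks in sorted(focus_areas(found).items()):
        print(f"{area}: {', '.join(checks)}")
```

The point of the exercise is the specifics list: "Windows NT 4.0" and "Exchange 2003" in an ad tell an outsider not just what is running but roughly how old it is, which is exactly the detail the advertisement did not need to publish to find a qualified candidate.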

Don't look down here for any real answers to the issues mentioned above; they are largely unavoidable. Improved awareness is probably the best way to address the Employment Vulnerability. Employers can be a little more careful about what they reveal and when: describe roles in advertisements in terms of skills rather than exact products and versions, hold architecture specifics for later rounds after the candidate has been vetted, escort applicants and keep them out of work areas, and treat resumes and background checks like any other sensitive personal data, with locked screens, limited access and a retention and shredding schedule. Candidates can limit the amount of information they post publicly on job boards and other public forums, but to get the right person in the right position, information has to flow candidly.