02.23.08

Job Ad mentions Cisco Routers…. OH NO!

Posted in IT, Security at 1:21 am by Tyler Reguly

Brian Krebs has an interesting article up over on SecurityFix.  Entitled, "How Not to Write a 'Geek Wanted' Ad", it discusses companies that identify the hardware / software running within their infrastructure and how this is a bad idea. Now before I disagree entirely with the article, I do want to preface it by saying that I'm a huge fan of SecurityFix and the majority of the articles that Brian writes.

My issue with Brian's posture is that, I think, it's going a step too far. How do we decide what is and isn't useful information to a 'malicious individual'? Let's think of some of the other things that we could withhold. How about contact information? These could be used for a unique social engineering attempt or even just run-of-the-mill spam/phishing. The same reason could apply to withholding the HR contact's name or even the company name. You do see some job postings with this information missing, just as you see some job postings with job-related equipment missing.

Now in the example that Brian mentioned a few things were mentioned: Cisco PIX, Cisco IOS, Norton and McAfee AV, Network Associates packet sniffer. In the end does it matter if an attacker is aware of these? Not really... there are fingerprinting tools available, nmap is a great example, which will attempt to identify what OS is running on a device. A Cisco router or PIX will be easily identified. The AV doesn't matter... not in the long run... the odds of it being exposed outside of the corporate network are minimal, meaning outside attackers aren't going to reach it, and someone who's already inside will know what they are looking at. The exception there would be email AV, however they've listed the two most common AV engines available... the odds are pretty good that the company is using one of those anyways. Lastly, the packet sniffer... who cares? It's not going to be running all the time, only to diagnose problems... and if you have access to it, again you probably already have access to the internal network.

If there is any benefit to an attacker from this information... I'd say that it's pretty minimal... definitely less than a 1% increase to the chance of a successful attack occurring. Companies have identified for years that sys admins require experience with Windows, Linux or OS X (depending on the environment), so why is this any different?

Now let's look at the benefit to the company...  The hiring process is expensive... that's why hiring agencies, head hunters and websites like NotchUp exist. Providing as many details as possible in the initial job ad seems like a smart idea to me. I'm not in HR but it seems logical that if I post my requirements, fewer people that don't have the requirements will apply. Let's take Mr. X, for example, and say he was looking at the job mentioned at SecurityFix. Mr. X was previously a Windows Network Administrator and had Nortel Routers... he's never performed packet captures and they had Trend Micro... immediately he knows that he's got the right generic skill set (if they had said routers and AV he may have already been sending his resume)... but he realizes he needs to improve his skills in a few areas before applying. This saves both Mr. X and the company's HR department time and, at least in the company's case, money.

I think that today we're too afraid that every little bit of information gives a malicious individual an edge. We have to remember that the edge it gives them needs to be significant before it really starts to matter. Disclosing some information related to your internal infrastructure in a job posting isn't the end of the world... in the grand scheme of things it's so minimal that it's basically nothing. Brian, while you usually write some great stuff... this time you missed the net by quite a bit.