Attackers Love Your Organization's HR Department

Sunday, June 19, 2011

Boris Sverdlik


With all the available talent on the market, companies use every available resource in their recruiting practices.

They hire third party recruiters, post job listings on LinkedIn, Dice, Monster and numerous other places. While this will bring in a plethora of qualified candidates, this practice also provides attackers a wealth of information in their reconnaissance efforts.

This leads back to the piece I wrote on Data loss protection, that surmised discusses caveats that DLP solutions do not address.

The typical job posting today, specifically for security positions include almost every single technology that your organization has in use. A dedicated attacker will typically have premium level accounts every major job board for this very purpose. 

I say dedicated because attackers don’t typically run “scripts” blindly against their targets without enough knowledge beforehand. While I won’t be discussing criminal attack methodologies, they are similar to the methodologies we use as penetration testers.

An attack consists of several steps, with reconnaissance being the absolute first. You want to use every available resource to gather as much information about your target, prior to sending a packet or attempting to walk in. 

I recently posted a job description that had been sent to me by a 3rd party recruiter.  Although I haven’t looked for this position, I’m fairly certain it’s posted in multiple places with the companies’ name. 

Let’s go through and look at why this information would be valuable to an attacker:

  • Vulnerability Scanning (Qualys): Interesting, we know what they use for vulnerability scanning. We can easily research any known shortcomings of the product and compile a good list of vulnerabilities, which the product doesn’t discover
  • Data Leakage Prevention (Symantec): Nothing much here as out of the box there are tons of policies which might be in use. Note for later, as we might be able to gather more
  • Log Management (Log Logic, Snare): Wait, they are using Snare, presumably for their windows servers. Great TCP/6161 default listener, potential target
  • Antivirus (MacAfee): Nothing much here from this description, save for later. (Notice Spelling, someone used spellcheck. Lol)
  • End-point security (MacAfee HIPS): Ok, AV/HIPS both McAffee. Note for later, possibly unified client. Something to consider for your directed social engineering attacks
  • Web Proxy/Content Filtering (Bluecoat, Web sense): I just felt a slight tingle. We know what they are using for the web access proxy. Maybe, they have some reverse proxies we can target later.  Wait, we know what they are using for content filtering. Lets make sure to check any funny URLS we send against the “known bad list”. Obviously most organizations customize the filters, but the standard Hacking, Porn, Malware, Gambling and such are a standard for blockage
  • Network Access Control (Cisco, McAfee, 802.1 xs): Ok so more than likely I’m (hopefully) not going to be able to plug in within a shared area. I’ll still try...
  • Active Directory: Standard, but we do know that older versions of BlueCoat don’t handle LDAPS real well. Maybe we can grab some credentials over the wire. Ok.
  • PKI, Radius: Not sure why they are clumped together, but we’ll look at it later
  • RSA SecureID: I’m hoping I don’t have to say anything here
  • Strong experience in Windows and *nix environments (Windows XP, 7, 2003, 2008, Solaris, SUSE Linux Enterprise Server, AIX): Too general to mean much. Note for later
  • Familiarity with most major TCP/IP application protocols (DNS, DHCP, SMTP, HTTP, BGP, LDAP, IMAP, SSH, FTP, KRB5, DHCP, CIFS): Hmm… BGP, possibly two ISPs and 2 points of attack.  FTP? Really.. Cool.. Come on Bounce with me (If you don't get the joke don't ask).

Are you having fun yet? What do you mean your not? Ok, I’ll let you in on why this information is a valuable resource. You have listed this job spec for a reason; you have a spot to fill.

How did that spot come to be? Did your neglected security guy just walk out on you? He must of, or your job spec wouldn’t of had so much wonderful info in it. How do you think he found his new job? Maybe he posted his resume on the same job board? Maybe he didn’t, he might of used another one. Remember, a dedicated attacker will use multiple sources.

Obviously for purposes of this article, I’m not going to include the company name but a quick search through a major job board, was able to provide more details on the key requirements listed above. Isn’t this fun?

Outside of the scope of this article as this is not a how-to (there are enough how-to guides to recon already available) is another fun fact. IT guys love to ask questions on forums, and most of the time use their company e-mail address. Get where I’m going? A DLP solution off the shelf will not prevent this, nor is it expected to as part of the normal business requirements.

This information might not be as sensitive as IP, PII or M&A data, but it should still be handled with due diligence. A job posting should be as generic as possible, when it comes to technologies in use.

Use third party recruiters who require NDAs prior to releasing the name of the organization. Have your information security officer review contracts with recruiters and job boards. This will not by any means stop a dedicated attacker from gathering the information he or she needs. It will however make it slightly more difficult.

Cross-posted from Jaded Security

Possibly Related Articles:
Information Security
Social Engineering Data Loss Prevention Attacks Intelligence Human Resources Reconnaissance
Post Rating I Like this!
Allan Pratt, MBA As someone who works for one of the most respected vulnerability management companies, I wholeheartedly agree with your post, Boris, and this could be a way to get new customers.
Teresa Hessler Great article Boris! I'm sharing this on LinkedIn.
Anup Shetty good stuff.. have seen posts that put out expertise required in specific version of the product.
Boris Sverdlik Thank you all for reading.. Teresa, I'm actually working on a piece regarding Linkedin.. stay tuned..
JT Edwards Dude you so lifted that job post off the TechExams forums LOL

"This will not by any means stop a dedicated attacker from gathering the information he or she needs. It will however make it slightly more difficult."

So is it worth the hassle of wading though all the trash resumes you will get just to make an attackers job "slightly more difficult"? I agree that less information is probably better. But "job posting should be as generic as possible" will still mean you list technologies in use or your resume pool gets unmanageable.

The point this article does raise is that layer 8 is what is going to kick the butt of most companies going forward! Social engineering is the hardest threat to counter and is the one threat hiring a security company or buying a new widget wont fix. It is a cultural issues (corporate culture). An outside security firm can point it out but they are not going to be able to fix it!
Boris Sverdlik I mean not listing it, will probably make the attackers job more difficult. Or at least use an intermediary. All resumes are trash anyway right ;) at least a majority. You can easily put up a req, without attaching your name to it.
Rod MacPherson This is something I've been very wary of lately with so many people sharing so much info on sites like LinkedIn.

I look forward to your LinkedIn article Boris.

BTW, for those who are wondering why I say that and yet have so much info in my own LinkedIn profile... while I have not lied about any of my qualifications there are certs I have for technologies I don't use at all at my regular job. Sometimes it pays to be genuinely interested in technology, and not seeking courses and certifications just to further your career with your current employer. :) Hell, one of the certifications I have listed I have the paper for but no clue what I did to earn it. As far as I can tell, the vendor just sent it to me.

I did use LinkedIn to dig a little into one security team's background and, I think, took them quite by surprise when I asked in an interview why several of them had moved from California to Texas recently. I hope I didn't spook them too badly.
JT Edwards And I just thought my resume was trash!

I guess the issue is these measures help prevent you from being a target of opportunity. They may make an attacker’s job harder, but if you have been singled out as a target it is a moot point.

I look forward to your Linkedin article. One point I have been wondering about is former employees. I list company X on my profile or resume and state that I worked with technology Y or implemented Z. I have provided similar information as the HR department just did for the job opening (maybe the job I just left). I wonder legally how far you can go with an NDA to prevent some of that. Totally different ball game if you work in the classified world, so just pondering this from a corporate standpoint.
Terry Perkins I, too, look forward to the LinkedIn article.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.