How Not To Write a 'Geek Wanted' Ad

When you're trying to hire a computer security professional to manage the network for one of the nation's largest counties, it's probably not the best idea to advertise to the world the precise digital defenses you have in place to protect the region's virtual castle.

Take, for instance, the following ad posted to business networking site LinkedIn. The hiring employer in this case is Riverside County, Calif., which claims to be the 16th largest county in the U.S. They're looking for a new chief information security officer (CISO). Here are their requirements, verbatim:

"Must have experience with firewalls (PIX/Border Manager), anti-virus (McAfee/Norton), Intrusion Detection/Intrusion Prevention Systems (IDS/IPS), virtual private networks (VPN), remote access systems (RAS), public key infrastructure (PKI), encryption (3DES), digital certificates (Versign, Entrust), routers (CISCO IOS), sniffers (Network Associates), distributed denial of service attacks (DDOS), biometrics, DMZ/Transaction Zones, business continuity planning, auditing, HIPAA and related regulatory compliance requirements, risk management, contract and vendor negotiation, and physical security. Must possess and maintain current certification as a Certified Information Systems Security Professional (CISSP) within guidelines established by (ISC)². Certification as a TruSecure ICSA Certified Security Associate (TISCA) is desired. Having worked in a decentralized organization would be a plus."

Whew! That's quite a list. But wait a second. It is hardly a stretch to imagine that cyber crooks also mine data from LinkedIn on a regular basis. After all, what do thieves do before breaking into a place? Just like professional burglars, they case the joint for a while to get the lay of the land before making their attack.

So, what do we know about Riverside County's IT security landscape? Well, for starters we know the perimeter is guarded by PIX/BorderManager firewall products; that its networks are managed by Cisco routers (what, no version number?); that the county uses both Norton and McAfee anti-virus (and probably data backup) products. We also know the county runs network packet sniffers made by Network Associates.

All of these software and hardware products have their own share of security vulnerabilities, many of which can be enumerated and exploited remotely to gain trusted access to a vulnerable network. And without a CISO around, maybe things aren't getting patched as quickly as they would otherwise. This ad could have been just as effective by leaving out the names of the vendors responsible for producing the hardware and software.
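One practical way to act on that last point, as an added example that is not from the original post: a small Python reviewer that flags the vendor-naming parentheticals in a draft posting and emits a vendor-neutral version while keeping generic acronyms such as (VPN) or (PKI). The vendor list and the ad excerpt below are constructed here from the quoted ad; a hiring team would maintain its own list.

```python
import re

# Vendor/product names a hiring team would rather keep out of a public posting.
# Constructed for this example from the ad quoted above (assumption: the team
# curates this list; it is not a complete vendor catalogue).
VENDOR_TERMS = {
    "pix", "border manager", "mcafee", "norton", "3des",
    "versign", "entrust", "cisco", "network associates",
}

# Matches "category (detail)" pairs such as "firewalls (PIX/Border Manager)".
# The category group is the single word (hyphens and slashes allowed) that
# immediately precedes the parenthetical.
PAREN_RE = re.compile(r"([\w/-]+)\s*\(([^()]*)\)")


def _discloses_vendor(detail: str) -> bool:
    """True if the parenthetical names a vendor/product rather than an acronym."""
    # Normalise to lower-case words so "PIX/Border Manager" -> "pix border manager";
    # padding with spaces makes the check whole-word (no "ios" matching "bios").
    words = " " + re.sub(r"[^a-z0-9]+", " ", detail.lower()).strip() + " "
    return any(f" {term} " in words for term in VENDOR_TERMS)


def find_disclosures(text: str) -> list[tuple[str, str]]:
    """Return (category, disclosed detail) pairs a reviewer should look at."""
    return [
        (cat, detail.strip())
        for cat, detail in PAREN_RE.findall(text)
        if _discloses_vendor(detail)
    ]


def sanitize_posting(text: str) -> str:
    """Drop vendor-naming parentheticals; keep generic ones like (VPN), (DDOS)."""
    def repl(m: re.Match) -> str:
        return m.group(1) if _discloses_vendor(m.group(2)) else m.group(0)
    return PAREN_RE.sub(repl, text)


# Constructed excerpt of the ad quoted above, used as sample input.
AD_EXCERPT = (
    "Must have experience with firewalls (PIX/Border Manager), "
    "anti-virus (McAfee/Norton), virtual private networks (VPN), "
    "encryption (3DES), digital certificates (Versign, Entrust), "
    "routers (CISCO IOS), sniffers (Network Associates), "
    "distributed denial of service attacks (DDOS)."
)

if __name__ == "__main__":
    for category, detail in find_disclosures(AD_EXCERPT):
        print(f"discloses {detail!r} under {category!r}")
    print(sanitize_posting(AD_EXCERPT))
```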

For example, consider this LinkedIn ad posted by Harvard University, which is apparently now on the prowl for a new Director of Information Security.

Still, even merely acknowledging that a business has critical IT security leadership vacancies carries a risk. It's impossible to know, of course, whether attackers took notice of this lack of leadership at the prestigious Ivy League school when hackers posted on BitTorrent a number of non-public files stolen from Web servers at one of Harvard's graduate schools.

By Brian Krebs  |  February 22, 2008; 2:15 PM ET
Categories:  From the Bunker  

Comments

And Harvard's computer systems are now vulnerable to attack because, of course, it's the Director of Information Security that used to apply patches to Harvard's servers and routers on a daily basis.

Posted by: N | February 22, 2008 3:31 PM | Report abuse

I think we're becoming a bit over-sensitive to what information can be disseminated.

1) Does this disclosure of information really matter, in the end? Most likely not. Did this information give you a better chance to penetrate their network? Most likely not. I think the worst that has happened is someone could try to SE the techs by posing as McAfee/Cisco field reps responding to alerts...blah blah blah.

2) So, should we neuter all IT-related want ads because they expose some of our infrastructure? A developer needed for internal dev work in ColdFusion would mean they use CF servers...a network admin needed who knows Juniper/Cisco devices...a desktop admin who knows...

I think the benefit to the company to properly advertise their job openings will outweigh the minimal risk produced from such activity.

Posted by: LonerVamp | February 22, 2008 3:49 PM | Report abuse

Yawn. Any real attackers out there already assume lots of Cisco gear in place at any given network. A few seconds of port scanning will probably tell an attacker the version number of Cisco they are running.

What you are advocating is just another form of security through obscurity which will get you exactly zero/zilch/nada against a mildly skilled 6 year old with a bad attitude, while making your job posting so vague and uninteresting that no one will apply.

Also, the two postings are apples:oranges. The Harvard posting reads as an administrative position while the Riverside folks are clearly looking for a hands-on network person who understands security.

Posted by: D3 | February 22, 2008 4:51 PM | Report abuse

At some point, you're going to need to tell the candidate what he needs to do. This same information can be obtained from an interview if it's not detailed in the ad. Interview for position, learn company secrets, don't accept job: there I just accomplished the same thing, only now you're interviewing ten times as many candidates--none of whom are qualified because you didn't tell them what you were looking for--and wasting everyone's time.

As for "advertising" that they use both Norton and McAfee anti-virus software, that's about as risky as revealing that their vending machines take both coins and dollar bills.

Posted by: Setec Astronomy | February 22, 2008 5:03 PM | Report abuse

LonerVamp

another take on a "proper" ad like this one might be "we've got a whole bunch of black boxes with baseplates, here's what they say ..."

They are looking for the pro who already knows what she (or he) needs, provided they pay. The problem with telling that sort of pro too much in the ad is that they might think the company's or municipality's direction beyond hope.

Posted by: GTexas | February 22, 2008 5:14 PM | Report abuse

Oh, and by the way BK. Stop making fun of Geeks or we'll start answering "Righter Wanted" ads ... a little competition would serve you right!

:=)

Posted by: GTexas | February 22, 2008 5:27 PM | Report abuse

Hey haven't you heard of Virtudex.com? It's the best business social network. Invite only so here is the pass code - 1z1code

Posted by: Jason Gamby | February 23, 2008 12:06 PM | Report abuse

I think the Washington Post should stop attributing articles. After all, competitors now know who to call -- or not.

;)

Posted by: Adam | February 23, 2008 8:06 PM | Report abuse

"The problem with telling that sort of pro too much in the ad is that they might think the company's or municipality's direction beyond hope."

Heh, like still using Windows 9x or Novell? Seen those ads. Scary! To me, that indicates the status of their security efforts more so than the type of router, firewall or AV product mentioned!

Posted by: TJ | February 25, 2008 8:36 AM | Report abuse

This is ridiculous...stretching for an article? All the vendors are big players and they are probably in the majority of big organizations.

Let me guess...they probably have Windows workstations too....oooohhhh aaahhhh....

It doesn't matter what they run and what version...all it takes is someone to pick up a phone, make a few selected calls...boom - username and password.

Posted by: SMR | February 26, 2008 11:46 AM | Report abuse

Oh this is too funny. Bk: you're on a roll! ;)

Posted by: Rick | February 27, 2008 8:27 AM | Report abuse

This is simply idiotic. Best to not describe the job at all? Best to not even admit what line of business you're in?

The security industry is full of FUDmeisters, and this is a fantastic case in point.

Posted by: Daniel | February 29, 2008 4:53 PM | Report abuse

Probably the worst part about the ad is that they mention using 3DES. We know that DES has some flaws and was replaced by Rijndael / AES in the early 2000's. This especially was a stupid move.

Some of the other items really aren't much of a surprise. It seems that many of the purchases and RFPs would have been part of a public record that could be requested from the clerk.

Certainly, the old adage is true. People are the weakest part of your security.

Posted by: Dan | March 3, 2008 9:48 PM | Report abuse



© 2010 The Washington Post Company