How Not To Write a 'Geek Wanted' Ad
When you're trying to hire a computer security professional to manage the network for one of the nation's largest counties, it's probably not the best idea to advertise to the world the precise digital defenses you have in place to protect the region's virtual castle.
Take, for instance, the following ad posted to business networking site LinkedIn. The hiring employer in this case is Riverside County, Calif., which claims to be the 16th largest county in the U.S. They're looking for a new chief information security officer (CISO). Here are their requirements, verbatim:
"Must have experience with firewalls (PIX/Border Manager), anti-virus (McAfee/Norton), Intrusion Detection/Intrusion Prevention Systems (IDS/IPS), virtual private networks (VPN), remote access systems (RAS), public key infrastructure (PKI), encryption (3DES), digital certificates (Versign, Entrust), routers (CISCO IOS), sniffers (Network Associates), distributed denial of service attacks (DDOS), biometrics, DMZ/Transaction Zones, business continuity planning, auditing, HIPAA and related regulatory compliance requirements, risk management, contract and vendor negotiation, and physical security. Must possess and maintain current certification as a Certified Information Systems Security Professional (CISSP) within guidelines established by (ISC)². Certification as a TruSecure ICSA Certified Security Associate (TISCA) is desired. Having worked in a decentralized organization would be a plus."
Whew! That's quite a list. But wait a second. It is hardly a stretch to imagine that cyber crooks also mine data from LinkedIn on a regular basis. After all, what do thieves do before breaking into a place? Just like professional burglars, they case the joint for a while to get the lay of the land before making their attack.
So, what do we know about Riverside County's IT security landscape? Well, for starters we know the area is guarded on the perimeter by PIX/BorderManager firewall products; that its networks are managed by Cisco routers (what, no version number?); and that the county uses both Norton and McAfee anti-virus (and probably data backup) products. We also know the county runs network packet sniffers made by Network Associates.
All of these software and hardware products have their own share of security vulnerabilities, many of which can be enumerated and exploited remotely to gain trusted access to a vulnerable network. And without a CISO around, maybe things aren't getting patched as quickly as they would otherwise. This ad could have been just as effective by leaving out the names of the vendors responsible for producing the hardware and software.
For example, consider this LinkedIn ad posted by Harvard University, which is apparently now on the prowl for a new Director of Information Security.
Still, even merely acknowledging that a business has critical IT security leadership vacancies carries a risk. For example, it's impossible to know, of course, whether attackers took notice of this lack of leadership at the prestigious Ivy League school, when hackers posted on BitTorrent a number of non-public files stolen from Web servers at one of Harvard's graduate schools.
February 22, 2008; 2:15 PM ET
Categories: From the Bunker