Cassandra Security

Analysis of the security industry, and all that it influences.

• Home
• About Us
• Events
• Research
• Papers
• Podcasts
• RSS

On a lark I decided to look at some security job postings, no not to look for a job but rather to look at what type of information is included in those postings.  I had something hit me today that organizations looking to hire security professionals tend to place quite a bit of information in their job postings that could lead one to deduce what type of security applications, controls and countermeasures they have in place.  When I was in the Air Force we called this Essential Elements of Friendly Information or EEFIs.

EEFIs themselves weren’t classified information, but with enough minor detail from multiple communications or, in this case, multiple web postings an adversary could determine some mission critical information.

Back to point, is it necessary to post specific information such as the below examples in job postings?

“Specific technical skill sets include: Anti-Virus (Symantec), Network Monitoring (Security, SecurFusion), IDS (SNORT, ISS), Vulnerability Assessment (Nessus, NMAP).”

Another posted required technical knowledge with Cisco PIX and TippingPoint IPS.

Yet another, for a public utility, requested knowledge with Firewall-1

These are just three examples that I found doing a quick search, I’m sure there are plenty more.

I realize that many of these are posted by staffing agencies so that it’s a bit difficult to pin point the specific company, but still is specific security technology too much to post in a job listing?  I realize that, as a hiring employer, you don’t want to get inundated with resumes but on the other hand, as a potential attacker could this information be useful to me?

Comments

• Categories

  • Advanced Persistent Threats (APT)
  • Assessment
  • Audit
  • Backdoors
  • Bot Nets
  • Cloud Computing
  • compliance
  • Crime and Punishment
  • critical infrastructure
  • Cyber Crime
  • Cyber Defense
  • Cyber Fraud
  • Cyber Terrorism
  • Cyber Warfare
  • Information Security Philosophy
  • Malicious Code
  • Malicious Content
  • Next Generation Threats
  • Patterns & Profiles and Threat Vectors
  • PCI-DSS
  • Risk
  • risk management
  • Rootkits
  • SaaS
  • Security Philosophy
  • Subversive Multi-Vector Threats (SMTs)
  • Terrorism
  • threat
  • Threat Modeling
  • Trojans
  • Uncategorized
  • Vulnerabilities & Threat Research
  • Whitehat
  • Whitepapers

• Archives

  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • June 2009

• Blogroll

  • Arbor Networks Blog
  • CSI Provoked
  • Dancho Danchev
  • Fudsec - Showcasing Fear, Uncertainty and Doubt from the Information Security Industry
  • Gunter Ollmann's Blog
  • Harlan Carvey's Windows IR Blog
  • IANS Perspective
  • Joanna Rutkowska of Invisible Things Labs
  • Nelson Brito (no português)
  • Our Twitter
  • Palantir - Palantir Technologies
  • SANS Internet Storm Center
  • Schneier on Security
  • Security Fix
  • Security Incite
  • TaoSecurity
  • The Art of Software Assessment - Mark Dowd, John McDonald, Justin Schuh
  • The Threat Post - Kaspersky Lab Services
  • the451group

• Admin

  • Register
  • Log in
  • WordPress
  • XHTML