Michael Piccalo is the Director of OT/ICS Systems Engineering at Forescout Technologies.
There’s a lot of talk in the cybersecurity industry about the jobs threat, meaning the gap in qualified professionals to fill the number of open positions in the industry. But, have you thought about the other jobs threat to consider – the online job postings themselves?
It’s been encouraging to see companies paying more attention to cybersecurity these days. However, what that has translated to is an incredible need for knowledgeable professionals to help implement and manage those new priorities, resulting in more than 4 million unfilled positions across businesses of all sizes and industries, according to a 2019 (ISC)2 study.
A natural starting point for organizations to find that talent is through posting jobs, often on their own websites, where they outline the specific skills and experiences needed to fill gaps in their rosters. Think about the details that typically go into a job description.
Generally, one might find the site (location) of the job, the job requirements, specific control system automation vendors and their software packages, specific Programmable Logic Controllers (PLCs) that need to be maintained along with the communication protocols used, and much more. This information is included to make sure the candidates have the necessary skills to do the job well, but it can also reveal a lot about the specific site and what Operational Technology (OT) is implemented there.
Reconnaissance and social engineering are generally the starting points for a cyberattack. Organizations are often not aware of what sensitive or revealing information is freely available with just a simple search. If there is so much data available from just a simple Google search, imagine what will come up with some slightly more advanced search queries, such as with Google dorking and leveraging the database of Google hacks or Shodan to find those unintentional data leaks.
Lots of information can be gleaned from details in job postings and resumes posted online. This information is especially powerful when combined with additional details from LinkedIn profiles and other social media sites. If an attacker were building out a profile of their intended target, what would they find out about your organization? Don’t underestimate the power of a determined attacker and their social engineering efforts!
In a real-world example, one utility company recently posted a listing for a security specialist needed for implementing nuclear plant digital controls. The job posting outlined seven specific security vendors the specialist would need to be knowledgeable of, presumably the ones used by the plant to protect its systems. In another case, multiple openings at a nuclear facility outlined specific systems requiring cybersecurity protection. These are just two examples found with a quick search of utility cybersecurity jobs in the U.S.
The information available on the web can also be used by attackers to figure out who to target. Taking a quick look at the company website and the leadership team page is a good start. Or maybe visit the company profile on LinkedIn and identify the control systems engineers and what systems they have experience with at the various sites. Or try the network administrators or security engineers and see what firewalls and other solutions they have experience with.
Look at all of the above, as it only really takes that one person clicking a malicious link or opening an attachment in order for the adversary to gain a foothold on the business network. The more information available about your company, the employees, the plant systems, available positions and locations, etc., the easier it is to craft an attack with a higher probability of success.
To be sure, there is certainly good reason for putting specifics in the job postings, especially with the need for specialization. But, while reconnaissance of an organization or individual is one of the more difficult aspects to prevent, there are steps that can be taken to help minimize the amount of sensitive information that can be harvested. For starters, organizations can:
While this is just a subset of some steps that can be taken, the goal is to make organizations more aware of the potential exposure that they may not have thought about before. In any case, it is clear that protecting an organization from attack requires support from the entire organization, from HR, to the cybersecurity team, and to every employee, contractor, and partner as no organization is immune to this threat.
Michael Piccalo is an OT/ICS Principal Engineer with Forescout Technologies. With over 25 years of experience in the cybersecurity industry, he worked on deploying some of the first firewalls protecting OT and critical infrastructure back in 2001 and served in the U.S. Air Force prior to that working in various fields including communications, intelligence, and security.