Wonder how hackers know where your company's network is vulnerable? Your online job postings may be the culprit. Do they hint where you're weak in IT staffing? List specific operating systems and hardware that candidates should be familiar with? If so, you've provided enough information for the bad guys to break in.
"Ninety percent of companies have a Web site used for bragging rights. They want people to visit them and see how good they look and what they do, and part of it is also to recruit quality employees by listing available positions," explains Robert Schperberg, a digital forensics expert who just published the book CYBERCRIME: Incident Response and Digital Forensics. The problem with highly visible job ads, he said, is that the computer criminals also scrutinize them to see where there are weaknesses, not only in personnel but in potentially unpatched software and hardware that can be used to attack networks.
"We announce to the world what we're using and make it possible for 'reverse intent,' in which hackers use the same manuals and how-to books to figure out how to penetrate your system," said Schperberg, a former law enforcement officer who now works as vice president of operations for consultancy TeleDesign Security Inc., in Berkeley, Calif.
Schperberg specializes in incident response, a process that's becoming a priority for organizations increasingly under scrutiny after more than a dozen well publicized security lapses. In February, database broker ChoicePoint Inc. admitted its staffers were conned into giving up confidential information to identity thieves, putting more than 145,000 unsuspecting consumers at risk. Most recently, a credit card processing company, CardSystems Solutions Inc., acknowledged that 40 million credit cardholders' account information was exposed to hackers. Both companies are headquartered in the Atlanta area.
Disclosure laws like California's breach notification act and regulatory compliance violations are bringing security infractions to light. "A lot of companies don't have a choice anymore in withholding information," Schperberg said. "That's a different story from three or four years ago."
Many security-related laws like HIPAA require an incident response plan, but whether it's followed is another story. Often, people are unsure of their roles and responsibilities in the time of a security crisis. "I find the lack of training is one of the most crucial places in being able to activate an incident response," he said.
Schperberg said companies need to invest more time and training into creating enforceable policies that extend to everyone from executive management to end users and technical staff. Awareness and accountability are key.
A former digital forensics specialist for the Alameda County Sheriff's Department near San Francisco, Schperberg likens the relationship between security practitioners and computer criminals to his stints working in the county jail. "I'd put in 8 or 10 hours a day trying to keep these people from getting outside. Then I'd go home and forget about it," he said. "The prisoners -- they're in there 24/7 thinking of nothing else but how to escape. Similarly, the IT manager goes home at the end of the day. He had other things to do. But those other guys -- that's all they do. Hours upon hours, all they do is figure out how to penetrate your system."
Note: This story originally appeared on our sister site, SearchSecurity.com.