Social Networking Sites = Social Engineering and Corporate Information Bonanza?
Thu, 2008-01-24 02:58

This entry was prompted by a recent study by CareerBuilder.com which showed, among other things, that 63 percent of employers who reviewed applicants’ social networking profiles decided not to hire them based on what was discovered in those profiles. Reading this, it occurred to me to take a random walk through some of the social networking sites, including personal blogs, to get a feel for the type of information available. In taking that walk, I used several new search engines that focus on just these types of sites: Pipl.com, Peekyou.com, Wink.com, and Spock.com. The point of my research was to see what, if any, information was available through these sites that would be of use to, say, a social engineer. What I found greatly surprised me.
 
These sites, particularly employee blogs, provided an amazing range of information that could easily be exploited by a social engineer to gain access to an employer’s systems and data. Employees freely talked about their supervisors by name, the buildings they work in, their co-workers, and even the projects they were working on. To my surprise, there was also much information regarding the specifics of their employer’s business plans, products, and services. Some of this information seemed clearly to be confidential to the business, even constituting trade secrets. It occurred to me that a potential hacker would not even need to engage in social engineering, but would only need to review the relevant sites to obtain valuable information about the companies the hacker was targeting.
 
While businesses cannot, in general, legally control the information employees post on these sites, they can emphasize to employees their contractual obligations to protect and preserve the confidentiality of the business’s information, and they can sensitize employees to the risks of posting company-specific information on public forums. Employees need to understand that hackers have been actively trolling these sites. Given the exponential growth of networking sites and blogs, businesses should consider implementing training on these issues as soon as possible. At minimum, it would be time well spent to invest a few hours one afternoon running your company name through these search engines. The results may surprise you.
