
You Must Search Before You Destroy

BSides SLC · 2015 · 26:44 · 154 views · Published 2015-04 · Watch on YouTube ↗
Category: Technical
Style: Talk
About this talk
It's amazing what you can find out about a target using public information from the web. We will look at some new tricks to leverage LinkedIn data, job postings and press releases to find out what technology exists before you even fire up nmap to do a pen test. We will also discuss ways you can protect your organization from these types of techniques. And Adam rants a bit about being unemployed...
Transcript [en]

Better? Awesome, thanks guys. So I've noticed that a lot has changed since I've been laid off. In the last five years the market's changed a lot, and I found something kind of disturbing that's happened in the last several years. I'm talking to a lot of other people that have been unemployed lately as well, and some of these guys are having a hard time finding jobs, which is odd. This is really strange, because the unemployment rate in the United States for information security professionals is 0.67, and I do believe that, honestly. Honestly, there should always be a certain percentage of people always unemployed. Yeah, you have those co-workers. So 0.67, so why are people having a hard time

finding a job? So this is some original research I did the other day. I did a search on Indeed and Monster and I looked at the number of job postings for CISSP, and then I divided that by the population of that job market, and I found Utah is second to the last: there is only one job posting per 78,000 people in that job market. Whereas, who would have thought, Denver is the hottest market right now for information security professionals, almost seven times as many jobs per capita than there is here in the Salt Lake market. When you look at other job titles like information security architect, same kind of thing:

you're seeing 212 job openings in Denver, you're seeing 19 in Utah; when you adjust that, it's another nine times difference. So, you know, just something to think about. Why in this market are companies not investing in information security? Why is that? I would love to have a drink with someone at the bar tonight and figure it out. I've not figured out all the variables, why companies in Utah aren't investing in information security professionals. Now I have noticed that three-fourths of the jobs that I've applied for, they're work-from-home jobs. At first I didn't know how to find those jobs, so just so anyone else knows, if you find yourself in the same situation,

go to Indeed and under the "where" put "remote", and that'll list all of your work-from-home jobs. Okay, now to my real talk. That was just a little side bit, an informational thing that I just found interesting and thought I would share, maybe give you a little warm hug and figure out why you hate living in Utah. So has anyone ever heard this before from senior management: "We do more than our competition does to protect our customers' data. We invest millions of dollars, millions of dollars, at investor cost, to protect our customers' data." You know, "How could this breach have happened? We spent all this money but we still got

owned. What's up with that?" You know, using public information I can find all sorts about a company without even running an Nmap test. If you're going to do a pen test, Google is your friend, so you don't need to generate all of this noise while you conduct the preliminary phases of your pen test. Cut your noise out with Google, and let me show you some other ways that you can harvest really great information for a pen tester, all from these public sources. Having this data I can actually build org charts, and so when I'm doing social engineering I can go into the org chart

and say, hey, because I have the entire org chart up when I'm doing social engineering pen tests, I say, okay, I know everyone in the company, and a lot of times I have their phone numbers, their email addresses, so it makes pen testing so much easier. IT and staffing levels, execution in the boardroom: I've been able to go into the boardroom and say, hey, all of our competition, they have X number of information security professionals per thousand employees; why are we staffed at one-tenth the staffing level of our competition? Using this information has provided me ammunition to get more IT staffing for my departments, because ultimately I can say I'm secure, not secure, but

really all my management cares about is that they're cooler than our competition is. So how can a bad guy use this information? Okay, if I was a bad guy and I saw two separate companies, and I saw that this company over here had a hundred infosec employees and this company B over here had 10 employees, which would I choose as a target? So having this understanding helps with target acquisition as a bad guy.

Project justifications are great. To justify your projects, knowing what your competition is running helps you justify your projects. For example, at my last company I'd been trying to push a Citrix VDI project through. I wanted to remove all the data off of everyone's laptops, containerize it, and make it so it was a one-way container, and management kept pushing back on me because it was a large financial investment, it was a lot of money. And so for a year they told me no, and then I came up with this method, and that's when I went to management and said, okay, tell me who you perceive as

our top 25 competitors. I want to know who you perceive as being competition. Then after that I took that list of who they perceived as the competition, and then I turned around and that's when I started doing my analysis, because they took those people as serious. Then I went into the board and said, hey, 72 percent of our competition is using VDI today; another 11 percent have open job requisitions looking for VDI professionals. So that's 83 percent of our competition is using VDI, and all of a sudden one of the executives in the boardroom turns to me and says, well, if they're doing it, why aren't we? My head was like,

but all of a sudden their light turned on, because all of a sudden it was real to them. They don't care what Gartner Group says. Wow. Okay, so where is all this data coming from that we're finding on the internet? Well, it's mostly coming from the employees that you have and your HR departments; they're the most guilty. So let's go into how we're going to find this. So let's start with LinkedIn profiles.

So first we need to have a discussion around being able to do meaningful search on LinkedIn without paying a lot of money. You need to have lots of connections. Originally when LinkedIn came out it was like, I'm only going to connect with people that I know and just keep this close-knit little community. Well, if you want meaningful searches, you need lots of connections. So you can see that I currently have 2,600 connections, but I can see their friends, and I can see their friends' friends, so in reality I have access to 29 million LinkedIn profiles right now. So the question you're asking yourself: how do I build my

LinkedIn network so I can spy on my competition? LIONs. LIONs is the key here. Oftentimes what you'll see is someone with their profile and it will say LION. What LION means is, if you send me a request I'm just gonna say yes, I accept, I don't care if I know you or not. So it means LinkedIn Open Network: I'm open to requests. So what you can actually do is, when you do a search, search for LIONs and then just start sending them LinkedIn requests. Also there's mailing lists that you can go to to find email lists of people that are welcome to being LIONs.

These are CSV files. At first I'm like, well, how do I import all these CSV files? Just a quick tip real quick: you just go into Connections, say "any email", and then at the very bottom you can say import via CSV, and that's when you import these bulk lists that contain thousands of email addresses that you can connect with, and that'll bolster your connections really quick. Like I said before, if you don't have all these connections you're gonna have to pay for it. Even if you don't pay for it, they do have paywalls, so as a free subscriber you're only allowed, I think, about 100 searches per month, and it resets at the

first of every month. So if you do too many searches you're going to be locked out for a month; just be aware that that exists. When I was doing my research I'm like, oh dang it, paywall. So when I'm targeting a company, the first thing I do is I look up the company in LinkedIn, and what I'm looking for at first is their company size, what LinkedIn thinks their company size is. Then the next thing I look for is how many connections do I have into that company. So I can see that there's 363, 361 employees in LinkedIn, which is right in that 500 to 1,000 target size, and I have direct connections to half

of those people, so I have really pretty decent coverage inside that company. Now you start doing searches for all the employees in that company. When you search for the company there's a little link on the side that says "show me how I'm connected". This is how you start building your org charts. It's very important to build your org charts, and a lot of times you even have pictures with your org charts; they're really pretty. So start targeting down the infosec departments for these companies that you're targeting. Okay, so all of a sudden, hey, this guy, this enterprise architect here that

works for this company, he says that while he works at this company he did Active Directory 2012, Exchange, Lync 2013, Office 365. Hmm, I wonder what they run inside their infrastructure? He just told me right here: I know that this company runs Active Directory 2012. Here's another one: I'm a firewall administrator, I run Palo Altos, here's the model numbers of the Palo Altos, here's the version of my Palo Altos that I'm running.

Building budgets is also helpful when you're justifying the size of your IT department; you're trying to use this information to justify your spending at an organization. It's pretty easy to estimate someone's IT spending. Let's see here: he's running distribution switches of 3650s and 3750-Xs, it looks like his core switches are a pairing of 7010s and 7018s, and he's running Cisco ASA 5515 firewalls. It's pretty easy for me to tell you; anyone that has some background in Cisco can get on their calculator and tell me what their annual budget is. It's pretty easy. Developers: if I want to find out what programming languages they're using inside their development,

I can just search for the LinkedIn profiles for those developers and they'll tell you, hey, I write in PHP. I wonder if there's some Java vulnerabilities if I can find some Java developers there. Sometimes all you have to look at is job titles, people's job titles: Citrix Senior NetScaler Engineer. Do you think they run NetScalers at that company? Odds are yes. Fail, but we're okay, sorry. Okay, another way: once you have your org chart, now you can go to salaries.com. You take all the head count you found from LinkedIn and now you start plugging it into salaries.com, and you can actually build in what their annual IT spending is for

headcount, what their headcount budget is. So I know X company over here, based on these job titles, they're spending 3.7 million dollars in spending. So when I go to management I can say, hey, they're spending that much, I'm spending one-tenth that, what's going on here guys? So if I don't have enough data from LinkedIn profiles, let's switch to resumes. Now you have a LinkedIn org chart you've built out, now you have specific names that you can go out on the internet and start looking for their resumes that they've posted online, because I found that people put a lot more detail of what they did at an employer in their resume than they put in their LinkedIn

profile. So what you do is you go to indeed.com and click on Find Resumes; it's that middle link at the very top left. You just type in their name, and then I just put in Utah, and so I'll walk through the entire org chart looking for people that have posted their resumes out. Great way to harvest information about a company. So you can see this guy's resume here; in his resume, hey, I worked at this company and here's some specific things about this company, things that he didn't share in his LinkedIn profile but he would love to share in the resume that he posted online.

So if that doesn't work, now we switch to job postings. When companies look for people they'll tell the world what they're looking for. They'll say I'm looking for a Java developer with this version of Java that has this experience, or I'm looking for a sysadmin that has Cisco UCS, yada yada yada. So now just by reading a job posting I pretty much know what their infrastructure is, so there again when I do that pen test I can generate a lot less noise. So you can see this company here is looking specifically for a vCenter 5.5 guy that has experience in VMTurbo. This tells me a lot about the

organization.

Same kind of thing: I can see what their anti-virus program is. So if I know what their defenses are, if I can look at an organization and say, okay, you have a defense-in-depth strategy, you're running these security protocols and these products, I'm gonna go ahead and fire up in my lab that exact same environment, and I'm going to start creating exploits and payloads that I can test in my lab before I try it on that company. So it helps me develop payloads as a pen tester or as a bad guy, because I can mirror what their production environment looks like.

One of the troubling things that I didn't find, that I wish I would have found, was a free site that allowed me to do historical searches on companies' job postings. I found one website that does it but charges tens of thousands of dollars to basically say, show me every posting that this company has ever made for a sysadmin. If you guys know the site, there's a warm hug in exchange for that information. Another awesome place to find disclosures that they shouldn't be posting: press releases. This example here comes from VMware. So VMware did a case study of Cornerstone Lending; it's a mortgage company, and so in the case study they say,

okay, our VMware environment consists of HP BL blades with this much memory. So if I'm trying to do an estimation of how much hardware I'm gonna need for a denial of service attack to flood out their VMware environment, that pretty much tells me exactly what I need. I know exactly what kind of storage they have, and they published it right in their white paper when they did the case study. And then also here's another great one: they had a video of their case study, and they show these guys in their data center, and all of a sudden... so I don't even care

what these guys look like, that they're wearing those little hot sexy man blue shirts. What I do care about is what they're standing in front of. So on the left one there you can see a VNX, I see two BIG-IP controllers; I can see exactly what technology they're running in their data center, because they took a picture and posted it online. I was floored to see the number of data center photos that I was able to find from companies online. It was like, really? Really, you posted a picture of your data center online? Really? Now some of you might be going, well, I don't think that's a big deal, but I think others in

this audience, the lights are coming on, going maybe this isn't a bad idea. You know, other thing in this posting: they took a screenshot in the video of their vCenter environment. They're like, here's a picture of our vCenter with all of our server names, and they put it in a press release. So these are not the kind of things that I'm looking for, so I can quickly do an analysis of a company in an hour or two. So the question you can ask yourself is, is this worth doing once or twice a year, spending a couple hours once or twice a year as an information security professional and just going through

and just searching for this really quick. I went to our HR department, our legal department, and said, okay, do I have the ability and the right to tell sysadmins that they may need to take certain information off their LinkedIn profiles? And the feedback that I got from my legal department, when I did have a job, was: the combination. Well, running a particular technology like Cisco is not what I'd say earth-shattering, but the combination of technologies that your company is running can be construed as your company's secret sauce; the combination itself could be alluded to as proprietary information in and of itself. So the legal people I talked to said yes, because in most employee agreements it

says that you cannot disclose proprietary company information. But check with your legal departments. So first off, we talked about if we should monitor this, should we watch for this; so how do we stop it, how do we stop this disclosure of information?

Having company policies in place. Second, don't use vendor-specific job titles. Instead of saying Citrix admin or vCenter admin, just call it a sys engineer or a sysadmin. So work with your HR departments on making your job titles more generic and not specific towards a particular technology. I did some scouting in that list of companies that my organization took as being serious competition. I found one particular organization that, you could tell, they had gone through and sanitized, because when I searched that company, all their IT guys, all it said was sysadmin, no description of what they had while they worked there,

and when I looked at their job postings they were very vague. And so what they had done is they were leveraging their HRIS systems and their HR departments, because now when they post a vague job posting it takes a lot more HR resources to filter that down to what they're actually looking for. So they relied heavily on their HRIS system to filter out job submissions, people that had made job submissions, to really get what they were really after. So it was a bit more work for their HR departments. I'm the kind of guy that just talks quick. If you'd like to link in with me, there's my contact

information. If you'd like to send me a LinkedIn invitation, there's my email address. That's pretty much all I have. Does anyone have any comments, questions, useless trivia? Yeah, go ahead.

I didn't go down. So what he asked was, are there any other sites that you've used besides LinkedIn or Indeed or what you presented in this presentation? You know, you have sites like Maltego, which is another great resource, Twitter, Facebook. But where I had the most luck, that I didn't mention in this, is once you have people's names from that org chart that you created, now you start scouring message board forums for postings that that person has put. Like I love to scour Microsoft's TechNet site looking for questions that that engineer has posted, because a lot of times people

disclose too much on forum sites. That's another one. Do you have any, is there any other suggestions that you would have?

Yeah, so any site that people are willing to disclose sensitive information on. Glassdoor, that was my other one I forgot to mention. Yes, Glassdoor is another great website that people will disclose too much on. It's like buying an engineer a beer; he'll take anything. Any other questions? Okay guys, appreciate that, thanks guys.
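The defensive half of the talk boils down to one check: before HR publishes a job title or posting, look for the vendor-specific product names and version numbers the speaker was harvesting (Citrix, NetScaler, vCenter 5.5, Cisco ASA 5515, Active Directory 2012) and replace them with the generic wording he recommends ("sysadmin", "sys engineer"). The script below is an added example, not code from the talk or its speaker: a small pre-publication review that flags those terms and proposes a sanitized version. The term-to-category map and the sample postings are constructed for illustration from the products the speaker names; they are not a complete list, and in practice the map would be maintained by the security team alongside HR.

```python
"""Pre-publication disclosure check for job postings and job titles.

Added example (not from the talk): flags vendor-specific product names and
trailing version strings in text about to be published, and suggests the
generic wording the speaker recommends. The term map and sample postings are
constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed map of vendor-specific terms (drawn from the talk's examples) to a
# generic category. Keys are matched case-insensitively as whole words. Common
# English words used as product names ("exchange") can false-positive; a human
# still reviews what is flagged.
SPECIFIC_TERMS = {
    "citrix": "virtualization platform",
    "netscaler": "application delivery controller",
    "vcenter": "virtualization management",
    "vmware": "virtualization platform",
    "vmturbo": "capacity management tooling",
    "palo alto": "next-generation firewall",
    "cisco asa": "firewall",
    "cisco ucs": "blade server platform",
    "active directory": "directory service",
    "exchange": "email platform",
    "lync": "unified communications",
    "office 365": "cloud productivity suite",
}

# Longest terms first so "cisco asa" wins over a hypothetical "cisco" entry.
# An optional version-like token may follow: "vCenter 5.5", "ASA 5515", "2012".
_TERM_ALT = "|".join(re.escape(t) for t in sorted(SPECIFIC_TERMS, key=len, reverse=True))
_PATTERN = re.compile(rf"\b({_TERM_ALT})\b(?:\s+(\d[\w.\-]*))?", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    term: str                # the specific term as written in the posting
    version: Optional[str]   # trailing version/model string, if any
    generic: str             # suggested generic replacement
    start: int               # character offset in the input text


def find_disclosures(text: str) -> list:
    """Return every product mention (with any trailing version) found in text."""
    findings = []
    for m in _PATTERN.finditer(text):
        term, version = m.group(1), m.group(2)
        findings.append(Finding(term, version, SPECIFIC_TERMS[term.lower()], m.start()))
    return findings


def sanitize(text: str) -> str:
    """Replace each product/version mention with its generic category."""
    return _PATTERN.sub(lambda m: SPECIFIC_TERMS[m.group(1).lower()], text)


def review_posting(text: str) -> dict:
    """Summarise one posting: findings, how many leaked a version, a sanitized copy."""
    findings = find_disclosures(text)
    return {
        "findings": findings,
        "versions_disclosed": sum(1 for f in findings if f.version is not None),
        "sanitized": sanitize(text),
        "ok_to_publish": not findings,
    }


# Constructed sample postings (not real job ads).
SAMPLE_POSTINGS = [
    "Citrix Senior NetScaler Engineer: support our vCenter 5.5 environment "
    "and VMTurbo; Cisco ASA 5515 experience a plus.",
    "Systems Engineer: maintain servers, storage and network infrastructure.",
]

if __name__ == "__main__":
    for posting in SAMPLE_POSTINGS:
        r = review_posting(posting)
        print(f"{'OK' if r['ok_to_publish'] else 'FLAGGED':8} {posting}")
        for f in r["findings"]:
            ver = f" {f.version}" if f.version else ""
            print(f"   - {f.term!r}{ver} -> {f.generic}")
        if not r["ok_to_publish"]:
            print("   sanitized:", r["sanitized"])
```

The first sample posting is flagged with five product mentions, two of which carry a version or model number; the second, written the way the sanitized competitor's postings read, passes. The same `review_posting` call works on a proposed job title or on the text of a press release or case study before it goes out.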