Go to any security Web site and its best practices state that you should “never view, open, or execute any email attachment unless the attachment is expected and the purpose of the attachment is known.” But what if it’s your job to open attachments?
In this day and age, human resources (HR) managers post job openings online to get the widest possible distribution. Gone are the days of newspaper ads and window postings; managers want to attract as many qualified applicants as possible, and Web postings are inexpensive and effective. This may be one reason why HR is a weak link in the security of a company. Many companies prompt applicants to email their resume and cover letter directly to the HR department or a specific manager. I went to a dozen international company sites and found that half of them had the same application process.
To apply for positions on our team, respond by email to email@example.com. Please attach your resume in Microsoft Word (*.doc), Rich Text (*.rtf) or PDF (*.pdf) format and include the name of the position you are applying for in the subject line.
Depending on the size of the company, HR managers receive dozens of applications a day and are expected to filter through them to find the most qualified person for the positions. But in order to filter through the emails, managers are required to open the resume attachments and often do so without taking precautions. This turns out to be a convenient entry point where attackers can gain access to company servers and sensitive information, since HR usually stores all employee personal information, including social security numbers and bank account information for direct deposit. Attackers can conduct targeted attacks on these companies by sending malicious attachments that, once opened, allow them to gain control of the user’s computer.
The main problem here is that best practices inform people not to open attachments if they are not expected. This reminds me of when I was growing up: my parents and teachers told me not to talk to strangers. They described strangers as shadowy, sinister creatures lurking in dark alleys, and told me not to approach them no matter what they offered (I often pictured them looking like Snidely Whiplash). But what about strangers that come to the front door asking for Mr. or Mrs. Low? Are they still strangers since they know my parents’ names? Not all malicious emails come in the form of anonymous addresses sending flashy adverts written in broken English asking for your credit card information. Some may appear legitimate and valid, such as a job application in response to a Web posting.
One method to overcome this vulnerability is to use an online application system where applicants are required to cut and paste their resume into the Web application. This removes the step of having to open potentially malicious documents. Now, if HR could just automate the hiring process.