Are you a new InfoSec professional, perhaps seeking your first job in the growing field of Information Security? Many years ago, before the internet existed, a person would use the local newspaper to perform a job search. The usual protocols were often followed, including the sending of a resume, an introductory phone call (if the recipient liked the resume), and then a subsequent job interview. Back then, a job candidate was always advised to “learn something about the company” to which they applied. This was good advice, particularly when the interviewer would inevitably ask the candidate “do you have any questions for me”.
This advice still holds true today. When interviewing for a job, whether it be for a small organization or a large company, it is still a good practice to know a bit about the company where you have applied. Thanks to the internet, it is now easier than ever to find out about the company. (Pre-internet, it took a bit more leg-work, involving things such as a library search to see if the company had any journal articles written about it, or in the case of a smaller company, a search for their local reputation, possibly involving even a telephone.)
This advice carries even more weight if you are applying for an InfoSec position. Not only should you know about the company’s general business, but you should also know as much as you can about the technical aspects of the company, especially if you are applying to protect those assets. Gather some Open Source INTelligence (OSINT) to have a deeper discussion about the company.
The first interviews are usually non-technical, and this is where your general knowledge of the company will come in very handy. Visit the company’s web site and learn about what they do, who their leadership team is, and any other general information that is available. This is the company’s public face, and the information here is the positive information that they want others to know about them. This is not the time to impersonate an investigative journalist, seeking secrets from the dark web. You want to work for these folks, not scare them to death. This general information will also serve to ease any interview jitters that you may have. In addition, you can search GlassDoor for what to expect in the interviews.
If you pass the non-technical interview, then you will move on to the more technical interviews. One way to perform the OSINT search for the technical interview is to check the DNS information about the company. Sites such as DNSStuff.com and FindSubDomains.com are good sources for this information. There is plenty of inferential information to be gained from this type of search, such as where the company hosts their data, and possibly information about their infrastructure. This can give you better insight into their operations, as well as stronger discussion points for your technical interview.
If you meet with the InfoSec team, you may not have the luxury of knowing the names of each individual in advance; however, as you progress up the chain of command, you will most likely know the names of your next interviewers, since they play a more prominent role in the organization. This is where you can use tools such as LinkedIn, Facebook, Twitter, and Pipl.com to find out more about those folks. Don’t worry that they may be notified that you clicked on their LinkedIn profile page. If they are InfoSec managers, it should not come as a shock that you are performing this reconnaissance. In fact, they may be shocked if you don’t do this simple “homework” prior to an interview. Remember that certain names are nicknames, so if you can’t find a guy named Bill, or a woman named Liz, be sure to try William and Elizabeth, respectively.
This is where your OSINT exploration should end. Resist the urge to test any of their systems, defenses, or anything else that will get you rejected from consideration; it may also get you in legal trouble.
Remember that the purpose of performing OSINT on a prospective employer is to open up a richer interview conversation, perhaps find some common areas of interest between you and the interviewers, and to learn a bit about your possible new co-workers. You can be sure that they have probably done the same to learn more about you too.
Wishing you great success in your job search.