In a recent piece I authored, here on ClearanceJobs, I call out the OPSEC by a company when they were approached by a security researcher who informed them that they had a security issue. The folks within the company handling the web-interface/communication thought the approach was a phishing attempt and ignored it. When the security researcher called in, they again thought it was an attempt to manipulate the company, and ignored the researcher. Please don’t be like that company. Train your HR and comms team to contact the FSO and to listen to anyone who is claiming your information is flapping in the public breeze …
Article link: https://news.clearancejobs.com/2017/09/06/resumes-veterans-applied-via-tigerswan-2008-2017-exposed/
Perhaps more egregious, according to Vickery, he advised TigerSwan of the issue and thirty days later the issue remained. Who does that? A quick search on the net would have revealed that Vickery is a highly respected security researcher. Perhaps search isn’t TigerSwan’s strong suit.
Every CI officer knows that you listen to the whole story from anyone who says you’ve been penetrated or your information is exposed. Then, after you have what they wish to share, you analyze whether the information is credible. The fact that Vickery was able to produce the raw documents would have quickly established that TigerSwan’s pool of applicant resumes was blowing in the breeze.