Only 4 engineers had this level of privilege at LastPass, so how did the attacker identify the target? LinkedIn... that's why you should not list where you work until you're no longer working there, or list a completely different role than the one you're currently in.
I'm listed as a janitor at the place where I work. Only those who know me know what I really do.
I've tried to sell the policy forbidding employees from listing their positions or where they work on LinkedIn, and each time management frowns and says no. One day they'll come around...
> I've tried to sell the policy forbidding employees from listing their positions or where they work on LinkedIn, and each time management frowns and says no. One day they'll come around...
Forbidding employees from listing their role on LinkedIn would put them at a major disadvantage in job searching and recruiting.
Forcing employees to hide their role is unreasonable. The company doesn’t own the employee.
I disagree, but disclaimer I work at a company that allows you to.
If you work at an organisation like LastPass in a privileged position, then you need to be aware that you are an enormous target. And it's not just your own or the company's security you potentially compromise, but millions of other people's arguably most sensitive information.
In Australia, if you have a defence security clearance, you are not allowed to display that on your social media networks (e.g. LinkedIn), despite that potentially being important to your other job prospects in that industry. For those exact reasons.
If your LinkedIn said you were a DevOps engineer at LastPass, you know for sure that they're a prime target.
I'm not arguing the legality of it, just the problem it poses if you don't. Perhaps the solution is to tighten who can see your position and you diligently only connect with people you absolutely know and not have connections of connections on.
I would assume you're still allowed to post your role to social media in Australia. A security clearance is not a role. I doubt people post that they have access to all the infrastructure on their LinkedIn, but you can infer it from the role.
LinkedIn doesn't even matter, since you can buy the data anyway. Email signatures are mined by data brokers to get role and contact info. Any time you email outside of the org, the CRM software could be grabbing that info and feeding it back to a data broker. Not to mention people using add-ons to their mail clients. That's why I don't use one at my current company, even though it is company policy from our HR department to have one. That's just email. There's also the credit report data that has your role from credit applications, and when you donate money to politicians/PACs you have to list your role for compliance reasons.
Yes, I don't know any company in Australia that doesn't allow you to post to social media. In fact in the company I work for it is actively encouraged.
My point is that there are details you aren't allowed to put on your social media accounts, for the reasons we're debating.
Have you consulted a lawyer to check if you can even forbid employees doing this? It sounds unenforceable to me (depending on your country, YMMV of course).
In the US, it's legal under threat of being fired, since companies can fire you for any reason as long as it's not discrimination of a protected class.
>Labor Code section 232.5 prohibits an employer from discharging or retaliating against an employee who discusses or discloses information about the employer’s working conditions.
No employer may do any of the following:
(a) Require, as a condition of employment, that an employee refrain from disclosing information about the employer's working conditions.
(b) Require an employee to sign a waiver or other document that purports to deny the employee the right to disclose information about the employer's working conditions.
(c) Discharge, formally discipline, or otherwise discriminate against an employee who discloses information about the employer's working conditions.
(d) This section is not intended to permit an employee to disclose proprietary information, trade secret information, or information that is otherwise subject to a legal privilege without the consent of his or her employer.
I'm not sure if it's counted as trade secret or otherwise privileged information though.
I’m not saying security through obscurity is an entirely false practice, but attempting to hide where you work is only going to obfuscate the truth. I’m sure sites like rocketreach* scrape from more than just LI.
*Please don’t pay this mob money, they are rent seeking, bottom feeding scum.
Thank you for proposing to cure the lack of competence with the lack of freedom, but the easier source of target identity is the August 2022 breach of LastPass
Insider threat is real, can't discount that at all. What I can tell you as someone who participates in OSINT competitions and has engaged in red team activities is that LinkedIn is always the first stop when shopping for info.
Edit: Also wanted to mention that 3 out of 4 incidents I am involved in are related to insider threat.
We can't discount the insider threat at all, but it's very easy to discount such shallow measures. Also, this wasn't a competition, and even there "the first stop" tells us nothing about its effectiveness (maybe the next 5 steps take 5 mins longer, but are even more accurate, so the benefit of the ban would still not exist)
Plenty of people work in roles they can't speak about when engaging with the government. All I'm advocating is not to broadcast it to the world, as it puts the person and their employer in danger.