The humans behind Hireserve: Anton
This time, we’re talking to Anton Deblasio, our Front End Team Leader.
Anton has been with Hireserve for almost five years since first joining as a KTP Associate, fresh from University. Now managing a team of front end developers and responsible for the look and feel of our customers’ career sites, Anton is also our go-to guy for all things system security-related (especially as he’s MWR Info Security accredited).
It’s now more important than ever to ensure your candidate records and job data are kept secure, so we asked Anton to share his knowledge and experience on the topic.
Hi Anton. Can you get us started by defining what makes a system secure?
For a system to be secure, it needs to adhere to base criteria. The best definition of this is to use the CIA Triad, which represents the three main pillars of a secure system.
1. C is arguably the most important: confidentiality. As an example, this means that candidates shouldn’t see each other’s information, a user in one organisation shouldn’t be able to see the jobs of another organisation, and the hiring manager shouldn’t be able to see equal opportunities info. Vitally, attackers shouldn’t be able to access any information.
2. The next is I: integrity. A system has got to be able to ensure integrity of information – so monitoring who is updating data, making sure the right people are accessing data, and ensuring that information isn’t lost, isn’t damaged, and is only visible to authorised people. For a recruitment system, examples of this data are candidate records, job information, and so on. This can also be non-human related – so is the system saving the information correctly or introducing errors in the information?
3. And A stands for availability. A secure system needs to have the ability to stay online at all times: if a hacker is able to prevent someone who should be able to access the system from doing so, then it’s not secure. To put it into context, if a recruitment system was attacked and a user couldn’t log in to access their recruiter portal or a candidate couldn’t apply for a job, it may be because of large volumes of requests sent from an attacker. To reduce the risk of this, simple steps can be taken, such as making sure the system software and hardware are kept up to date and appropriate for purpose.
And why is it important to have a secure system?
I guess in an increasingly digital age, there are big volumes of information stored online. So leaving it open to an attacker gives such an opportunity for identity theft, fraud, and similar.
Gulp. What security risks are out there – what should a recruitment system user be aware of?
The most common broad attack is a Distributed Denial of Service attack (DDoS). These are quite common at the moment and involve a person or people firing lots of requests at a system. This will mean that, because the system can get overwhelmed with these requests, no one else can access it. It’s a very easy and very common act.
Whatever system you go for, it needs to have the ability to block and respond to Denial of Service attacks and be able to monitor these. Large scale phishing attacks like spam emails with infected content are also very common so it is important that users only open attachments from people they are expecting them from.
What’s the point of an attack like DDoS?
Well, the result is mainly brand damage. If a big brand’s site, like Coca Cola’s, is taken down, it’s going to make news – even if in reality the site is not breached at all but has effectively just been overwhelmed. In the context of recruitment, putting an organisation’s career site out of action is not going to make a candidate want to apply for a job with them.
Got it. So how could someone tell if their recruitment system and careers site is secure?
The key thing to look for is that your careers site and login for the back office is running over HTTPS. That should be Number 1.
Make sure your recruitment system supplier has been audited by security consultants, as it’s a good way to ensure that the latest OWASP standards and good practices are being met. We had ours earlier this week, which is reassuring.
We also run a lot of our sites through SSL certificates and they all get As on a scale from A-D (D is a very worrying security level). This shows both that the certificate is strong and that the method of implementation is not vulnerable to common attack vectors.
A lot of security can start with recruiters themselves taking a few extra steps to make their system more secure. An enforced, strong password is the cornerstone of system security: if you’ve got weak passwords it doesn’t matter how secure your system is, people will still get in.
There also needs to be diligence from recruiters to make sure that any files or links sent to them are not to malicious sites, or that they know the contents. As a general rule, only open or run files if you know the person who sent it to you and you’re expecting something. Even PDF and document files can be used to compromise a person’s computer.
If someone runs a piece of software on their system, that’s the golden ticket, as it allows an attacker to have foreign access to an internal system. Regular updates to PCs and a good antivirus can also be good steps to being secure.
And finally, what should you ask your supplier in terms of security?
‘Do you get externally audited by security agencies?’ is a good question to start with, and ask if they have any security references from previous audits.
Then you should think about asking if they have enforced secure password policies, such as setting minimum requirements for candidate portal passwords like numbers, mandatory non-alphanumeric characters and minimum lengths.
‘What measures do you have in place to keep candidate data secure?’
Finally, ‘Where is information kept?’ is another important one. You should also ask which country company information is stored in, as some may have different Data Protection Laws.
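As an added example (not Hireserve’s code and not part of the interview): a server-side check that enforces the kind of minimum password requirements Anton describes for a candidate portal, reporting every unmet rule at once. The 12-character minimum, the rule set and the function names are assumptions chosen for illustration; the page gives no specific figures.

```python
# Added example (not Hireserve's code): enforce a candidate-portal password
# policy of the kind described in the interview, server-side, and report every
# failing rule so the user can fix all of them in one go.
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements a password must meet before it is accepted."""
    min_length: int = 12          # assumed value; the page gives no figure
    require_digit: bool = True    # "numbers"
    require_symbol: bool = True   # "mandatory non-alphanumeric characters"

    def check(self, password: str) -> list[str]:
        """Return the list of unmet rules; an empty list means the password passes."""
        failures: list[str] = []
        if len(password) < self.min_length:
            failures.append(f"at least {self.min_length} characters")
        if self.require_digit and not any(c.isdigit() for c in password):
            failures.append("at least one digit")
        if self.require_symbol and not any(not c.isalnum() for c in password):
            failures.append("at least one non-alphanumeric character")
        return failures

    def is_acceptable(self, password: str) -> bool:
        return not self.check(password)


DEFAULT_POLICY = PasswordPolicy()


def validate_new_password(
    password: str, policy: PasswordPolicy = DEFAULT_POLICY
) -> tuple[bool, str]:
    """Server-side gate for the 'set password' form.

    Returns (accepted, message). The message lists every unmet rule, which is
    what the form should display. This check must run on the server: a
    browser-side check alone can be skipped by anyone submitting the form
    directly.
    """
    failures = policy.check(password)
    if not failures:
        return True, "Password accepted"
    return False, "Password must contain: " + "; ".join(failures)


if __name__ == "__main__":
    # Constructed sample inputs, not real candidate data.
    for sample in ["short1!", "correcthorsebattery", "Winter2024!Hire"]:
        print(sample, "->", validate_new_password(sample))
```

Returning the full list of failures rather than stopping at the first one keeps the rules transparent to candidates without weakening them; the policy object is also the single place to tighten the minimum length later.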
Find out more
Meet Rob, who talks implementation, customer service and the kitchen sink
Discover why the 3 misconceptions of recruitment software are pure myths
Talk to us if you’re concerned about your current system’s security