Penetration Testing mailing list archives

Re: Screening Process


From: Pete Herzog <lists () isecom org>
Date: Mon, 20 Apr 2009 17:19:24 +0200

Hi,

Has anyone ever tried penetration testing on the Screening & Hiring Process
for employing new staff in your organisation? Do you have any sample test
plans you used?

Years ago we offered a tool called Jack of All Trades on the ISECOM
website that gave multiple scenarios for the candidate to think
through. The types of results the candidate gave were indicative of
the type of tester they would be. For example, did they only pick the
obvious answers and stop or did they think outside the box? Did they
know technical details or did they stick to pedestrian descriptions?
And did they communicate effectively whether they knew the answers or not?

We offered Jack as a hiring tool in the office and then reworked it
and integrated it into the OPST and OPSA courses as exercises to get
students thinking critically and creatively. In many places the OPST
and OPSA are benchmarks of ability to test but the Jack exercises may
still be useful in the hiring process.

Of course, if you meant actually testing the HR department's hiring
process, as in sending a person through the interview to see how much
info you can glean from them, well, then you should check out the Human
Security testing portion of the OSSTMM.

The updated "Jack" here: www.isecom.org/Jack_of_All_Trades.v2.pdf

OSSTMM here: www.osstmm.org

Sincerely,
-pete.

