Sunday, April 15, 2012

Sales People and Social Engineering

Had an email exchange with an unknown sales person from a company I have never heard of before:

Email 1:
PSG: We are blah blah managed security provider doing SIEM, IPS monitoring, etc. Do you have 15 minutes for a call?
Me: No. We do these inhouse and have no need for your services.

Email 2:
Thank you for the feedback. Generally, when a client has an in-house SIEM tool, I like to always ask the following questions to help better understand if the tool is effective.
  1. What are you doing for alerting for all your critical device?
  2. If you had a breach, how quickly would you know about it? How effectively would you be able to react?
  3. Do you feel that you have it fully deployed in your environment for all your critical devices?
  4. Do you have a dedicated staff to support this tool effectively?

I know these are tough question to address over an email. Would you be available for a 15 minute call this week?

Me: No. This is information I would not discuss without an NDA and a legitimate business reason.

Email 3:
PSG: You are right. Here is our mutual NDA--please sign an send back and then we can discuss.
Me: No. I have no "legitimate business reason" to discuss this with you. Please take my name off your list.

Emails are a bit abridged except for email 2, which is a copy-paste of the original.

I could answer 4 I suppose, but 1-3 would be considered highly confidential information.

Perhaps my first mistake was engaging with him in the first email, but I sympathize with sales people and wanted him to use his time efficiently by knowing that he will not make a sale here.

But the subsequent emails, apart from putting himself firmly in my blackhole list, got me thinking.

How much does it take to set up a website, print some business cards and get a 800 number? I think $1000 is adequate. Even better--invite a number of local security people to a lunch-and-learn. At about $50/head (3 course meal at mid-range steak house in the Metro Boston area), an attacker can get pretty good information by asking just one question: "What keeps you up at night?"

I've been to area meetups where security people describe internal controls or security problems in front of a room full of strangers.

We do awareness training for general users. Is it time to do a specialized awareness training for security people?