There have been a few times where social engineering was attempted with one of my customers. Sometimes I wind up taking the phone call after someone calls the help desk looking for some information we would not normally give out. On one occasion someone from the help desk walked back to my office and asked me to take a call because a customer was upset about our security configuration. The help desk person did what all help desk people do, help the customer with a problem.
Someone doing social engineering may try to make it sound like the information they want is critical and resort to threats and intimidation. Always stop and ask yourself, would I give this information to a bad actor? What can be done with the information if it fell into the wrong hands. Was the person who called vetted?
The call went something like this.
Customer: “We are setting up a new account. I have our security person on the line and he wants to ask you a few questions. Can you help us out?”
Me: “Sure, whats the problem?”
Security person. “Hi my name is Jim and I am responsible for the security of our information that we send you. I have to approve sending sensitive information and have a couple of questions.”
Me: “Shoot.”
Jim: “What types of firewalls do you use? What is their patch level? What is the web server? What is it’s patch level? What is the database? What is the patch level? Is the database encrypted? What encryption are you using? Do you encrypt the backups? How do you enforce password security? How complex are your passwords? How can I extract information for the database once I send it to you?”
Me: “I”m sorry Jim, but I can not give out that information. If you are setting up an account please read the FAQ. That will answer all the question you need to setup an account.”
Jim: in a stern voice “Listen, if I don’t get this information then I will not approve sending you the data you require.”
Me: “Jim, if you decide not to send the data that is your decision, but I will not be telling you anything about our security, period, end of story.”
Customer: “Please we just need to know how you secure the data so we can send you the data you require.”
Me: interrupting “Madam your security person can explain to you why you do not tell anyone how you secure information. I am going to instruct the help desk that all questions that deal with security be directed to me or security.”
Jim: “Listen I will call the director and have you fired if you don’t give me the information.”
Me: “Really, good by.”