I don't expect my largest operating system and general information processing product vendor to call asking the same questions I'd expect during a social engineering phone call, even if ostensibly conducting a phone survey. But it appears that's exactly what happened recently.
Last week, I received an interesting call from Microsoft. At least he said he—we'll call him Bud—was calling from Microsoft. Bud told me his purpose was to survey our use of products and services in order to serve us better. I thought this a little odd, especially since we, as a large company, have a Microsoft account team that visits regularly. However, I had a few minutes to kill. So I told Bud I'd answer his questions.
The first few questions were harmless enough: my position, the size of the company, and whether we were primarily a Microsoft shop. Then things started going off in a troublesome direction.
Bud asked what kinds of firewalls we use and how we use them. Since he wasn’t sitting in front of me, and I had no way to validate his identity, I told Bud I preferred not to answer the questions. Undeterred, Bud continued with other questions related to patch processes, OS and other system-level versions, and IDS/IDP implementations. OK. So he wasn't asking for specific configuration information. But if Bud was a black hat, I prefer he work for every bit of infrastructure information he obtains. I cut the call short, informing Bud that I didn’t feel comfortable answering his questions.
So was Bud really from Microsoft? Is there any real harm in Microsoft knowing our infrastructure and security design? Microsoft engineers and our TAM already have more information than Bud apparently wanted. Then why was I reluctant to share high-level configuration information with one more Microsoft employee? Easy. I had no way to confirm Bud was who he said he was.
The first step in attacking a specific cyber-target is research: getting as much information as possible about the target organization and its network. This is followed by passive or active scanning to identify responsive systems, system types, open ports, perimeter defenses, detection capability, etc. Although much of this information is available if a black hat works hard enough, I don't plan to make his or her job any easier. After all, the whole point of implementing the right mix of security controls is to increase an attacker's work factor. Consequently, people I don't know calling for information I try to hide bring to mind a lesson my parents taught me: don't talk to strangers.
So it doesn't matter if Microsoft was on the phone. If a black hat was calling to get tips on network configuration and security, he was disappointed. If Microsoft was indeed calling to ask about my systems, I'm concerned about its lack of understanding about what are and are not acceptable infrastructure survey practices.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.