In all of these situations the person cold calling me is looking for new information. They would call them leads. Please know that I have nothing against any of these people; in fact, we (the government) need them just as much as they need us. It is a symbiotic relationship.
But we all now must complete the annual cyber security training. Part of that training involves the idea of phishing. While I believe that each of these people has completely benign intent, we (government employees) really shouldn't be giving out any information.
Thus, when ESRI or Oracle calls to inquire about how much we use their products and what we'll be spending next year, no. In terms of technology, if an unscrupulous person knew the technology stack we were using, that person could be more efficient in penetrating our defenses.
The recruiter who wants the name of a good PM in the Agency, no. If I gave you the names of the PMs or developers I work with, you could use that information for a social engineering attack.
Or when FCW comes calling about the subscription, but I would need to identify how many people I work with and the scope of those projects, no. Anyone who needs me to supply information in order to feed the relationship is necessarily cut off. This could be either of the situations above: disclosing the technology stack, or handing over material for a social engineering attack.
Am I not being pragmatic or realistic? Maybe. But you know what, when these people call me, I don't know them at all. I can't vouch for them. Who is to say they really work for the organization they claim? So, sorry guys and gals. It isn't personal; I'm not permitted to supply the information. I would if the rules allowed me to, but until the rules change, don't bother.
Good points. I've not been as diligent as I should be, but I would never give a colleague's name. You hit that one spot-on. Let's say an attacker needs 10 pieces of information to be able to begin launching some sort of attack. If I give them 2 names, and those people give them 2 names, and so on . . . it would greatly increase their chances of success on a social engineering attack, to gain those 10 pieces of information. It's definitely best to be guarded and reveal nothing. Nice post.