Ring, ring. “Hello, is that the IT Manager? Can I ask you a few questions for a survey? <preamble here to build a relationship and feeling of trust, like complimenting the company or asking what the company does, saying that it’s impressive or hard work>. Can you tell me what Anti-Virus product and version your company uses? How often do you push out updates centrally? Do you have trouble keeping up with Microsoft Patches and testing them? <insert scare story here about Microsoft patches breaking entire enterprises>. What firewalls do you use? What intrusion protection do you have? <instil embarrassment in IT manager that they don’t monitor their IPS> What security products do you use? What are your password policies?”
Ever had a call like this? Did you ever respond to their questions? Did you think that the company was going to help you by providing products and services to improve your security?
Information disclosure as a security risk
It’s easy to see this phone call as a risky situation in retrospect. You might think you are secure because you have firewalls and anti-virus and apply Microsoft patches in the same week that they are released. However, consider this important fact.
Every security product has vulnerabilities.
So, by telling the caller what products you are using, you are giving them (or anyone who later steals that information from them) an attack vector. By naming your firewall product, you let the attacker skip reconnaissance and go straight to researching or trying known vulnerabilities in that product. When you let them know that you test Microsoft patches for a week before pushing them out, they know they have a 7-day window in which to try to exploit a vulnerability. You may think it’s great to tell a security company that you mandate complex passwords with a minimum length of 10 characters – but that means their attack dictionary can ignore all simple passwords and passwords less than 9 characters.
Complacency is a security risk
Just as the Maginot Line was a “high wall” that the Nazis simply went around, being protected by a high wall may simply tell an attacker not to bother with a frontal assault and instead look for the way around it. Going around the defences becomes easier when they know what the defences are – or even how to attack the defences themselves.
I’ve heard of companies thinking that they are “safe” from hacking because they are a small or obscure company. Who would want to hack us? The sad truth is that the most numerous attackers are script kiddies and bots that automatically scan every reachable IP address looking for sites that might have a vulnerability; obscurity is no protection against a scanner that isn’t choosing its targets.