July 3rd, 2002, 05:25 AM
#1
Sales Call or Social Engineering?
We all hear about social engineering, and as an admin I get my share of sales calls. Most are screened and dumped to the voice mail and no message is left; the few that do get through have what I consider some rather social-engineered questions. Here is my own true story, about a year old, that I want to share.
I run an active firewall with a nice GUI interface where I can see color-coded lines of all network traffic outgoing and arriving in from the outside. I sat one morning and all of a sudden noticed my red alert lines from a company attempting to access, a port scan first from viewing the log and then very specific known exploits, when all of a sudden the reception desk rings me and says so-and-so from the very company I was watching at the firewall is calling me. So rather than have it dumped to my voice mail I took the call, 'cause I just wanted to see what all of this was about. Mind you, a very nice-sounding woman was on the other end, and from memory here is what was said.
Caller: Hello Mr. (myname), I understand you are the contact person for your networking needs. We provide IT consulting services to companies such as yours. May I ask if you run a firewall?
Me: Yes we do. (I want to play a game now).
Caller: What firewall software and hardware do you use?
Me: I do not answer questions about our network to people that call me. (Firewall activity from said company is still pecking away at the ports)
Caller: OK, let me ask you this: how many servers and workstations do you have and what OS are you using?
Me: I'm sorry but like I said I do not answer these questions unless I am calling someone.
Caller: Please, sir, I am doing my job and I have to account for who I contact and the answers. I have a blank call sheet. Can't you at least tell me how many servers you have?
Me: I'm sorry (her name), I do not like the direction of this conversation and you are providing me with just your company name. Thank you. (And I hung up.)
My only questions are:
1. Was this a penetration test by a potential IT consultant to sell their services?
2. I did not ask for such testing, and had I provided any answers would they have broken something so they could fix it?
3. Any sales call should not have to depend upon my answering facts about my network.
My conclusion from this, as it was a large IT company, is that perhaps their system was not secure, the sales call bogus, and bogus users wanted to gain access to my network. Or maybe it was just the company with an incorrect sales pitch. What do you think?
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg