Fishing for Sensitive Info
Let's play a game. It's like Truth or Dare, or Never Have I Ever, but with your company's information rather than what you did during Spring Break. The idea is to... maybe... politely not tell people proprietary information, without being an accusatory jerk... maybe... about it (even if you know damned well that the person interrogating you is asking for info they aren't entitled to). Bonus points for figuring out what they'll do with that info.

Innocent-sounding questions from people you don't know are often someone performing reconnaissance on your company for... reasons.

"Hey, I want to sell you an infosec product. What SIEM are you using?"

  1. "None of your business. Slag off."
  2. "Oh, sure, we're using OSSEC!"
  3. "Oh, sure, we're using OSSEC!" but you're not, you sneaky sneak-person you
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA."

"Can I have a copy of your SOC 2 report?"

  1. "Fuhgeddaboudit."
  2. "Sure, here's a URL. It's in our public-facing Compliance page."
  3. "Sure, here's a URL." but it redirects to your favorite link
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA."

"Who are your investors?"

  1. "Your mom, her husband, and your dad."
  2. "That info should be in EDGAR."
  3. "That info should be in EDGAR." but it's not and you've just sent them on a wild goose-chase
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA."

"Can you give me your CEO's name, email and phone number?"

  1. "I'm Spartacus!"
  2. "Nope."
  3. "I'm the CEO." but you're not. Unless you are. And how did they get your number?
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA."

"Who are your customers?"

  1. "Cold-calling telemarketers and industrial spies."
  2. "We have a customer success story page and case studies on our website."
  3. "We... don't have any, actually." but you do, and they write big phat checks
  4. "I'd be happy to discuss that once you demonstrate need-to-know, with the permission of our customers, and sign this mutual NDA."

"What cool new technologies are in your patent pipeline?"

  1. "Dare!"
  2. "We have a Products page on our website with a roadmap."
  3. "Solar-powered cold fusion reactors." but you're actually developing next-gen SOAR
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA."

"What will your sales be this quarter?"

  1. "Sales? Ha! I wish!"
  2. "Check out our prospectus, it's on the investors' section of our website."
  3. "One... million... dollars." said with pinkie in the corner of your mouth
  4. "I'd be happy to discuss that once you demonstrate need-to-know and sign this mutual NDA... actually, no. Not even then. The S.E.C. has rules about selectively disclosing that kind of thing."

If you're detecting a theme here, you win! Keep your proprietary information secret, sharing it only with people who have a good reason to know and only under circumstances in which you have legal protection (like that NDA). Or, to paraphrase the Miranda warning: "Anything you say can and will be used against you in the marketplace."

In all seriousness, innocent-sounding questions from people you don't know are often someone performing reconnaissance on your company for... reasons. Everything asked for above is, in most cases, not public information (and trade-secret law in most jurisdictions protects it, so long as the company takes reasonable steps to keep it secret) unless and until the company's officers have decided to make it public. And unless your company has authorized you to sign an NDA yourself, don't be the one deciding whether an NDA is required: if there's any doubt at all, hand the request to whoever is.

And on a side note... you have no idea how hard it was to limit the answers to something that wouldn't get me in trouble with H.R. Have some hashtags instead. #infosecurity #tradesecrets #industrialespionage #socialengineering #confidentiality
