Sales People
Sales people are truly every where. Indeed it can be said that everyone is a salesman. The purpose for a sales person is to usually to have you buy a product or service.
Pretexting
Sales People often use pretexting to gain information about your company. In fact, it’s common for them to do competitive research to find correct price points, or what competitors are doing. For a professional pen tester this makes a for a good pretext. For example, by posing as a sales person offering security cameras, you can ask questions about current systems, thereby gaining valuable information. This role can be played like many of the other impersonation roles. You play a part and take advantage of a need.
Elicitation
Sales people are very good about elicitation. Good sales people earn a living by quickly finding out if they have what you are looking for. Sales people ask leading questions to persuade you to buy what they have. It is common for sales people to listen to your wants and address the good points about their product or service that matches your needs. They use this technique to get a better understanding of what a customer may have or what they do not have. If you are in the market for certain items this could be an especially dangerous interchange especially when your are talking about security items such as home security systems, auto security systems, or computer/network security systems.
Passive Information Gathering
Sales people have other methods for gathering information about potential customers that involve aspects of Social Engineering. They engage in forms of passive information gathering techniques such as, looking at potential customer websites, performing Google searches on sales people, or looking at local news papers or press releases. This is a great way for them to find a target market for their products, or to to meet a potential customer’s needs. Some major companies will solicit for sales of products or services through a Request for Proposal (RFP). RFP’s can provide very specific information about a service or product that they need. These are very useful things and can even help sales people possibly frame a new service or find out what competitors are doing in their field. However, this process can reveal sensitive information about the company putting out the RFP.
Privileged Access
Sales people or even sales engineers are given unusual access to sensitive areas while performing pre-sales work or network evaluations. They need to set things up for presentations or other “work” that needs to be done to accomplish their tasks. While some smaller companies may have a more difficult time with this, the strategy is the same. Once the sales person has gained entry to the building on officially sound business, they are granted access to inside resources enabling them to carry on further information gathering.
Protecting Yourself
Sales people can be aggressive and persistent with their questioning. “Don’t take no for an answer” is sometimes their motto. Most sales people are not malicious but you can never be too careful when you are dealing with sensitive topics. To protect yourself from some questionable tactics, your should follow a few simple rules.
- Never disclose sensitive information about yourself or your company to sales people.
- Do your homework on what you are really looking for and write down specific questions that you have for the sales person. You control the conversation.
- If you are a company providing a Request for Proposal, have a non-disclosure agreement signed by prospective companies prior to giving out information about your project