Social Engineering: the Fine Art of BS, Face to Face

Social engineering expert Chris Nickerson reveals what criminals are looking for when it comes to vulnerabilities in building security.

By Joan Goodchild
Mon, June 08, 2009

CSO — Chris Nickerson is willing to push it about as far as a person can go when it comes to security assessments. The founder of Lares, a security consultancy in Colorado, Nickerson conducts what he calls "Red Team Assessments" for clients. (See: Red Team, Blue Team.) He is paid to try and dupe a client, and the client's employees, to give them a clear picture of the weak spots in their security plan. He then advises them on how to shore up defenses more effectively in the event a real criminal comes knocking.

In his line of work, Nickerson has to play the part of the criminal to its maximum potential (See: Anatomy of a Hack). When I say he is willing to push it as far as it can go in the interest of finding security holes, I mean he is even willing to be arrested and taken to jail. Nickerson said that in a worst-case scenario, if he is caught and arrested, even then he will not give up on his assessment. He tells police he is conducting the assessment for a client and gives them a fake number where they can call to verify he is telling the truth. On the other end, a member of his team, who poses as the client, will vouch for Nickerson.

If the cops buy it, Nickerson continues his work. Only as a very, very last resort will Nickerson have law officials call the actual client to get him off the hook in the event he has been caught. So far, that hasn't been necessary.

CSO got to experience Nickerson's ease at dealing with people in an assessment when we looked around one of the buildings in our area (Check out the video of his assessment). Nickerson pointed out areas of weakness for us that a criminal might look for when sizing up a facility's potential for breach. (See our walkthrough of the facility grounds and the list of problems in 5 Security Holes at the Office.)

Through a Social Engineer's Eyes


"Normally when you are walking around a facility, someone should be stopping you," he noted. "They should be questioning why you are cruising around the dirt of their building."

And they did. The staff at the building we examined does get credit for being observant. While Nickerson said none of the interrogation we dealt with during our time there would have deterred him in the slightest from getting his job done, we weren't completely unnoticed. The facilities manager did come out and ask us what we were doing.
