In Depth
Social Engineering: The Fine Art of BS, Face to Face (Includes Video)
A confrontation with a facilities manager demonstrates social engineers' complete comfort dealing with (and manipulating) conflict
By Joan Goodchild, Senior Editor
June 08, 2009 — CSO —
Chris Nickerson is willing to push it about as far as a person can go when it comes to security assessments. The founder of Lares, a security consultancy in Colorado, Nickerson conducts what he calls "Red Team Assessments" for clients. (See: Red Team, Blue Team.) He is paid to try and dupe a client, and the client's employees, to give them a clear picture of the weak spots in their security plan. He then advises them on how to shore up defenses more effectively in the event a real criminal comes knocking.
In his line of work, Nickerson has to play the part of the criminal to its maximum potential (See: Anatomy of a Hack). When I say he is willing to push it as far as it can go in the interest of finding security holes, I mean he is even willing to be arrested and taken to jail. Nickerson said in a worse case scenario, if he is caught and arrested, even then he will not give up on his assessment. He tells police he is conducting the assessment for a client and gives them a fake number where they can call to verify he is telling the truth. On the other end, a member of his team, who poses as the client, will vouch for Nickerson.
If the cops buy it, Nickerson continues his work. Only as a very, very last resort will Nickerson have law officials call the actual client to get him off the hook in the event he has been caught. So far, that hasn't been necessary.
CSO got to experience Nickerson's ease at dealing with people in an assessment when we looked around one of the buildings in our area (Check out the video of his assessment). Nickerson pointed out areas of weakness for us that a criminal might look for when sizing up a facilities potential for breach. (See our walkthrough of the facility grounds and the list of problems in 5 Security Holes at the Office.)
"Normally when you are walking around a facility, someone should be stopping you," he noted "They should be questioning why you are cruising around the dirt of their building."
social engineering
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- WagerWorks Takes Fraudsters Out of the Game Using iovation
- A Security Blueprint Delivered From within the Network
- Comparing Research In Motion and Microsoft Mobile Solutions
- The Total Economic Impact of Network Security Intrusion Prevention
- Protecting Your Intellectual Property White Paper
- Seven Technologies for Advanced Mail Protection
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
Digital ID World
-
September 14 - 16, 2009Rio Hotel and CasinoRegister Now »
Las Vegas, Nevada
(ISC)2 members can earn up to 24 CPE Credits!
Reference priority code ONLINE and attend the full conference for the reduced rate of $995!
