Social Engineering: 5 Security Holes at the Office (Includes Video)

We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data

By Joan Goodchild, Senior Editor

June 08, 2009, CSO

If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?

We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Lares specializes in what Nickerson calls 'Red Team Testing,' a method that gauges risk in real environments. In other words, he and his team are hired to break into buildings and find out where the security gaps lie (Read Chris' first-hand account of how he does it in Anatomy of a Hack).

Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network, or commit some other crime is high. Yet most offices, even the most secure, have holes, said Nickerson.

"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.

Of course, security needs will vary from building to building. And security and facility managers have to make their own individual determinations about what kind of safeguards they should put in place. But with Nickerson, we aimed to point out some of the things a social engineering criminal will look for when trying to get in some place they have no right to be (Check out the video for Chris' walk-through of the building).

First Impressions
We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage.
