Social Engineering: 5 Security Holes at the Office (Includes Video)
We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data
By Joan Goodchild, Senior Editor
"I could be lurker-stalker guy and hang out in woods, beat someone's badge out of them or steal something," he said. "Or set up cameras to profile the facility and there are all sorts of really nifty places to hide in."
Power Supply
The next place Nickerson headed was the building's generator. The generator on the property was not caged or protected externally in any way. Nickerson approached the generator and opened it with ease because it was unlocked. In addition to the obvious gap this leaves in a building's business continuity/disaster recovery plan, Nickerson also pointed out how the generator can be used in a social engineering scam.
"It is pretty obvious, now that we see a generator, that there is a data center inside. It's pretty easy to deduce that they have things that have to stay running," he said. "So if we cut the power here, you'll have full corporate denial of service. Everybody freaks out and then you walk in while everybody is freaking out and steal things."
(Note: Snooping around the generator did catch the attention of the facilities manager at the building we were assessing. A few minutes after Nickerson opened the generator, the facilities manager came out and spoke to us. But according to Nickerson, anticipating questions from authority is just part of any good social engineer's preparation. Read an account of how Nickerson handled our one-on-one confrontation, and how easy it was for him to get what he wanted, in The Fine Art of BS, Face to Face.)
Entryways
Our tour continued with a check of the back of the building, where Nickerson quickly spotted a smoking section. It was clear the area was used for smoking breaks because there was a standing ashtray filled with used cigarette butts. A common tactic for entering a secured building unseen is to hang out in the smoking area and wait to be let in by an unsuspecting employee.
"A social engineer's best friend is a cigarette," said Nickerson.
A cigarette wasn't even necessary to get into the building at this facility. The back door was unlocked and unguarded, and it was easy to open it and walk into the building.
Parking Lots
We didn't go poking around the cars in the parking lot, but Nickerson said opening unlocked cars is part of his Red Team assessment, and another common social engineering strategy.
"People always leave their cars unlocked and there are always badges and other stuff in there. It's a good place to get in and get all the credentials you need."