Social Engineering: 5 Security Holes at the Office (Includes Video)
We poked around a secure building with social engineering expert Chris Nickerson and found several ways a criminal could get inside and access sensitive data
By Joan Goodchild , Senior Editor
June 08, 2009 — CSO —
If you think the biggest threat to your sensitive information lies in network security, think again. Once a criminal is inside a building, there are limitless possibilities to what that person can access or damage. Take a look at your building's security. How easy is it to get inside?
We spent an afternoon with social engineering expert Chris Nickerson, founder of Lares, a security consultancy based in Colorado, to get an idea of some of the key vulnerabilities a criminal looks for in building security. Lares specializes in what Nickerson calls 'Red Team Testing,' a method that gauges risk in real environments. In other words, he and his team are hired to break into buildings and find out where the security gaps lie (Read Chris' first-hand account of how he does it in Anatomy of a Hack).
Our goal for the day was to choose a building at random and find ways a con artist might be able to get inside the facility and pretend to be an employee. Once someone is inside, posing as a legitimate worker, their potential to steal data, hack a network, or commit some other crime is high. Yet most offices, even the most secure, have holes, said Nickerson.
"One of the big problems with offices is you can get into them because, by design, you have to go to work," said Nickerson.
Of course, security needs will vary from building to building. And security and facility managers have to make their own individual determinations about what kind of safeguards they should put in place. But with Nickerson, we aimed to point out some of the things a social engineering criminal will look for when trying to get in some place they have no right to be (Check out the video for Chris' walk-through of the building).
We headed to a building near CSO headquarters to see what we could find. We chose the building from one of several options in the area that we knew had a secured entrance and that required identification to get inside. Immediately upon walking onto the property, Nickerson pointed out that the first vulnerability is lack of external camera coverage.
"I could be lurker-stalker guy and hang out in woods, beat someone's badge out of them or steal something," he said "Or set up cameras to profile the facility and there are all sorts of really nifty places to hide in."