Social engineering: Anatomy of a hack
Security consultant details how his crew gained access to a client's entire network and database all too easily -- and why IT should think of the office more like they do their homes
Follow @infoworldAs the founder of Lares, a Colorado-based security consultancy, social-engineering expert Chris Nickerson is often asked by clients to conduct penetration testing of their on-site security. Nickerson leads a team which conducts security risk assessments in a method he refers to as Red Team Testing. Watch Nickerson and his team pull off a $24,000 heist in this video.
Nickerson and crew recently took on such an exercise for a client he describes as "a retail company with a large call center." With some prep work, Nickerson says the team was able gain access to the company's network and database quite easily. Read on to find out how they did it and what lessons you can take away for shoring up your organization's defenses.
[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]
Chris Nickerson: On-site security vulnerability testing requires the most memory and intelligence gathering because you need to start off by gaining information on your target. When I'm doing my information gathering, I like to find holiday or time-relative events. In this particular exercise, there was a large horserace going on in the area. In the town where the company was located, it was the big thing to go to this horse race. Everyone in the city and around it geared up and left the office to go to it. That was a perfect time for me to come in and say I have an appointment.
I said I had to meet with someone we'll call Nancy. I knew Nancy wasn't going to be in the office because on her MySpace profile it said she was getting ready to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn't in the office.
Before I went to the office, I went to a thrift shop and got a Cisco shirt for $4. Then I went in and said, "Hi. I'm the new rep from Cisco. I'm here to see Nancy." The front desk attendant in this situation said, "She's not at her desk."
I said, "Yeah. I know. I've been texting back and forth with her. She told me she is in a meeting and the meeting is going over."
This was right around lunch time and I said, "Since I'm waiting, is there anywhere around here where I can go get some food?" I knew full well that after surveying the area the closest thing was about five miles away because they were sort of out in the sticks.
The receptionist said, "Four or fives miles down the road there is a McDonalds. But we have a nice cafeteria here. If you want, you can just eat in there."
Being allowed to go to the cafeteria gave me full access to the facility because the only thing that was guarded was the door. The cafeteria lead right into the rest of the building.
