Social Engineering: The Fine Art of BS, Face to Face

A confrontation with a facilities manager demonstrates social engineers' complete comfort dealing with (and manipulating) conflict

Chris Nickerson is willing to push it about as far as a person can go when it comes to security assessments. The founder of Lares, a security consultancy in Colorado, Nickerson conducts what he calls "Red Team Assessments" for clients. He is paid to try and dupe a client, and the client's employees, to give them a clear picture of the weak spots in their security plan. He then advises them on how to shore up defenses more effectively in the event a real criminal comes knocking.

In his line of work, Nickerson has to play the part of the criminal to its maximum potential. When I say he is willing to push it as far as it can go in the interest of finding security holes, I mean he is even willing to be arrested and taken to jail. Nickerson said in a worse case scenario, if he is caught and arrested, even then he will not give up on his assessment. He tells police he is conducting the assessment for a client and gives them a fake number where they can call to verify he is telling the truth. On the other end, a member of his team, who poses as the client, will vouch for Nickerson.

If the cops buy it, Nickerson continues his work. Only as a very, very last resort will Nickerson have law officials call the actual client to get him off the hook in the event he has been caught. So far, that hasn't been necessary.

CSO got to experience Nickerson's ease at dealing with people in an assessment when we looked around one of the buildings in our area (Check out the video of his assessment). Nickerson pointed out areas of weakness for us that a criminal might look for when sizing up a facilities potential for breach. (See our walkthrough of the facility grounds and the list of problems in 5 Security Holes at the Office.)

Through a Social Engineers Eyes

Social Engineering expert Chris Nickerson reveals what criminals are looking for when it comes vulnerabilities in building security.

This player will be used for any in-article video treatment. This is a single video player.

"Normally when you are walking around a facility, someone should be stopping you," he noted "They should be questioning why you are cruising around the dirt of their building."

And they did. The staff at the building we examined does get credit for being observant. While Nickerson said none of the interrogation we dealt with during our time there would have deterred him in the slightest from getting his job done, we weren't completely unnoticed. The facilities manager did come out and ask us what we were doing.

Join the CSO newsletter!

Error: Please check your email address.

Tags social engineering

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joan Goodchild

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts