In Depth

Social Engineering: Anatomy of a Hack

How a social engineering expert gained access to extremely sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box

By Joan Goodchild, Senior Editor

February 04, 2009CSO

As the founder of Lares, a Colorado-based security consultancy, social-engineering expert Chris Nickerson is often asked by clients to conduct penetration testing of their on-sight security. Nickerson leads a team which conducts security risk assessments in a method he refers to as Red Team Testing. Watch Nickerson and his team pull off a diamond heist in this video.

Nickerson and crew recently took on such an exercise for a client he describes as "a retail company with a large call center." With some prep work, Nickerson says the team was able gain access to the company's network and database quite easily. Read on to find out how they did it, and what lessons you can take away for shoring up your organization's defenses. (To learn more about social engineering techniques, also see Social Engineering: Eight Common Tactics.)

Chris Nickerson: On-site security vulnerability testing requires the most memory and intelligence gathering because you need to start off by gaining information on your target. When I'm doing my information gathering, I like to find holiday or time-relative events. In this particular exercise, there was a large horserace going on in the area. In the town where the company was located, it was the big thing to go to this horse race. Everyone in the city and around it geared up and left the office to go to it. That was a perfect time for me to come in and say I have an appointment.

I said I had to meet with someone we'll call Nancy. I knew Nancy wasn't going to be in the office because on her MySpace profile it said she was getting ready to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn't in the office.

Before I went to the office, I went to a thrift shop and got a Cisco shirt for $4. Then I went in and said "Hi. I'm the new rep from Cisco. I'm here to see Nancy." The front desk attendant in this situation said "She's not at her desk."

I said "Yeah. I know. I've been texting back and forth with her. She told me she is in a meeting and the meeting is going over."

This was right around lunch time and I said "Since I'm waiting, is there anywhere around here where I can go get some food?" I knew full well that after surveying the area the closest thing was about five miles away because they were sort of out in the sticks.

Gartner Video: Best Practices for Web Application Security and Compliance

Cenzic Faced with the growing threat of hacker attacks, how do you protect your data and your corporate reputation while increasing revenue?

» View this Webcast

Jump Start Application Security Initiatives with SaaS

Hewlett-Packard Join this panel of application security experts to learn specific strategies and techniques for jump starting your application security initiatives with very few security experts, tight timelines, and tight security budgets.

» View this Webcast

Featured Sponsors