June 15, 2009, 9:59 AM — Chris Nickerson is willing to push it about as far as a person can go when it comes to security assessments. The founder of Lares, a security consultancy in Colorado, Nickerson conducts what he calls "Red Team Assessments" for clients. (See: Red Team, Blue Team.) He is paid to try and dupe a client, and the client's employees, to give them a clear picture of the weak spots in their security plan. He then advises them on how to shore up defenses more effectively in the event a real criminal comes knocking.
In his line of work, Nickerson has to play the part of the criminal to its maximum potential (See: Anatomy of a Hack). When I say he is willing to push it as far as it can go in the interest of finding security holes, I mean he is even willing to be arrested and taken to jail. Nickerson said that in a worst-case scenario, if he is caught and arrested, even then he will not give up on his assessment. He tells police he is conducting the assessment for a client and gives them a fake number where they can call to verify he is telling the truth. On the other end, a member of his team, who poses as the client, will vouch for Nickerson.
If the cops buy it, Nickerson continues his work. Only as a very, very last resort will Nickerson have law officials call the actual client to get him off the hook in the event he has been caught. So far, that hasn't been necessary.
CSO got to experience Nickerson's ease at dealing with people in an assessment when we looked around one of the buildings in our area (Check out the video of his assessment). Nickerson pointed out areas of weakness for us that a criminal might look for when sizing up a facility's potential for breach. (See our walkthrough of the facility grounds and the list of problems in 5 Security Holes at the Office.)
Through a Social Engineer's Eyes
Social Engineering expert Chris Nickerson reveals what criminals are looking for when it comes to vulnerabilities in building security.
"Normally when you are walking around a facility, someone should be stopping you," he noted. "They should be questioning why you are cruising around the dirt of their building."
And they did. The staff at the building we examined does get credit for being observant. While Nickerson said none of the interrogation we dealt with during our time there would have deterred him in the slightest from getting his job done, we weren't completely unnoticed. The facilities manager did come out and ask us what we were doing.
This happened about fifteen minutes into our assessment. One of the first things Nickerson did was point out how the building's generator was both uncaged and unlocked. He even went up to the generator and opened up the doors. About ten minutes later, we were approached by a man who introduced himself as the facilities manager.
"Hi, how are you doing?" Nickerson said casually as he walked up to the approaching man.
"I understand you were looking at the generator and opening the doors on it. I got a security call," the facilities manager said, clearly concerned.
"Actually we are doing a security assessment and pointing out things around the building," said Nickerson.
"OK, and who do you work for?" the man asked.
Nickerson said we worked for CSO and the manager seemed satisfied with that answer.
"Alright, very good," he said as he left us to continue our assessment.
"I have absolutely no credentials on me that verify that," noted Nickerson. "So we were just allowed to go fully access the building, poke at stuff, and now we have a point of verification that is trust. Now we can go in and be even worse with the camera because we already have a pre-verified point and we know security has been called on us for opening generators. They are now actually going to help us into the building knowing full well what we are doing, even though they have no reason to believe us."
Nickerson said that during his team's assessments, questions from client staff come up all the time. This is a common occurrence for him, and his skill at the fine art of BS is obvious.
"People are usually good about asking what you are doing," he said. "But once you give them a viable excuse, they let you go. As long as you do your intelligence right, you will never get caught. People don't like confrontation."
We spent about 20 minutes more continuing to photograph the building and poking around. The facilities manager checked back on us before we left and asked for more details of our project.
"I just want to be clear that people are watching and I am getting calls," the facilities manager told Nickerson.
However, at that point, we had already collected enough information about the building to make any criminal's mouth water.
As we were heading out, we saw the manager on the generator, taking stock of its unlocked state.
"Hey you know what? I think we've already secured the building," Nickerson laughed. "See? Security assessments change facilities."