Jim Stickley got his first computer at age 12, and he was chatting with other computer "nerds" on bulletin board sites by the time he was 16. A wannabe hacker, Stickley said his first foray into playing the system was with free codes - codes that would exclude his phone and computer time from racking up charges that would incur the wrath of his parents.
"I started learning the phone systems early. I ended up getting my hands on a lot of old PacBell manuals and I figured out how systems work," said Stickley, now the CTO of TraceSecurity, a security consultancy based in both Louisiana and California.
As an adult, Stickley channeled his computer and hacking passions into a legitimate career in network security, but soon realized that hardware and software were only part of the security equation.
"When I was spending time testing the network for companies, I would see all these people come and go. You'd see the water delivery guy, or someone else, just come and wander around," he recalled. "It dawned on me I could probably just walk in and steal all the data that they were paying me to secure on the network."
So when Stickley founded TraceSecurity, he decided to place an emphasis on securing the network and testing the security of the people around it, too. It was a tough sell when the company first launched.
"Ten years ago it was a whole different world. When we first started talking to people about social engineering, it was like selling ice to Eskimos. No one wanted it. No one cared. No one understood the value in it."
But now, organizations, specifically financial institutions, who want to assess risk understand the importance of the human element of security. Stickley and his team regularly conduct "social engineering engagements" where he physically robs banks and "steals" potentially vulnerable items and information. (Read a detailed account of one of Stickley's engagements in How to rob a bank)
Stickley, who says robbing banks is "amazingly easy," explains how he does it, and why he never gets caught.
CSO: How often do you "rob banks" as a social engineering experiment for clients?
Stickley: Personally, I've done over 1,000 locations without getting caught. They run the gamut from very small community banks with just two branches to very large financial institutions; we're talking about several billion in assets in terms of the size.
But regardless of size, all engagements run very similarly. You may think "they have more money, they MUST be more sophisticated." But they're not when it comes to social engineering. When you are talking about networks and that sort of thing, absolutely. When you have a lot more money, you have a lot cooler toys. But that doesn't seem to be the case when we're talking about social engineering.
You can do training. You could have strong policy. Beyond that there's not much you can do. You could have guards, but that still comes down to training and policy, because we've gotten into facilities with guards and without guards. It really doesn't make a difference.
Where do you start on a social engineering engagement?
They all come down to trying to figure out what is the avenue to get us into the facility. What I find makes it easier is the larger the bank is, the more locations, the easier it is for me to get in - because the employees are not going to know as many people and they're not going to be talking to as many people directly. So, it gives me a lot more room. In one-or-two-branch operations, odds are they know everyone and are talking to everyone. Those are actually, in my opinion, more difficult.
If I'm going to rob a financial institution, often they say they want us to steal their backup tapes, which is often a major target because about 70 percent of financial institutions don't encrypt their backup tapes. That's a huge number. A lot of times they will want us to simply mark them and prove we could have stolen them. In those instances, we have stickers that we take in and mark anything we could have stolen.
Also, we have cameras in our pockets that can photograph everything we do. Afterwards if there is any doubt, we have it all recorded. When you're dealing with sensitive information, you have to have a very solid record of everything you've done.
What premise do you use to get into the banks you are robbing?
If you want to get in the facility, the first thing I do is figure out what is the ruse I'm going to use. There are a few that work really, really well. My favorite is fire inspector.
Now, the problem with being a fire inspector is you have to jump through a lot of legal loopholes. You can't impersonate a federal officer. You can go to jail for that. So we have to contact the local fire department and police department and get permission and get them to understand why we're going onto private property.
We have to go through a lot of pre-work to do the fire inspector thing. So I'll use that on larger facilities, where I feel I may have the hardest time getting in. If I feel like I'm getting nowhere with other avenues and the people are paranoid and suspicious, then I go with the fire inspector routine.
The reason I go in as a fire inspector is that no one can deny a fire inspector going into your building. You have to let them in. I have my badges. We have badges for every state in the United States. They are real badges I had made. I used to go to the city level and have the badge made per city. But what I found is most people don't look, they just look at the bling. People just see the badge and that you're in a uniform and they're good. They're not questioning anything past that.
The point is: Anybody can put on a uniform and do this sort of thing. This can happen and you want to have these organizations understand what they can do to handle it properly. You want to make sure people are educated and understand what the laws are, what they should do, what they should not do. You're not telling anyone they should deny the fire inspector from coming onto the property. Clearly they need to come in. But there are things employees need to be doing, like escorting them the entire time. Make sure employees understand what the inspector is looking at, making sure they understand what they're taking and not taking. These are all things they can do to ensure the fire inspector does their job, but the employee is doing their job as well.
Once you're in as a fire inspector, what do you do next?
Once we show up as a fire inspector with the uniform on and say we're going to do an inspection, our goal is to get the person walking around with us to leave us alone. We don't want them to stay with us, because if they do, we can't steal anything. If they're watching us it makes it very difficult. But if they walk away, let us start walking aimlessly on our own, then I steal everything that's not nailed down.
I go in with a bag. I don't know what they assume is in this bag, but no one ever asks me what's in there. It's always empty when I get there and my goal is to have that bag stuffed full of things by the time I leave that facility.
What do you steal?
I'll steal anything. I'll steal people's cell phones if they leave them on their desk. I'll steal any document that looks like it has confidential information on it. Obviously, I'm going for those backup tapes or any disc that is lying around; anything that looks like it could be of any value to me in some way, I'll steal.
Another thing I will do is this: In my little bag, I have a wireless device. And my goal is to be able to put my wireless device in the place where they have their drop for all their network equipment. I plug my wireless device in there and now I'm on their internal network. I can go back out to my van and connect to my wireless device and bypass the firewall, any internal or external IDS they have, and spend the rest of the day on there, hacking away at everything else and doing additional attacks.
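The drop box Stickley describes only works because nothing notices a new device appearing on an internal switch port. The control that catches it is a routine comparison of what the switches actually see against the asset inventory. The script below is an added example written for this article, not TraceSecurity's code or anything from the interview: it parses constructed MAC-table output in a Cisco-like dotted format (real vendor formats vary), normalizes the addresses, and flags any MAC that is missing from a constructed inventory or that shows up on a VLAN other than the one the inventory assigns it. The inventory, hostnames, VLANs and table lines are all made up for the example.

```python
"""Flag devices on a switch MAC table that are absent from the asset inventory.

Added example for this article (not TraceSecurity's tooling). All data below
is constructed: a small inventory keyed by MAC address and a few lines in the
style of a "show mac address-table" dump.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: MAC -> (hostname, VLAN the device belongs on)
INVENTORY = {
    "00:1a:2b:3c:4d:5e": ("teller-ws01", 10),
    "00:1a:2b:3c:4d:5f": ("teller-ws02", 10),
    "00:1a:2b:aa:bb:cc": ("branch-printer", 20),
}

# Constructed MAC-table lines: VLAN, dotted MAC, entry type, port.
# The printer has moved to VLAN 30 and an unknown MAC has appeared on Gi1/0/23.
SAMPLE_MAC_TABLE = """\
 10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/1
 10    001a.2b3c.4d5f    DYNAMIC     Gi1/0/2
 30    001a.2baa.bbcc    DYNAMIC     Gi1/0/7
 10    f4f5.d8aa.0102    DYNAMIC     Gi1/0/23
"""

# One table row: VLAN number, dotted-hex MAC, a type word, then the port name.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    mac: str
    vlan: int
    port: str
    reason: str


def normalize_mac(dotted: str) -> str:
    """Convert dotted form (001a.2b3c.4d5e) to colon form (00:1a:2b:3c:4d:5e)."""
    hexdigits = dotted.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str):
    """Yield (vlan, mac, port) for every line that matches the table format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), normalize_mac(m.group(2)), m.group(3)


def find_rogue_devices(mac_table: str, inventory=INVENTORY):
    """Return a Finding for each MAC that is unknown or sits on the wrong VLAN."""
    findings = []
    for vlan, mac, port in parse_mac_table(mac_table):
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding(mac, vlan, port, "MAC not in asset inventory"))
        elif entry[1] != vlan:
            hostname, expected_vlan = entry
            findings.append(
                Finding(mac, vlan, port, f"{hostname} expected on VLAN {expected_vlan}")
            )
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_MAC_TABLE):
        print(f"{f.port} VLAN {f.vlan} {f.mac}: {f.reason}")
```

Run against the constructed table, this reports the printer on the wrong VLAN and the unknown MAC on Gi1/0/23, which is exactly the port a plugged-in drop box would light up. An inventory check like this is a detection, not a preventive control: MAC addresses carry no authentication, so port-based 802.1X or NAC is the stronger answer, and the escort policy Stickley mentions is what keeps the device from being plugged in at all.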
If the day has gone really well and I start getting kind of punchy, that's when I go for really large items. That's when I try to carry out servers or big equipment. That's always more entertaining because if you walk out with a big server, there is something really amusing about that. Just so we're clear, any time we have an engagement where we steal anything, the client must have an employee that escorts us, and they wait in the car. So we have very little time when we're actually in control of the items that we steal. We want the chain of custody to be very short with us. When we walk out with the stuff to the employee in the car, they are often very shocked because it often seems so unimaginable that you could carry a server off unnoticed.
So even though you're an ethical professional bank robber you're not actually stealing money?
Oh God, no. Money is so 1990s. It's so outdated now. Think about it: if you want to steal $1 million, you'd better have a pretty big bag or a forklift. It's just impossible to steal any real cash. The only people that actually steal cash out of a bank with a bag now are crackheads. Anyone who knows what's going on, any real criminal, knows all the money is in digital now.
What do clients say when you manage to pull this stuff off?
Most people hedge their bets when we meet them ahead of time and say they think they're doing pretty good. I think they know it's so hard to stop everything. So, sometimes they're shocked, especially if it's an engagement where we've managed to run off with a lot of stuff.
But most of the time, they handle it well, because that's what they've hired us for - they want to find out where they've got problems and how they can address them. They'd rather have us doing it than have it happen for real and end up in the media.