Honing Security Skills Outside Of The Workplace

Here at the Sundance Film Festival, I've noticed varying levels of credentialed people. Some work for Sundance directly; others are volunteers. Some are folks who dropped down a couple thousand dollars for a ticket package that includes an extra level of access the public doesn't have. And, of course, we can't forget the cast and crew of the films. In the four years I've been attending, you can count me as part of the rest of the bunch, the public, which gives me the opportunity to hone my social engineering skills.In past years, I've made it into numerous private parties and areas off-limits to the public simply because I made it look like I belonged and learned the patterns of the bouncers to find their blind spots. The former has worked the best for me so far this week. The night I arrived, I was able to make my way into a staging area for a large L'Oreal party where Andy McDowell was making an appearance. Tuesday, I made it into a publicity room where Liam Neeson and John Krasinski (Jim in "The Office") were holding back-to-back interviews. Wednesday night, I met Christopher Meloni from "Law & Order: Special Victims Unit" and was able to see a special screening of his film by walking with him into the theater as if I were his guest.

Learning the patterns of the bouncers monitoring these areas is my fallback when I can't simply walk in. In several of the venues, I've found that security focuses on the most obvious access points, but forgets about back doors, stairwells, and other seemingly inaccessible areas. For the L'Oreal party, for example, I walked around to the back of the tent and inserted myself into the mix. In previous years, I've entered the same area through a stairwell coming from the parking garage, and the bouncers were none the wiser.

Though I am certainly on vacation and looking forward to the rest of the movies on my schedule, it's hard not to find myself employing some of the same techniques that I do in my day job. We all know social engineering works, but learning how to do it effectively can be the determining factor of a pentest's success. Same goes for physical security and learning patterns of the staff, such as security personnel.

It's time for me to head to another movie, but I want to leave you with this challenge: See how you can employ social engineering and similar techniques when you're not at work. It will give you the opportunity to practice methods so you'll have them down pat when it comes time to do them on an important job assignment.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.