Chris Nickerson is your worst nightmare. He's the guy you never see coming, the one who can slip into your data center, install malware on any server he chooses and ease out without so much as a shadow on your security cameras. Nickerson, CEO of Lares Consulting and part of the Tiger Team television series on TruTV, talks about the fun of penetration tests and the risks of outsourcing.
You get paid to break into companies' buildings and networks. Why is that level of assessment necessary?
Everywhere I've worked where I've owned the security program, the biggest problem I've had is getting funding to do security the right way. I've found that the more you show someone and prove what you can do, the more of a total psychosomatic reaction they have to it. When I can hold their passwords in front of them and I can show them a picture of me in their data center at 2 a.m. when there is nothing on their security cameras, it does the job.
How did the Tiger Team TV show come about?
I have some friends in the movie business who have technical backgrounds, and after about three or four Defcons worth of telling stories and showing them pictures of me standing on top of missiles or holding anthrax, they said it would be cool to follow me on a job.
With so much code written overseas, how real is the threat of industrial espionage?
It is extremely real; in the software industry it's a major problem. I know people and I've been on incident response teams where you end up finding out that the janitor stole the source code. Some companies hire hacking teams to break into competitors and steal designs. Look at things like social entrapment. People go after help desk engineers, build a relationship and then start paying them for useless information. Then they start relying on that money and pretty soon I can make them give me things they aren't supposed to. I've rooted your company and sold that intelligence for a hundred times what I paid for it. It's a beautiful form of hacking.
What are the biggest mistakes you see companies making?
Being aware of your business is something I thought was fairly normal, but most of the clients I deal with are shocked by how I look at it.
Going through and deciding what's most critical to stay alive and building your security program off of that is the key, instead of just being PCI compliant. You might be compliant, but if your system is compromised, you're going home without a paycheck. People err on the side of compliance versus security.
Read the full interview with Chris Nickerson at searchsecurity.com.