White-Hot Hack (Kate and Ian #2)(22)

She was sitting in the chair with her feet on the ottoman, flipping through one of the binders when Ian appeared in the doorway.

He sat down on the ottoman and put her feet in his lap. “Ready?”

She handed him the binder. “Hit me.”

“Office building, badge access only, receptionist.”

“I’ll say I’m there for an interview.”

“What’s your attack vector?”

“USB-delivered payload.”

“How are you going to do it?”

“I’ll spill my coffee on my résumé or claim I’ve forgotten it. Then I’ll ask them to print me a copy.”

“How will you build rapport?”

“I’ll look for common ground, a vacation photo or a picture of a child on the desk. I’ll say how much I enjoyed that particular location when I visited last year, or I’ll mention how cute the child is.”

“What if the child isn’t cute?”

“Ordinarily I’d argue that all children are cute, but Chad looked pretty goofy until he was about five, so I know that’s not one hundred percent true and people will question my motives if they think I’m not being authentic. So if the child isn’t cute, I’ll find an individual characteristic that is. Chad, for example, had adorable dimples.”

“What if it’s a picture of a dog and not a baby?”

“I’ll tell them about Scooter and how I rescued him from the pound after he was dumped along the side of the road along with three of his siblings. He was in such bad shape, but he’s four now and thriving.”

Ian sat up a little straighter and looked at her curiously. “Cat.”

“My Fluffy recently had a litter of kittens right underneath my bed. It was truly amazing, and I’m so glad I got to experience it.”

“What if it’s one of those hairless cats?”

She didn’t miss a beat. “Technically they’re called sphynxes, and they’re not totally hairless. They’re also very friendly. Mine greets me at the door every day when I get home from work. It’s so rare that I connect with other sphynx owners.”

“I’m amazed at how quickly you think on your feet, which is a very important and valuable skill for a social engineer to have. Did you actually research hairless cats?”

“I researched every kind of pet anyone might possibly have a picture of on their desk. You could have asked me about fish, hamsters, guinea pigs, or snakes. I’d have nailed it.”

“But what if there are no pictures of children or pets?”

“Then I’ll look for a knickknack, postcard, logo on a coffee cup. Anything that will give me a jumping-off point.”

“What if you fail in your attempts to deliver a payload to the gatekeeper?”

“Then I’ll have to tailgate my way into the building. Once I’m inside, I’ll have several options for collecting information, like shoulder-surfing or impersonating an employee.” The clients who hired Ian would expect his firm to make repeated attempts to penetrate their networks from several different angles. The practice, known as red-teaming, would allow Ian to analyze the vulnerabilities they discovered, which he would then share with the client in order to assist them in tightening their security.

“What if you get caught?”

Not getting caught was the primary goal of any social engineer, and the more outrageous the intrusion, the bigger the bragging rights. No one wanted to get caught, but playing it safe wouldn’t show a company the holes in their security.

“I’m not going to get caught.”

“I admire your unwavering confidence, really I do. But let’s just say—hypothetically—that an overzealous employee is bored and decides to play ‘spot the social engineer.’ What do you do?”

“I give them my letter. Because I’ve failed.”

Before beginning any social engineering assignment, Kate and Ian would have in their possession a letter from the client stating that Diane and Will Smith had the legal right to be on the premises. It was standard operating procedure, and every white hat security firm insisted on it because it offered them protection from any employee who might become suspicious and attempt to stop them in their tracks or haul them off to security.

“Try to think of it as your get-out-of-jail-free card.”

“Have you ever had to use it?”

He gave her a look like surely you must be kidding. “No.”

“Of course you haven’t.”

“Aw, sweetness. I never knew you had such a competitive side.”

“Neither did I.”

He smiled and gave her back the binder. “I’m extremely impressed. You’ve got this down cold.”

“Thank you. There’s nothing in that binder I don’t know. You could quiz me for another half hour and I’d never miss a beat.”

“Ferret.”

She struggled to suppress a grin and he thought he’d finally succeeded in tripping her up, but she quickly composed herself. “These cuddly animals are so unfairly maligned. Only a fellow ferret owner understands how truly special they really are.”

“Who are you?” he asked, his own laughter finally overtaking him.

“Isn’t it obvious? I’m your new social engineer.”