Dress for the Job You Want to Fake, Not the One You Have

Alright, excellent. Welcome everyone. Everyone in the back can hear me. Good. I'm generally pretty loud, fat and bald. I do all those things together. So, thank you for coming. I know right after lunch, you know, I got full belly. So what we're going to do is we're going to take a few minutes to talk about dressing for the job you want to fake, not the one you have. So first, what I must do is lead you in the holiest of penetration tests or prayers, the legal disclaimer. The content of this presentation represents my thoughts and opinions and not representative of my employer's past or current. The presentation also deals with matters of penetration testing. Consult

legal counsel before engaging in penetration testing activities. Seriously, I mean it. Don't come back and say the fat bald guy told you you could do it. Talk to somebody. The presenter takes no liability. That's me, this guy. No liability. for any injury or damages resulting in the use of this information discussed during the presentation. So again, we're gonna be talking about sneaking into buildings. This is not a joking matter. So definitely things can happen. We're gonna talk about how to avoid some of those things and we'll go from there. So this is me. Again, if you can get a professional photographer, if your wife happens to be a writer and they'll throw you like their

photo session, do it. They can kind of make you look like a human. It's excellent. It's definitely worth the money. But again, my name is Ian Meyer. I'm an information security professional practicing in Central Florida for Fortune 500 companies. My practice areas are FERPA, HIPAA high tech, PCI. I'm also a course director at Full Sail University. I teach information security, intro to information security 101. And next quarter, I think we're starting a systems and data security class. I don't know if I'll be teaching that yet or not. I have a BS in information security systems and AS in computer network systems. I promised my instructor at Seminole State that I'd never touch a network ever again if he'd pass me for this class. So I

have a technical certificate in Cisco networking as well. Technical focus areas, I do intrusion detection prevention systems, information security program management, security awareness, and of course penetration testing. Last of the certificates there, I've got a CISSP. That's my big one. That's the one I keep for jobs and whatnot. With that said, if you want to contact me, I'll have info at the end as well, but ian at ianmeyer.com, Twitter at ianmeyer. Incredibly difficult to find on the internet. I obfuscate my name very well. So, what are we going to talk about? We're going to talk about why physical access controls are critical. Because really what we're talking about is sneaking into buildings, right? We're dressing for the job we want to fake. But who cares, right?

We need to know why this is so important. Why do you need to make sure that you can sneak into a building? And moreover, why do you need to protect against someone sneaking into your building? So we're going to talk about why that's important. We're going to talk about tales of physical access gone wrong. We're going to tell a couple stories about that to get an idea of what you're up against, what you need to do, what you need to avoid. We're going to talk about uniforms, attire, and details that will give you away as an imposter. This is really the root of this talk. My wife actually kind of made fun of me this

morning. I put on a new pair of pants, and she's like, those are like casual pants, and that's kind of a dressier shirt. And I'm like, you're talking about my talk. You've got... Detail that you've noticed that said why these two things don't really go together. What's wrong? So it's really what we're talking about here today We're talking about putting something together that will help you avoid those little details that will set somebody off We're talking about para language which is kind of the art of the unspoken when you're speaking It's the ums. It's the hesitation. It's the pauses We're talking about body language as you can see I like to pace when I talk I like to move my hands that kind of thing, but we're gonna talk

about body language. We're gonna talk about the getaway. What happens when you're about to get pinched? How do you get out? How do you keep away from actually getting caught? And of course we're gonna talk about preventing interlopers. Anytime I talk about penetration testing, I want to give the blue teamers a chance to say, hey listen, this is how you do it on the red team, how do we stop it on the blue team? So physical access. If you can touch it, you can own it. I think that's pretty much common wisdom, right? If you can get a hold of it, you can own it. You can take it apart. There was a great talk yesterday on some SCADA controllers. They got a hold of it, they can

own it, right? So what are some of the things that you can do when you own a device, right? Console access. There's an implicit level of trust in being able to touch the device. There's some scripts you can't run unless you're physically connected to the keyboard, video, and monitor, right? So if you can walk up to that firewall and connect to it, you're going to have a better chance of penetrating that device. If you can walk up to a server and connect a USB drive to it, you're going to have a better chance of pulling data off that device. So that console access has an implicit level of trust. Who here works with Cisco devices? Anybody? A couple hands. You forget a password on a router, what do

you got to do? You got to connect to it, right? You actually got a console to it, you got to reset it, et cetera. Somebody can get access to that thing. It's a published standard. This is how you connect with the rollover cable. This is how you reset the password. If you need to get just onto a network and dump those config files and get out, yeah, absolutely. How many of your people work with servers? Show of hands. Yeah, okay. Second question for this. How many of you have encrypted hard drives on your servers in your data center? There are zero hands. How many of you have laptops that are encrypted through work? Lots more hands, right? So I get physically into the building and I can get

a hold of data. I'm not worried about encryption anymore. I mean, there's questions about RAID and whatnot. You can't just pull a drive because it's striped and that. But still, not encrypted. Brute force attempts also become easier. Again, that goes back to the console video monitor piece. Locked laptops. I skipped over one. But locked laptops. I'm doing a show of hands again. You guys have laptops. I'm just showing hands. This is what I'm doing back here. So show of hands again. How many of you, when you go into your office, cable lock your laptop to your desk? Well, I know you do. Right. So yeah, a couple hands. How many don't? You go in and you're like, okay, yeah, a couple more hands. Yeah. So what, 50-50 there,

right? There are plenty of attacks that have nothing to do with information security where people will just walk into buildings like, yeah, I'm here to clean and that's a great laptop and that's a great laptop and that's a great laptop and they walk out. Well, if those drives aren't encrypted and they've walked out with them, they might be targeting the computer to resell it, but your data's already gone. If you're part of the healthcare industry and that's got HIPAA data on it, you've got to disclose. You've got to call the media. You've got to put out a press release. And that's just because somebody walked in your building, tailgated, grabbed a laptop, and gone. They had no intention of stealing any information. But you're still stuck with that problem.

So the one that skipped clean desk policies kind of goes back to that. I'm bad about this, to be honest. And I know it. Like, I might get up to get coffee or something. I've got something written down, some configuration information or something like that. I'm going to shred it later. But it's exposed on the desk for at least a brief period of time. So you get in there. You start seeing that information. You might be able to get something out of the company. This one I included because it's kind of on my mind right now. Obviously the Apple FBI case is going on. One of the things that I've heard about this case that

kind of ties into the physical access is people say, oh, it's encrypted. We need the back door. We need the back door. Whatever your opinions on it are, the NAND chip on there, there's been people saying, you know what? You just desolder it, clone it, do your 10 brute forces, put the new one in, and keep going. It is not impossible. It's just difficult. But if you're the FBI and you're the government and you have physical access to that vice, you don't need the back door. You've got physical access. So,

access gone wrong. Now we're going to talk about this, can I help you? This is the most terrifying phrase when you're sneaking around a building, right? Someone comes up and says, can I help you? Crap. No? So, we want to talk about permission. Right? The first thing you need to do, and you've heard this in a couple talks already, you need to get permission. You need your get out of jail letter. You need to have that in your bag. Because if someone comes and stops you, and your social engineering doesn't work, your outfit doesn't work, whatever it is that gives you away and you can't get out of it, you're going to need to pull that letter out and be like, seriously, don't

call the guys who are going to put me in an orange jumpsuit. I look terrible in orange. Here's my letter. Now, what do you need in that letter? You need authorization. Make sure the person that is authorizing you is allowed to do it. There's been plenty of stories about pen tests where they go and they put stuff into scope, which is the next thing we'll talk about, but they put things into scope. They say, yeah, that's our IP range. Absolutely. Really? That entire class B on the outside is yours? Yeah, yeah, yeah, yeah. It's fine. Yeah, it's ours. And they go and they start pen testing. You find out that, oh, wait, that's the local police station and we just hacked them. So you want to

make sure that not only do you have the authorization from someone to touch those systems, but feeding into this, you want to make sure what you're doing is in scope. So clearly defined, everything that you're doing. Is physical access defined? Can I go in? What methods can I use to access it? Am I allowed to try and social engineer people? Am I allowed to lie to the employees? We heard another talk that, I think it was Bo's talk in the morning, where he said, yeah, we sent out coupons for a business, right? And they got in trouble for it because really what they've got is they've caused an entirely different problem for a company that isn't in scope. People are showing up going, no, we

got 50% off. They didn't have a pen test. And you've caused another problem. So make sure what you're doing is in scope. Contact information. Ridiculously important. You don't want the desk phone of the CISO or the CSO that's authorized this or whomever it is that's high up the chain that's authorized this to give you their desk phone and then go to Bermuda. and you've got to make that phone call saying, no, really, seriously, you don't need to arrest me. I'm supposed to be here. You need alternate forms of contact information. You might need multiple people in there. Because when you do have to send up that beacon, you want someone to answer and go, yeah, I know, they're authorized to be there. Yeah, I know, they look shady.

Yeah, okay, fine. No problem. The thing I really want to play, it's not a game. It's fun, right? It's fun going through and sneaking around, lying to people, playing dress-up. whatever it is, but it's not a game. You are in real danger when you do this. You are an actual threat to anyone that doesn't know you're operating this pen test. So for those of you who listen to the Trusted Sec podcast, Dave Kennedy and those guys, they told a really great story on one of their earlier podcasts where they went into a building and he sneaks in, he does the nod, he's like, oh, hey, how you doing? Good morning, yeah, great weather, okay, great.

He goes into the conference room. He sits down, he's doing his job. Next thing, cops, guns on him. What are you doing in the building? The person that he nodded at that he thought he got right by reported it to security. Security sent somebody up. They didn't know there was a penetration desk. The police, doing their job, however you want, but they're doing their job. They come in. They see someone unauthorized in a secure facility, and the first thing they do is they draw guns on them, and they say, you need to explain why you're here, right? So now Dave, or I don't know if it was Dave. I don't know which one on the

team was, but either way, he's telling the story, and he says, all right, in my bag is an authorization letter that I'm allowed to be here. This is part of a penetration test. He's got his hands up. He's like, I'm complying. Just call the number in that bag. This is part of an authorized test. The guy calls the number in the bag. The CISO thinks it's funny. He's saying, I don't know who that guy is. Is that cool? That is not cool.

From their story, they are no longer a client. They wouldn't be my client either. So let's talk about my friend Bob. Now I want to be clear here. Not me, Bob. Bob, not me. Me is not Bob. Everyone clear? Excellent. So we're talking about Bob. So Bob, in his youth, liked to sneak around theme parks. Bob in his youth had friends that were employed at a theme park. I know at least one person in the audience knows this story. So his friends liked to go to theme parks and Bob's friends said, hey, I work at one of these theme parks. Why don't we go after school We'll sneak in. I'll get you guys in through the back lot. We'll go. We'll ride some rides. It'll be cool. Now,

what I want to be clear about is I don't want to talk about which theme park because, frankly, I don't want to say that, and if I say it aloud, it might put Bob in some wrists here, but you guys can probably guess which theme park we're talking about. So we're sneaking through the back lot. Everything's going fine. We can see the park. We're almost there, and we hear, can I help you? Crap. So we turn around. And it's a security guard for said theme park. Again, not going to mention the name. So we see the security guard for the theme park and he starts asking us some questions. He says, what are you guys doing back here? Oh, we're just walking back into the park,

says Bob's friend, not me, Bob. Says Bob's friend, we're just walking back into the park. He goes, oh, do you work here? He goes, yes, I do. Great. Do those other four people with you work here? He goes, why, yes, they do. And at that moment, the friends of Bob, not me, Bob, Look at Bob and go, oh, what? Because we have no proof that we were. We can't even lie about it, right? And the guy looks at Bob, not me, Bob, and says, he doesn't work there. And we all freeze. What's going on? He doesn't work there. Why him? Why not us? Why doesn't he work there? Well, at this particular theme park, there was a rule against facial hair. And Bob had facial hair. He

says, he doesn't work here. You're lying. Okay? At the time you couldn't have facial hair at this particular theme park. So this guy, very cool security guard, says, you know what, listen, you guys aren't doing any harm. I'm going to load you in a van, I'm going to call my buddy, we're going to escort you off property. They don't trespass him, anything like that. Bob was very happy about this. But again, what happened here? Details gave it away. You have to do your research. There was a critical flaw in that that access method that gave Bob away. So let's talk about the details. Should I wear a suit with a hard hat? No, that is so gauche after

Labor Day. No suits with hard hats. No. So anyway, you have to know what is acceptable in that environment. So again, dress for the job you want, people. If you want to be Batman, be Batman. However, the reason I put this little name on the screen is in all reality, it illustrates a very clear point. Is Batman going to look unusual at the meeting? Yeah, absolutely. You need to know, are these little stick figures here, are they wearing suits? Are they going to wear ties? Do they wear khakis on Friday? What is it that they do so when I show up, I don't stand out like Batman. I look like I work there.

There's a concept that I like to talk about. I think it's true in penetration testing. I think it's true with just about any sort of security behavior. It's called the uncanny valley. And the uncanny valley is a concept, is a hypothesis in the field of aesthetics that says, that holds that when a features look and move almost, but not exactly normal, it causes a response of revulsion amongst observers. That's instinct. We see it a lot in CGI movies where you've got the big character and he's running around and it's like, yeah, that's not quite right. It takes you out of the moment. And that's what you're trying to avoid. You don't want to be memorable. You don't want people to look and go, there's something wrong here.

Because as soon as they start asking questions, you start going down a rabbit hole that you might not be able to escape from. So you want to remove as many of those questions as possible. The next is a quote that I really like from a book called The Gift of Fear. And it's a book by Gavin DeBecker. And he's a bodyguard for a number of celebrities. And he tells stories about how his intuition, his gift of fear, helps protect people. He can look at an audience and be like, that guy's going to be a problem, that guy's going to be a problem, they're okay, whatever it is. And start to pick up on the details

that... Yeah, it's a great book.

Yeah, yeah, it's a great book. And I love it for penetration testing because this is telling you from a professional's point of view, the ones that are really sharp, what they're looking for. You might fool a regular hourly security guard, but the guys protecting high-level targets, this is what they're looking for. So the quote that's in here is, intuition is always right on at least two important ways. It is always in response to something, and it always has your best interest at heart. So if you can get around giving them clues that will set off that second thing, you're most of the way there. So what I want you guys to keep in mind is that we're going to go through a couple examples when we go through

this. But what I want you guys to keep in mind is no two tests are the same. No two companies are the same. Some companies might let you wear shorts on Friday. And if you show up in pants, people are going to go, why is this guy showing up in pants? We don't wear pants on Friday. Well, I guess you should probably wear some sort of pants. But they wear shorts. Don't show up in no pants. That is a definite pen test no-no. So you do your research. No one outfit's going to get you into every environment, right? You want to remove the details that are going to make people think this guy doesn't belong here. So how do you do that? Well, everyone's got to eat, right? You

go to lunch. So for those of you who are from Orlando here, that's the SunTrust Tower. Orlando. So SunTrust Tower, right below it, Jersey Mike's, Amura, sushi, whatnot. What do you think the chances are that people that work in that tower eat at those restaurants? It's absolutely zero. None. It doesn't happen. So the chances are pretty high. So if you want to do research without exposing yourself, go get lunch. Watch the people. What are they wearing? What's on their badges? What day of the week is it? Do they dress more casual at the end of the week? Do they dress more dressy during the week? Do sometimes they wear suits? Do sometimes they're not? Is it a financial firm? Are

they talking about finances? Try and listen in. Is there a big client coming up? Is there something that you can use later on when you're inside to sound like you're an insider? Just go to lunch. You'll get all the information you need for most of your insider, inside baseball talk inside the organization. So to give a few more examples of this, there's another building. Let's say my target is in that building. What's in that building? There's a nature stable. What do you think the chances are those people eat there? Across the street, there's a Starbucks. You could sit in Starbucks all day long on a MacBook Pro observing people and no one would question you. You're like, I don't know, he's a web developer, he drinks a lot of

coffee, and he just sits there. That's fine. But really what you're doing is you're observing the people coming in and out. And you're looking for your target organization on the badge. You're trying to listen to it. Maybe you strike up a conversation. Say, hey, where do you work? Oh, I work over here. Do you guys do any of that? Oh, we should do lunch sometime. I mean, how cool would that be to be like on a penetration test report and you walk in and you're like, hey, remember we had lunch? Yeah, you probably shouldn't do that with random strangers. So, yeah. Right? So, strike up those conversations. So, the other thing you can do if,

hey, say you don't eat for whatever reason. Kudos on you, by the way. You can just walk down the street. So, what I did, try not to look particularly like a creeper. Is I'm sitting on the street and I'm taking a photo. I'm like that is a lovely steeple. That is a fantastic steeple in the background. Look at how lovely that... Red, green, color. Lasers over there somewhere. So that's a lovely steeple. But in all reality, what I'm actually doing is I'm targeting this woman right here at the edge of the frame. Because if we take one more step forward, and I've specifically kind of blurred this image, the real high resolution shot's a little better, but I blurred that image. I now know, if you could see this

image, what company she works at. I know how their pictures look. I know what the information over here, and it's the name of the company and the building they're in. I know what additional data they've got down here. I know that on Fridays they wear jeans. They wear casual business shirts. They have their badges down here. They're not using a lanyard. That's something in a lot of companies. Some companies require that you have your badge up high. Some say, oh, can you wear it on your waist? Some have... Pay attention to that stuff. Especially pay attention to if their badges are facing out or if they can spin around. Because a badge that's facing out and they can just do a quick glance and say, oh yeah, they work

here. If it's flipped around, that might raise one of those details that's going to go, oh wait, I should probably ask them who they are or who they work for. So, we're going to do another shot here again. Walking shot. Walking action shot. This is again, this is down on Church Street. Again, I blurred the photo a little bit. Notice the outfit, right? Khaki slacks, dress pants, just standard button-down shirt. And again, I've got all the details to reprint that badge. Yeah, I can go through, reprint a badge, put it into my little badge holder, and something that I'll get to in the escape methods, I like to keep a couple of these different types of HID Prox cards. You can get them online for

like 50 cents, right? I've got an HID one, I've got an IO Prox. Because when I go into that building, if I've got the fake printed badge and one of these behind it, and I go up to the elevator and I go, boop, boop, stupid badge isn't working. I got a meeting to get to. What I've done is I've created something, oh yeah, these stupid badges never work. Hold on, I got you. Hey, how you doing? You know, that kind of thing. They see that something's happened They see your frustration and they want to help people. They're such lovely, helpful creatures. Right? Aren't they? So again, have a couple of these around there. And also make sure it's not from an old job, by the way.

HID things. How does Ian Meyer? Oh, maybe we should look up that guy. Yeah. All right. So yeah, just get some generic ones. Right? So we know what the people are dressed like. We know what their badges look like. We know what building they work in. Maybe we've heard some small talk, etc. But let's say they're just not business casual people. Do you know what's beautiful? Marketing is beautiful. Marketers spend an enormous amount of time branding people. So this is Best Buy, right? Everybody knows Best Buy. Blue shirts, khaki pants. Go in there. In 2006, not a security exercise, but really speaks to this. A group called Improv Anywhere, right around the house, some of you guys here, some of you heard of this. Slowly

but surely, one by one, like every five minutes, somebody in a blue shirt and khakis went into a Best Buy until there was like 50 or 100 extra employees there. And you know what they did? They helped people. They stayed in there for like two hours and they're like, oh, you need help with that router? Yeah, okay, this is what you do. No one noticed. That Best Buy was just incredibly helpful. And because, again, humans like to be helpful, They're very, you know, creatures of habit, if you will. They're like, oh great, this person helped me, no problem. And then one by one, at a set time, five minutes apart, they left. Nothing wrong, right?

But what does this tell you? This branding allowed them to achieve something, go into an organization to the point that even the people working there didn't ask questions. They're like, oh, thank God you're helping that person with their router thing. I didn't want to talk to them about that. Great, you got it. New guy, we're going to lunch later. You're fantastic. So... Again, marketing is incredibly, incredibly helpful. Now let's say it's not Best Buy, right? Let's make a little more generic kind of scenario. Any of you guys work at like big enterprise type shops, like you know, big companies, Fortune 500s, anything like that? More than a thousand employees, more than 500 employees, a couple people, okay. Even lower than that though, you probably got

an HP rep, maybe a Dell rep, maybe Xerox, somebody comes by and fix the copy machines. Marketing is so grand to help with penetration tests that they put their outfits online for you to buy. For $14, I can have a FedEx polo with the FedEx logo. Picture perfect to walk into the building and say, hey, I heard you were having a problem with your FedEx printer there for printing labels. And by the way, they're always having problems with their FedEx printer printing labels. That is never a problem. They're like, you know what? That thing does not work. Yes, I'm glad you're here. So again, you can show up in that and fit in, even if

you're just on something where you don't have the time to do the research. You can have a couple of these shirts like this one from HP. If they're an HP shop or they're a Dell shop or something like that, just go. Spend a couple bucks. This one's a little more. It's like $39. But that FedEx one

was $14. You go and throw that on, go into the environment, you're going to look more like you should be there. You're going to look like somebody who's just going around trying to fix problems and getting out. So marketing is incredibly helpful. They're very helpful people for the likes of us. So now I like to throw a couple movie slides in here because I've talked about making sure everything's a little bit picture perfect, right? Making sure you're looking exactly the part. But the truth of the matter is this quote from the movie Serenity, right? So this is Serenity. It's the Firefly series. Everyone can... cry appropriately for it being canceled. But it's Kaylee talking to Simon Tam as he's about to leave the ship Serenity, right?

And he's a doctor and he's always in his suit and whatnot. And she says, you shouldn't ought to be so clean. It's a dead giveaway. You don't belong. You always got to be so tidy. She's trying to warn him that you look like a sucker. You look like a mark. People are going to take advantage of you. Think about when you go into work on a Wednesday. How many people haven't shaved the morning before because they're just like, yeah, I worked here for a number of years, whatever. Maybe their polo's a little rumpled because they just pulled it out of the dryer. They don't look perfect, right? They work there. They want to look professional, but they're not coming in with creases in their sleeves and perfectly pressed pants.

Now, that's not true of every organization, right? I mean, you might have financial institutions, sales companies, marketing places that, yeah, that's their job. Their job is presentation. But at most companies, your IT staff, frankly, is going to look, you know, polo shirt, khakis, whatnot, walk around with your badge and lanyard, and maybe they're a little unshaven, maybe, you know, they've been running around moving servers and whatnot. That's going to happen. So you want to pay very close attention. We'll talk about this in one of the examples. You want to pay very close attention to, frankly, do I look dirty enough? Do I look like I'm doing the job I'm pretending to do? Right? So...

Let me make sure I've got some volume here. Oh, well, I think my, well, we'll find out in a moment. So let me introduce you to our friend Green Fowl. He's the children's character modified to avoid copyright infringement, and will use just enough audio to be considered fair use. Is this going

to go? I want to subject you to the whole song, but Maybe I will. But what we're going to do is we are going to look at a couple examples of me dressed up in outfits. And we're going to pick out what's different with them. Alright, a little dance. So, the first one is the classic construction worker look. Now, again, I love my wife and I haven't said hi to her yet because she's going to watch this later. I love you. So... I come home one day, I'm like, honey, I need you to take some photos of me. I'm gonna get dressed up as like a construction worker. I'm gonna get dirty and she immediately gets on face with her friends. Ian came home tonight.

It's classic evening. We're gonna take some dirty pictures. And I'm like, yeah, yeah, all right. I can be the sexy building inspector. And she looks at me and is like, no one wants to be the sexy, but the building inspector's wife doesn't want to do the sexy building inspector. So anyway, so we got two photos here, right? There are some clear differences. and there are some not so clear differences. And we're going to talk about what the differences are, and we're also going to talk about what those things imply to the person looking at you. Now, neither one of these outfits is necessarily right or wrong, but we're going to talk about some of the

differences and what people observing you think that says about you. So, everyone ready? Cool. So, lots of stuff going on on the screen, right? So let's go through it. My hard hat, which I have up here in the photo, Here is too shiny, it's brand new, it's straight out of the box. It should look scuffed up. Guys who wear hard hats throw them in the back of their truck. They don't have brand new hard hats. They rumble around, they get dirt on them, maybe they got some lettering on them, right, that's faded that they've got on there because it was issued to them, etc. So that's going to look a little bit odd. My union sticker, that's right, that's right. I got to have my union sticker.

Are you local 504? You're not on this site, buddy. Yeah, no, yeah, so yeah, got to have your union sticker. Now we're, funny that that's said though, we're a right to work state so it's not always a union shop but that's good to know. That's really, I mean it's a good point. It's good small talk. If you're walking into a union shop and you don't know who your union reps are and whatnot, someone's going to find, it's generally a tighter knit community so that's research you should definitely do. So again, I've got a beard but I want to point out shaving, right? Down here on me. Construction workers, I worked with a lot of them at a previous company, well not specifically with them, but they served

the construction worker community. These guys get up really early. Even if they have shaved in the morning, by the time you see them, they might have a little bit of stubble. They might have a little bit of growth, right? Also, they might not want to shave because it's uncomfortable. They're running around, they're hot, they're sweaty, they don't want razor burn, that kind of thing. So you don't want to look like you've just stepped out of the shower because they probably don't look like they've just stepped out of the shower. On one side I've got a collared shirt, on this side I've got a bright greenish yellow shirt. This is pretty standard. If you walk around

downtown Orlando, this is what the construction workers are wearing. They're wearing it because they want to be visible. Other construction workers need to see them and say, oh wait, we're swinging a beam around, there's a guy over there. Which is the same reason for these vests, right? So, collared shirt isn't necessarily wrong. Maybe you're a supervisor there. Maybe you're running around, you say, I'm not here to work, I'm here to check some work. That's probably going to work better than this guy saying, I'm here to check some work, right? Papers. So I've got the standard, like, metal clipboard here. Don't show up with no papers on the clipboard. There's nothing better than walking in and going, I don't know, the job order says I'm supposed

to be here. Yeah. Have you got no papers on that clipboard? They're gonna go, first off, why are you carrying a clipboard? That's kind of weird. But two, you can use them as a... I'm supposed to be here at 11. Who am I supposed to talk to? That kind of thing. You want to have something to draw their attention to that.

That's right, yeah. If you guys want to come look at it, I ran a wire brush over the bottom. Yeah, exactly. And we talk about that too, the shiny and shiny pieces. Yeah, your equipment should look used. Right? So, on this one, it's kind of hard to see from where you guys are, but in this picture, I don't have a ring on. In this picture, I have my wedding band on. This is a really interesting give and take. Yes?

Tucked shirt? Yeah, I've got my shirt tucked in here, and I didn't call that out, but yeah, absolutely. That just depends on what you're doing. So, I mean, if you're in a scenario where you're pretending to be the supervisor, maybe you've got a shirt tucked in, most of the time people working, getting up and down and up and down and working on stuff, their shirt's untucked. Yeah. Okay. So, back to the wedding band, right? It is not unusual for construction workers not to wear their wedding band. Why? It's a danger to them. It might get caught in something that I don't suggest you look up on the internet called degloving. And it's exactly what it

sounds like. So the ring gets caught. Either the skin comes off or the whole finger. So they might not wear it. However, one of the things that a ring does inspire when you're lying to people is trust. You've made a commitment to someone. Maybe you've got some kids at home. This looks like a nice guy. He's married. What could he possibly do to penetrate my organization, do horrible, horrible, bad things? So you have to kind of decide what route you want to take with that and what level of confidence you have in using that.

Yeah, yeah. Yeah, you're fine, yeah. Yeah, I was gonna call out CrossFit on you. I was gonna say, I know a guy does CrossFit. I know a guy. So don't worry, he'll tell you. He does CrossFit. I don't know. Actually, it causes a space-time continuum problem. Right. So I've got a tool belt on in this photo. I've got a tool bag in this photo. Again, going back to the role play scenario, the only time guys wear tool belts on it like this is like if they're doing roof, they've got something they constantly got to get nails or something like that. They don't carry their tools on them. They have a tool bag, generally. They drop it wherever they're working. They do their stuff. They pick it up again.

They don't want to carry around the extra weight. Right? So talking about the tools here, notice I have no tools in here. Why is this guy wearing a tool belt with no tools? It's because he went and bought a tool belt thinking, I look like a construction worker. This guy's an idiot. Look at him. So yeah, so he doesn't have any tools in there, right? This tool bag, it's dirty. It's got dust on it. It's got a bunch of used tools, mismatched tools. This is a tool set of someone who has their favorite tools that they use all the time, that they trust, and they go through and they say, yep, this is my bag.

That looks more like that worker. So the pants, it's hard to see in this photo. I'm actually wearing the same pants that are in this photo. They're kind of that construction worker, like, hey, dungaree's working outside. Look at me. I just made myself sound terrible. So I'm wearing jeans over in this photo. Most workers that you'll see going around downtown, etc., doing construction, working in building, they're wearing jeans because they're tough, they wear well, and then also, again, it's hard to see in the shot, but I've got dust on my knees. I've got, and actually what it is, it was honestly, it was flour from the kitchen. I went, put it on my knees because they're getting up and down, up and down, and that's a detail. You see,

oh, that guy's a worker. he goes through and he does that stuff, he looks the part. One of the other items here is I've got his keys. I don't know why. Well, I guess I do kind of know why, but just a ring full of keys, like hundreds of keys. The more the better. Because often these guys are doing facilities, maintenance, they've got to have keys to every room, they've got to go around. This is probably the most effective prop, and it seems silly. But somebody looks at this and goes, yeah, this guy's... It also implies that you have access, right? If you're somebody, you see somebody who's got a ton of keys, and they're

in a room that maybe they're not supposed to be in, you're probably going to assume that they got in with one of these keys. So it's a good prop to have on you. Let's see, which ones didn't we cover here? Oh, yeah, use. Notice how this looks very nice and brand new, this vest. I ripped it up a little bit, got some dirt on it, etc. Again, it looks like it's been in my truck. OSHA requires me to put it on, so now I've got my truck, I put my stuff on, I go and I do my work, right? Okay. So you don't want to look like you've just bought this at Harbor Freight, which is, by the way, where I bought it from. But you don't want to

look like that. You want your clothes. Here you can see there's some dirt on there. I've maybe wiped my hands after working with my tools, right, because that's what I do all day. I don't look like I've just stepped out of the shower like, I'm dressed like a construction worker doing construction worker things. Don't mind me. No, I look like I've actually done the job, right. So we talked about dust from the bag. Shoes. Again, it's hard to see in this photo with the screens. I've got brand new shiny black boots on. There are very few occasions that you will see a worker that is out doing construction in brand new shiny black boots. Very

few occasions. And it's generally the first day they bought those boots. So yeah, if you've got all this other stuff going on in a new pair of boots, that's probably fine. If you've got a new hard hat, a new vest, a new tool belt, new pants, new shoes, it's going to look strange. Yes, sir.

You, sir, are very observant and would probably catch me sneaking around the building because of the next slide I call that out. You're absolutely right. You're already on top of it. Here, I'm trying to fool someone. I'm like, hi, I'm here to do construction. Everyone wants to do construction. Now, over here, I look like I'm like, you put in a ticket. I'm supposed to fix the light. I'm tired. I want to go home. And that's what people look like when they're doing this kind of work. Again, I'm being a little stereotypical. Not everyone, but I'm trying to leverage stereotypes, things that people will accept as a stereotype. So I think we've talked about the construction worker enough. Oh, I didn't mention the badge. Sorry. We're going

to mention this a couple times. The talk yesterday that... Who was it that gave the talk? It was Tom from Citadel. He did a really good job talking about this. This is literally a paper-printed badge stuffed in a thing. There's no real badge in there. Now, I might have it backed with one of these... that I talked about before. But again, I'm doing my research downtown, I'm seeing what the badges look like. I make a fake badge that looks like that. I stuff it in a plastic pocket so that people don't see the real detail on it. I've got an RFID in there that when I scan it, it doesn't work, but it makes the

thing beep, right? Also, notice where I've got the badge. I've got it up high, and I've got it facing out. People can look at my face, and they don't have to look down at the, we'll call it the crotchular region, right? People don't want to do that. And that's often the reason that companies say you've got to wear it up higher, right? So you put it up there, it's facing out, and what you're doing is you're inspiring a level of trust, right? They're looking at you and saying, oh, I already know your name. Some people like to feel like they're getting something over on you. Like, if I've got the badge on, I'm like, oh, hey, Ian, how you doing? Oh, no, we'll definitely help you out with that.

I've never met this person in my life. But now they feel like they've got something on me. They feel like they have the upper hand because they know my name, I don't know theirs. And it's just a little bit of back, kind of like backwards psychology that you can leverage because now they trust you. So, did we touch on everything? I think we did. Dirt, use keys, yeah. Yeah, we did. All right, so let's move on to the second example, which is one of two here. Business professional Ken. So, two different pictures, basically the same outfit. These changes, there are fewer of them. They're a little more, no, I'm not going to say, they're a little more overt. But again, do your

research about the organization. So what are the differences here? Gentleman back there called out the smile already. He got me on that one. So smile. I'm smiling. I'm there to do a job. Here, I'm relaxed, but I'm not thrilled. I'm here to do a job. I'm here to do my job, get my paycheck, go home, right? Here, maybe I'm trying to sell you something. And who likes salespeople, right? No, I know we got salespeople in the room. I like salespeople. So let's go through the differences, right? Collar open. I am. I'm wearing that shirt. I don't own any other clothes other than the presentation I'm doing right now. So anyway. Here, I've got the collar open, right? I don't have a tie on. If that

is what that environment calls for, it's not a sales environment, it's not a financial services environment where everyone's in a suit doing their job. This looks like someone who showed up to be professional, they got their collar open, they've got their sleeves rolled up. I actually never put my sleeves down, I hate it. But somebody with their sleeves rolled up look like they're there to do a job. They're working on their keyboard all day. Maybe they're a little hot because they're doing stuff. They're not trying to pull something over on you. You know, nothing up my sleeve, presto. That kind of thing. So again, the bag, right? Here I've got a backpack, here I've got

your standard like briefcase issued by Dell, right? This might be more your business person, right? They've got the briefcase, they go in, they do their client presentation, maybe they got a projector in there, whatever it is. Backpacks are actually gaining a lot of, executives are carrying, they're on planes, they've got the straps over there, people are going for comfort over looks. Keep an eye out for that when you're doing your research. Are all the people leaving at five o'clock got backpacks on? They have messenger bags. What can you do to make yourself look more like the community you're trying to penetrate? Which sounds really, really dirty. Anyway. So, again, we got the basic things here. Again, we got the badge. We talked

about that. We've got the tie. We've got the shoes. That's the only thing I didn't talk about. I've got two sets of shoes here. I've got my shiny tuxedo shoes. And I've got my regular shoes that I've shined. These are too shiny. People pay attention to shoes. Everyone see the movie Die Hard with, I think it's Die Hard with a Vengeance, right? Hans Gruber's brother is very mad. Now there's a scene where they go to get into one of the federal bank buildings and they're all wearing suits and they're going in, but one of the guards notices that they're all in military boots. It was the only thing wrong with their outfit. Because shoes are

expensive and they're hard to pack. So you might have a whole new suit or a couple suits or changes of clothes, but you might only have one or two pairs of shoes and they don't go together. So make sure you pay attention to even that detail because I guarantee you good security guards are. Are you in the wrong footwear? I'm dead serious about that. That is something that absolutely happens. Yeah. Yeah, absolutely. So, shoes are too shiny, ties too tight, smiles disingenuous, this guy sucks, get out of our building. Yeah. Absolutely.

You got it. Yeah, absolutely.

Yep, yep. So... Yeah, please. We don't want to hear about your stupid shiny shoes anymore. Get out of here. Exactly. Yeah, no, that's a good point. So, paralanguage. This isn't what you say, it's kind of how you say it. Right? And honestly, I could probably just use this quote from Ocean's Eleven. to tell you about paralanguage. So Rusty's talking to Linus and he says, you look down, they know you're lying. And up, they know you don't know the truth. Don't use seven words when four will do. Don't shift your weight. Look always at your mark, but don't stare. Be specific, but don't, what is it? Be specific, but not memorable. Be funny, but don't make him laugh. He's gotta like you and forget you

the moment you've left his side. That last piece is the really important part. They've gotta like you, they've gotta see you're not a threat, and move on with their lives. So what that's really doing is that's speaking specifically to what I said about the uncanny valley. They've got to look at you, go, yep, nothing here wrong, there's no anomalies, this doesn't seem strange to me, and go about their life, right? So what specifically is paralanguage, though? Paralanguage is the non-lexical component, I should probably be over here, non-lexical component of communication by speech, for example, intonation, pitch, speed, That's going to pitch again. Speed of speaking, hesitation, noises, gesture, and facial expressions, right? So this starts to

head into body language, but it really isn't. Like, if I go through and say, hey, Jack, you look really great today. You look just stunning, just majestic. Does my facial expression give that up? No. I look disingenuous, right? So, paralanguage is those things that people pick up on when you're speaking that they use to fill in gaps. It's also the reason we need like a slash sarcasm tag when we chat, right? Because people read it and they go, huh, that guy's a jerk. Maybe you are, but whatever. So, paralanguage do's and don'ts. Do, speak clearly. I hope that I've spoken clearly to you guys today. You'll be fine folks here. Lower your pitch if you can. Bring your pitch down lower.

You're relaxing. You're doing a zen calm. Studies show that a lower pitch inspires trust. People hear that and it has a calming effect. Now, you don't want to lower it so much that you're like, can't get enough of your low. You don't want to go Barry White low, but just a little lower, maybe one register lower. So relax your face. Do some exercise. Goofy stuff in there before you go in and work on it. You want all those muscles relaxed and loose because if you're coming in really tense, it's going to show up. So do that exercise. Positive tones. You don't want to speak negative, angry. You want to speak in a positive tone. You want to let people know, no, everything I'm telling you is absolutely true.

Now, that even sounded a little disingenuous, but I think you get my point. You want to match their vocalizations. And this is very important because we talk about imitating.

You don't want to imitate. You want to match their vocalizations though. If someone's speaking a little quicker, match their pace. If they're speaking a little higher, speak a little higher. Now I know I said speak lower, but you have to go with the experience that you're having at that very moment, right? So match their vocalizations and gratitude. Flattery will get you everywhere, people. Thank you for helping me. Oh, thank you for holding the door. Hey, where's the lunchroom? Oh, thanks. I really appreciate it. I got a meeting I got to get to. Leaving people with those thoughts that they see you again in the hall, they're going, oh, that's a really nice guy. He's great. Who is he? Right? So the don'ts.

Don't rush. Don't speak very quickly. If you're speaking very quickly, people don't know what you're trying to say. And then they're trying to think about it. And they're wondering why you're talking so quickly. Because you're nervous. Don't rush. Accents. Don't try and do an accent. You may think you do an incredible Cockney accent. You don't, unless you happen to be Cockney. I should drink, God. No, you don't. You don't do it well. And moreover than that, even if you do it well, you never know when you're going to speak to someone who grew up around that. You never know when you're going to be sitting next to somebody and they're going to say, hey, I don't know what that guy's doing. So don't try and fake

an accent. Try not to breathe heavy. Don't run upstairs before you've got to hit your mark because people are going to go, why is that fat ball guy not able to speak to me? What is he doing? Don't do that. Really work on that. And if you have to practice it, do. So vocal fry. I can't even really imitate this, but it's something that you hear a lot of people do. It's kind of at the end where you go, oh my god, like that. Even if the person you're talking to is doing that, avoid it. It's a habit that people develop. It's a laziness of speech. So don't imitate. Again, if you find yourself somebody with a very heavy accent or they're saying specific words, don't try and copy

them. Now, you want to sound, this is a really fine line to walk. You don't want to try and copy them exactly. Because if you go too far, they will think that you're making fun of them. They will have that revulsion reaction, like, why is this guy making fun of me? Why is he doing that? You want to match their vocals, kind of keep up with them in pace and tone, but don't try and imitate them. And of course, don't frown. Don't come in angry. Again, that goes back to the facial relaxation. So body language, it is not interpretive dance. It is not like some sort of I am a swan on the wind. No,

you're not doing that. You're trying to let people know that you're approachable, that you're trustable, etc. So, standing. Many of you who are in the military, you've got the relaxed standing position. You're at rest, whatever it is, at attention. I wasn't in the military, clearly. But, again, you want to make sure that when you're standing, you're confident in your own space. You're standing, relaxed, listening, relaxed. Maybe you've got your knees bent. You don't have your arms out like you're aggressive. You don't have them behind your back where people can't see what you're doing. Maybe you have a weapon. Maybe you've got something else. Who knows? I can't tell. Your hands are behind your back. You want to make sure that the person feels comfortable with the

way they're standing next to you. You want to do eye contact, right? I'm going to play with you right here. I'm going to do eye contact. But you don't want to stare because if I'm sitting there drilling through you, You're going to have a prey response. Why is this guy looking at me? Do I have something on my face? What's going on? So try and watch their eyes, right? People have a certain level of comfort where they'll look at you, they'll do some eye contact, and then they'll look away for a second. Where they go, okay, I'm going to see what else is going on. Oh, yeah, he's still there. Great. So if they do

that, try and match that timing. Every couple seconds they look away, you look away. Let them see you do that. Okay, this guy's not trying to penetrate my soul. He's just talking to me. Fantastic. So again, be confident, but not aggressive. Right? You want to be confident. You want to feel like you belong there. But you don't want to go, hey, you better let me in there. I'm going to call Bobby Joe Susie Pants and they're going to yell at you. Yeah, no. Frankly, Bobby Joe Susie Pants really needs to change her name because that's a terrible name. So, let's talk about speaking tips. Now, this talk didn't go into speaking tips, but... You want to work on your small talk. Tom talked about this yesterday. Go through,

check the weather in the morning. Oh, unseasonable weather. That was what he said. But also like, oh, can you imagine the rain yesterday? Oh, it's crazy. I had an umbrella. I had to go get the kids. Those kind of things, right? Work on your small talk. Know what the local sports teams are doing, right? Introduce yourself. If someone comes around the corner and you see them, introduce yourself. Hey, how you doing? I'm new here. Great. Where do you work? Oh, you work for that? We should do lunch sometime. Yeah, absolutely. And leave. Maybe you're gonna have to bail immediately after that, but they're not gonna call security before you're out of the building. Be concise, we talked about that. Don't use seven words when four will do. Don't be

the first person to speak. The first person to speak loses. Just like standard sales. Yeah, can you help me get into that room over there? Am I supposed to help him get in that room? Yeah, let me find out. Let me see what I can do. But if you keep over explaining, they're going to go, why is this? No, go away. Build rapport. That's really that small talk piece. Build rapport with them, some sort of commonality, right? Talk about the weather. Talk about sports. Hey, they've got a sports jersey on. Oh, did you see the game? This is the type of thing that makes them go, this is a normal human being. And I can trust them. So got a couple minutes left here, 10 minutes left. Good.

The getaway. Must go faster, must go faster, must go faster, must go faster. So three key getaways that I really like, right? One is let me step outside and call my boss. If you find yourself in a scenario where they're not buying it, again, you're back to the papers. Oh, you know, maybe I got the wrong, do you have another office? Let me grab my phone. Let me step outside. I'm going to call my boss. We're going to get it straightened out. And then keep walking.

Oh, maybe dial. Yeah, and you're on the phone like, oh, no, I'm just, I'm on it right now.

Don't trust this man. Right. No, he's absolutely... No, no. I think everyone knows what I meant. You can trust him, but only so far. No, anyway. Yeah, I'm kidding. So, yeah, they know I'm right. Yeah, right. So, anyway. So, can you help me? Like I said, people like to be really helpful creatures. Hey, can you help me? I'm going to try and fit this story in real quick. Bob, again. Bob, not me. Bob. Everyone remembers Bob? That isn't me? Great. Okay. Okay. So Bob has a tendency to wander around theme parks, especially when he got older, right? And him and his friends might have drank a little too much at a theme park that wasn't the theme park that was talked about before, and

they'd wander around the back lots. And as soon as they saw someone approaching from a distance that maybe they were like, hey, wait, what are those people doing? From a distance, I'd tell my friend, I'd say, hey, I need you to act really drunk. No, drunker than you are now. Little drunker, good, perfect. Do that. He's on my shoulder, and I go, hey, excuse me, can you help me? I need some help. Oh, yeah, come over to me. My buddy got really drunk. He ran off. We were trying to catch him. We just want to get out of the park. We're trying to find the garage. He took off running. We got him. He's being in real pain right now. So if you could just

help us out. They go, oh, yeah, absolutely. Let me get the golf cart. We'll bring you guys around. We'll take you out to the parking lot. We then, I mean, Bob, they go through and go right past all the police officers that are arresting all the drunk people and sending them to Drunk Tank because they were a little too drunk in a theme park, which is a bit like... And though I walk through the valley of shadow of death, I will fear no evil. As you're getting escorted past all the police officers because you asked for help. And of course the last one, excuse me, where's the bathroom? I was told there's a bathroom. No one's going to ask you why you need a bathroom. They're just

going to tell you where the bathroom is. Oh yeah, it's right over here. And then keep walking. So. How do you stop this in the last couple minutes here? Like I said, at the beginning of any red team talk, I like to help out the blue teamers. How do you stop this from happening? How do you stop the interlopers from getting into your organization? Introduce yourself. You see someone new. The thing that I said, reverse it on them. Instead of you going to them and saying, hey, are you new here? Hey, my name's Ian. How are you? Which department do you work in? Who's your manager? What do you do here? They can't answer those

questions. Maybe it's time to say, hey, um, Not for nothing. I'm really sorry you don't really have a badge on, but I gotta call security. I'm really sorry. Beat the asshole. Yeah, exactly. Exactly. Beat the asshole and wear it in the bargain. Exactly right. So, visible badges. I always wear my badge up on my collar. Any organization that I have the power to do that, I'm gonna ask, wear a lanyard. Wear it up here. Have a visible badge. Right? If the badge is hidden, if it's not there, if you can't identify them, are going to use that against you. Stop tailgating. We try and be like, oh, here, let me hold the door for you. We're taught to hold doors for people. Don't do that. At a bare minimum,

at an absolute minimum, say, hey, I need you to hit your badge against the reader so we have a log of you entering the building. And again, you might get to personally know people you're going to lunch with and whatnot. You know they work there, and you can still do that. But you see someone who doesn't belong, you don't see him before, maybe you've only seen him in the office once, what not, be like, hey, not for nothing, can you just badge in so I don't get in trouble? Because you shouldn't be tailgating people in. And then escort people. You don't have to be security, but if someone's there that you don't recognize, say, listen,

again, not for nothing, but I got to call security, they will escort you to where you need to be. Or do you have an escort with you? No, you're a guest here. Let me call security and get you an escort. So you don't have any trouble. Let me be helpful for you, right? So you do those things. You're checking badges. You're not tailgating people. You're getting people to properly escort. You're introducing yourself to strength. Don't worry about the awkward moment, the awkward handshake, whatnot. Do that. That is going to diffuse most penetration testers. Because as soon as you start getting the weeds about, oh, do you know Jan from HR, who doesn't exist, by the

way? And they say, oh, yeah, I've known Jan for a long time. No, you don't. They're not real. I just made them up. What are you doing here? So in summary, What did we talk about at the beginning? Get permission. Authorized penetration test. Do not be like Bob. Bob going around those theme parks could have been in a very nice orange jumpsuit. Not very flattering on Bob. Yeah, right. So understand the target. Do your research. Make sure that you know what those people wear. Pay attention to the details. The details are what are going to give you away. You don't want to trigger that uncanny valley. And again, trust no one. I know it sounds very X-Files, but again, you see someone,

you don't recognize them, you've never worked with them before, don't trust them. Ask them some questions. So we don't have a lot of time for questions, but I do want to say thank you to everyone, the organizers, et cetera. If you're interested in becoming an InfraGard member, please go to InfraGard Orlando Members Alliance. We're trying to get that chapter running. Adam Losey this morning, who was speaking, him and I are involved in that. If you want to contact me, ian at ianmeyer.com, at ianmeyer. Again, I hide myself very well on the internet. And then I've got the slides up there if you're interested in them. So on my website, if you go to ianmeyer.com slash

p slash dress, you'll get these slides in the abstract for the talk. So thank you.