Some of my friends were also attending, but they either hadn’t had the spare cash to buy the great ticket, or had waited too long to get one. Instead, they volunteered to work the merchandise tables for the artists that were performing/presenting in exchange for admission. It meant that I wasn’t able to hang out with my friends during the show, but it opened up an entirely different opportunity for me: meeting the entertainers socially.

After the event was over, my friends were doing their work,cleaning up their merchandise areas and accounting for their sales. I made it a point to keep conversations with them active and kept moving around while security did their job of clearing the theater, escorting the stragglers outside, and locking the doors. Soon, I was locked in the building with everyone else on staff, with no actual permission to be there. I had successfully passed the first barrier: building security believed I was supposed to be there.

At that point, I did whatever I could to make myself useful. I carried boxes and moved equipment as though it was what I was there to do all the time. This allowed me to pass the second barrier: I was just accepted as another volunteer with those around me, even without the necessary credentials.

At the very end of the night, I ended up being one of three people not on the paid staff that was invited out for drinks with the entertainers and crew. I was going to spend the rest of my evening with some of my favorite stage and screen celebrities (some of whom you’ve probablynever heard of, and some of whom you almost definitely have heard of).

So, the deck was definitely stacked in my favor, and it’s highly unlikely that I would have been able to accomplish any of this if Ihadn’t already had friends “on the inside.” But, it does show how hard it can be to combat social engineering when a member of your organization actively assists an outside party. Perhaps you have a disgruntled low- or mid level employee with an idea about how they can raise their own privileges by vouching for the legitimacy of an outside party, and getting that outside party access above their own.

Make sure all levels of your organization, and any contractors you have, understand which sources they should trust, and which they shouldn’t.