An Out-of-the-Box Thinker's Approach to Security


Presented at BSidesOttawa 2014 by

We’ve all seen it before. Each year, organizations invest millions of dollars in security solutions and disseminate elaborate security policies and procedures as part of their holistic security program. Yet despite all this effort, the general perception is that intrusions are increasing at an alarming rate with no signs of slowing down. External certifications and compliance reports have seemingly made little impact – companies that have “exceeded” PCI standards have been breached. In reality there are large gaps between the theory (your security management framework) and the practice (the operationalization and controls of the framework). Why do we keep getting compromised? 99% of the time, it comes down to human error. Over the last 20 years of my career as a security adviser, I've become an expert in capitalizing on human error. No matter what industry, be it financial or law enforcement, I have successfully penetrated the majority of my targets using the most basic techniques that leverage human weakness, such as social engineering. My presentation will focus on the operational and strategic vulnerabilities that most people don’t think of and that are still present in most organizations to this day. I’ll tell you some of my war stories that required an “out of the box” approach, including: targeting and compromising a board member of a public company while he was riding the train (while I was driving alongside in my car); gaining access to “secured” data centers using only a $50 budget; stealing a police car to gain access to an intelligence database; and intercepting communications between a management consulting firm and its customer via a public hotel network. You’ll laugh, you’ll cry, and hopefully you’ll leave my talk with a better understanding of how to protect your organization from attackers and minimize your risk against these types of attacks.