Firewall Wizards mailing list archives

Penetration testing via social engineering/physical penetration


From: Eric Budke <budke () budke com>
Date: Thu, 24 Sep 1998 19:51:58 -0400

The merits of shrinkware seem to have been passed back and forth.  And this
may not quite fit on this list, but some friends of mine are in something
of a debate on the usefulness of a company offering this type of service.

The general consensus is that you can usually find someone willing to give
up their username/password.  I think it is still popular opinion that most
attacks come from within a company or a former employee.  

If I can walk into your building and pour sugar down into your backup
generators, or sit down in a cube all day w/o being questioned (other than
someone else new to the building asking you for directions to the bathroom),
this is just as big of a risk to be broken through as any
misconfiguration (since there are bound to be misconfigurations on the
inside of a company's network, and once you are on that side wall, your
border firewall is now useless).

If for instance the NYTimes hack was done by someone getting a RAS number
and username/password from some dolt at the company, would the story be any
less damaging than any of the stories given thus far (NFS exploit,
<bullshit>cgi buffer overflow</bullshit> et al.)?  Once they are in, they're
in.  

In another scenario, would a company that does social and physical testing
of security turn you away from using their services, simply because they do
these types of services?

We are of course assuming that the employees doing this work wouldn't have
priors with the law.

From my perspective, it would appear that this would have no effect, or a
positive effect.  I'm sure we've all seen/worked at/been to sites which
have many gullible and uneducated (as far as not falling for the fact that
I'm some line technician 20ft up on a pole) employees, and some very, very
inattentive security guards at the gates.  But what do you expect with what
you're paying those people?

-Eric
--
PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt


