Penetration Testing mailing list archives

Re: Penetration Testing - Human Factor


From: "K K Mookhey" <kkmookhey () gmail com>
Date: Thu, 24 Aug 2006 01:57:09 +0530

Isn't it also about the fact that people are very hesitant to report
incidents where they've been taken for a ride, and more willing to admit
technical goof-ups such as not applying a patch?

We've offered clients social engineering attacks as part of pen-tests,
and have found takers for these too. Having said that, I think
targeted financial fraud leveraging computer systems usually happens
with a very strong component of social engineering, whereas regular
hacking (with possible financial results) is usually almost purely
technical.

Just my 2c.

KK


On 8/23/06, Joey Peloquin <joeyp () cotse net> wrote:
>  KeenerPB () mcnosc usmc mil wrote:
> > I would disagree with Arian regarding the technical aspects of "true"
> > hacking...in my experience, social engineering plays a huge role in
> > successful compromise of a network. Most of the time the boundaries are
> > pretty tight so you have to lob one over the fence (social engineering) in
> > order to punch out from the inside to defeat the boundary devices.
>
> All due respect, I'm both an Enterprise pen-test customer and an internal
> pen-tester at the same company, and I don't see social engineering on the
> radar at all, save a mention as part of our security awareness program.
>
> How many enterprises do you all contract with that *actually* include social
> engineering, and the like, in the scope?  We've paid as much as 40K for an
> engagement and it didn't include social engineering.
>
> -jp
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>


