Firewall Wizards mailing list archives
Re: Penetration testing via social engineering/physical penetration
From: "Ryan Russell" <ryanr () sybase com>
Date: Sat, 26 Sep 1998 09:44:43 -0700
The general consensus is that you can usually find someone willing to give up their username/password. I think it is still popular opinion that most attacks come from within a company or a former employee.
Sad but true.
If I can walk into your building and pour sugar down into your backup generators, or sit down in a cube all day w/o being questioned (other than someone else new to the building asking you for directions to the
bathroom)
that this is just as big of a risk to be broken trough as any misconfiguration (since there are bound to be misconfigurations on the inside of a company's network, and once you are on that side wall, your border firewall is now useless.
Yep, perimeter security alone isn't sufficient. Yep, you're totally dependent on your physical facilities being secure.
From my perspective, it would appear that this would have no effect, or a positive effect. I'm sure we've all seen/worked at/been to sites which have many gullible and uneducated (as far as not falling for the fact that I'm some line technician 20ft up on a pole) employees, and some very, very unattentive security guards at the gates. But what do you expect with
what
you're paying those people.
I'm having difficulty picking out your question, unless you were making a statement. We are all totally dependent on physical security to keep our information secure. I suspect most of us don't have responsibility for pysical security in addition to network/system security. There is the advantage that the attacker puts themselves at a greater risk by showing up in your building. If you're asking something along the lines of "should full penetration testing be allowed, including social engineer? Is there any point since they're guaranteed to get in?" Before anyone pays for any penetration test, they should know what they want tested. My opinion is that there's no point in testing something you already know is broken. If you're confident your firewall is in good shape, test that. If you're confident that your internal system security is in good shape (ha!) then test that. If you think your users are educated enough to recognize a scam over the phone(ha! HA!) , do SE testing. When my management asks me if I want/can we do a security audit, I tell them "No, let's fix the problems I've been pointing out for the last couple of years, and quit asking me to introduce new ones." Really... I'll do my own audit for half the money :) I would probably only ever request a pinpoint audit... to test something specific that I think is in good shape. Put it this way, a good hacker, with no fear of being caught (because you're paying them) is guaranteed to get in eventually. Ryan
Current thread:
- Re: Penetration testing via social engineering/physical penetration Ryan Russell (Sep 29)