Penetration Testing mailing list archives

Re: Social Engineering Formal Methodology


From: Todd Willey <aliver_vilereal () yahoo com>
Date: Fri, 8 Mar 2002 07:20:11 -0800 (PST)


The reason there are no formal rules for social
engineering is because it is all dynamic and dependent
on the situation and the contact.  You tell people
what they need to hear to give you vital information.
It is improvised, not scripted.  Some things that may
be helpful though:

-Write down the contact's name and their department,
you can keep this contact for further information
gathering later.
-Keep referring to them by first name (common name) on
the phone, this will sometimes build up an informal
environment in which they are comfortable giving you
information.
-Don't be afraid to ask for a supervisor if things
aren't going your way, go all the way to the top if
you have to, but don't back down.
-Also, if you are not doing this from a business
environment, you can try to create an office type
dialog to seem more professional.  Have a "secretary"
call, get the contact on the phone, and then transfer
the contact to your office.  If you have a secretary
making your calls, you must be doing something right,
or so they would assume.

These are not guaranteed to work.  In some situations
you are just as likely to gather information as a
concerned consumer or a student.  There is no set
method, and there cannot ever be a set method, you
just have to act.

todd[1]


--- Ilici Ramirez <ilici_ramirez () yahoo com> wrote:

Hi,

There are many resources available on the web about
Social Engineering (including NLP - my new hobby) -
you can find them on google very quickly. But most of
them contain "what is SE", some examples and
references to other sites with the same stuff.

Anyway, as far as my research has gone I could not
find any paper on A FORMAL METHODOLOGY for conducting
Social Engineering Assessments.

In any audit, if you do not follow a methodology you
cannot guarantee the quality of the work.

So, could anybody give us some advice?

Best Regards,
Ilici R



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
