RE: Social Engineering Formal Methodology

["Brass, Phil (ISS Atlanta)" <PBrass () iss net>]

I'm no expert, but I think you should start with some SE goals or targets,
and list techniques that are used to attack them.  Goals and techniques
might be:
1.  Gain physical access
    tester->guard: "I forgot my card today"
    guard->tester: card

2.  Gain credentials remotely
    tester->helpdesk: "This is Joe Blow CEO, I forgot my password"
    helpdesk->tester: new password

3.  Gain access to sensitive information such as source code, sales/customer
history, pricing structure, salary info.
    tester->engineer: "I'm with the new enterprise QA team and we're doing a
source audit"
    engineer->tester: source code

    tester->helpdesk: "I'm salesperson X and I can't get into the contact
database"
    helpdesk->tester: contact database access


These might be combined.  For example, you may first gain physical access,
sit down in a conference room, get DHCP, call helpdesk (check the intranet
site for the number, find a likely name off the phone list (also on
intranet)), gain credentials, access sales database, select * from *, call
engineer, get source copied to intranet share, download, burn CD, deliver to
client, have a nice day, etc.

I'm not saying the specific examples I gave will work.  I'm saying SE is
like any other testing, you need to have testing targets.  In the case of SE
and other security audits, the testing target is usually the failure of some
security control.  In the specific case of SE, the target is usually the
human side of security controls.  Guards shouldn't award cards to strangers
who have lost them, or even let them into the building "just for today".
Helpdesk should verify identity, perhaps by calling back to a known number.
Engineers should not copy "the source for the latest build" anywhere.

One target that interests me (because I know so little about it) is gaining
access to the phone system.  In particular, you want to at least take over
someone's voicemail.  Ideally, you can get that conference room phone mapped
to a person's phone number, so when you call helpdesk the caller ID says
"Joe Blow", and when they call back it's your phone that rings, not Joe's.
This can be a huge supporting factor for your S.E.  

The only way I can think of to do this via SE is to call the phone helpdesk
and tell them you've moved cubes, and give them the wall jack number, and
hope for the best.  On the other hand, if you know enough about different
phone systems, it seems that you can program many corporate phones if you
punch in the right numbers.  Anyone have good resources on that topic?

Those people who imply that it is an art form that cannot be taught are
partially right - it's hard to write the methodology for "how not to come
off sounding like a nervous liar on the phone", at least not without
resorting to some level of psychobabble.  What we can document is common or
typical targets, and common techniques that people with the appropriate
skills (real salespeople would probably be great at this) use to attack
those targets.

As I said at the beginning, I am not an expert (I've only read about SE),
but I do think a methodology can be developed at the testing/target level.

Phil

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/