Penetration Testing mailing list archives
RE: Penetration Testing - Human Factor
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 21 Aug 2006 16:50:06 -0400
-----Original Message-----
Subject: Penetration Testing - Human Factor
> As a thorough sceptic I'd like to conclude that in most cases of a TRUE hacking incident, social engineering has been a factor of success for the malicious user attacking a system.
My experience has been just the opposite, but I do allow for the possibility that you've got some movie-plot notion of what constitutes a "TRUE hacking incident." Most of the hacking incidents that I've encountered have fallen into one of the following categories.

A) The system was connected to the Internet and inadequately hardened or protected by a firewall.
B) There was a previously unknown vulnerability that an attacker exploited (think web-app stuff as opposed to kr@d lee+ 0dayz).
C) The system compromise began with a benignly-intentioned user behaving badly (installing rogue software, opening attachments from strangers, etc.)

I do acknowledge that the third scenario may involve some elements of social engineering, but it was always used in conjunction with malicious code of some sort. I have never investigated an attack, nor have I heard of an actual live attack, in which someone with access to sensitive information gave up their password to a hacker. So while they probably happen, they are also probably not "most cases".

Social engineering (aka "a con") isn't as attractive a means of attacking computers as it would seem. In my experience, most focused and targeted attacks involve some degree of an insider element. In these cases, social engineering may not be necessary - the insider often has some or all of the privileges necessary to access sensitive systems. In more random attacks, social engineering is time-consuming and risky.
> For quite a while now I have been compiling methodology on the assessment of the weak human security link which can be exploited through social engineering. Has anyone got any thoughts they would like to share or guidelines to the audit of the human factor when security is concerned?
> Any information is much appreciated.
Yes, any assessment of an organization's vulnerability to social engineering attacks must be audited against the organization's controls, specifically procedural controls. If an organization lacks said controls, an assessment is meaningless - it should be assumed that social engineering will eventually be successful. Once that requirement has been met, you can assess how often procedure is followed and, if it is followed sufficiently, how effective it is.

PaulM