Penetration Testing mailing list archives
RE: Penetration Testing - Human Factor
From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Wed, 23 Aug 2006 18:01:00 -0500
You make an interesting point about the occurrences going unreported. I would have to agree that the majority never see the light of day. I would also go so far as to say that most folks don't even know when it happened to them, i.e. nothing suspicious about the interaction. With the technical side being covered by a wide variety of devices which do nothing but help in trying to prevent attacks and logging everything this would give this type of attack a much higher statistical average. Since there are no forensics for a human breach this type must be under reported when reported at all. I know it's real easy to call a help desk and have them reset a password! -----Original Message----- From: K K Mookhey [mailto:kkmookhey () gmail com] Sent: Wednesday, August 23, 2006 3:27 PM To: Joey Peloquin Cc: KeenerPB () mcnosc usmc mil; Pen-Testing Subject: Re: Penetration Testing - Human Factor Isn't it also about the fact that people are very hesitant to report incidents where they've been taken for a ride, and more willing to admit technical goof ups such as not applying a patch? We've offered clients social engineering attacks as part of pen-tests, and have found takers for these too. Having said that, I think targeted financial fraud leveraging computer systems usually happens with a very strong component of social engineering, whereas regular hacking (with possible financial results) is usually almost purely technical. Just my 2c. KK
On 8/23/06, Joey Peloquin <joeyp () cotse net> wrote:KeenerPB () mcnosc usmc mil wrote:I would disagree with Arian regarding the technical aspects of "true" hacking...in my experience, social engineering plays a huge role in successful compromise of a network. Most of the time the boundaries
are
pretty tight so you have to lob one over the fence (social
engineering) in
order to punch out from the inside to defeat the boundary devices.All due respect, I'm both an Enterprise pen-test customer and an
internal
pen-tester at the same company, and I don't see social engineering on
the
radar at all, save a mention as part of our security awareness program. How many enterprises do you all contract with that *actually* include
social
engineering, and the like, in the scope? We've paid as much as 40K for
an
engagement and it didn't include social engineering. -jp ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- RE: Penetration Testing - Human Factor, (continued)
- RE: Penetration Testing - Human Factor Arian J. Evans (Aug 21)
- Re: Penetration Testing - Human Factor Marios A. Spinthiras (Aug 23)
- RE: Penetration Testing - Human Factor Isaac Van Name (Aug 24)
- RE: Penetration Testing - Human Factor StyleWar (Aug 26)
- Re: Penetration Testing - Human Factor Marios A. Spinthiras (Aug 23)
- Re: Penetration Testing - Human Factor R. DuFresne (Aug 22)
- RE: Penetration Testing - Human Factor StyleWar (Aug 26)
- Re: Penetration Testing - Human Factor Catsworth (Aug 22)
- RE: Penetration Testing - Human Factor KeenerPB (Aug 22)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 23)
- Message not available
- Re: Penetration Testing - Human Factor K K Mookhey (Aug 23)
- RE: Penetration Testing - Human Factor Robert D. Holtz - Lists (Aug 23)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 23)
- Pen-testing/auditing MS Exchange Servers. Serge Vondandamo (Aug 24)
- RE: Pen-testing/auditing MS Exchange Servers. Justin Polazzo (Aug 25)
- RE: Penetration Testing - Human Factor Arian J. Evans (Aug 21)
- RE: Penetration Testing - Human Factor StyleWar (Aug 26)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 29)