RE: Pen-Test and Social Engineering

[Leif Ericksen <leife () dls net>]

Is Kevin allowed to touch a computer yet?  Lets get his opinion on the
whole thing.  


Lets get the Allstate opinion and things as well.  "Some crook went
dumpster diving, now you are the victim of identity theft"  I think that
is the quote...

LONG WINDED: (or jump down to short and sweet)

Yes tons of informations is gathered from the Net for those that wish to
break into companies so a pen-test should include the public
information.  But  said information sometimes has contact numbers of
people in the company listed as such, you have to remember that there
may and should be a SE aspect of said Pen-Test.

What a good Pen-Test should not include is this:
A detailed contract that states:
These are the IP addresses, along with the associated OS and version of
the system at that IP address.

It should say: you can attack these ranges of IPs because we own them,
and this is where you are to focus (then the should stay with those
addresses and not stray unless the contract stipulates we have other
addresses that you can attack ANY IP that is owned by said company)

What a pen-test should not include:
Contracted interviews with all responsible employees by the pen-test
team in such a manner as: "we are ACME security services and we are
trying to find the preparing for a pen-test we need a list of accounts
and passwords that you use on a daily basis.  Even more so if you
anticipate valid answers.

What a pen-test should include is somebody calling in or making a phony
delivery or I am lost please help me visit to the company to see just
how far they can get in.  I know a place where the security guard barely
looks at the ID badge, and many employees of said place just walk past
the guard showing an ID rather than beep in at the proper location.
Even more so I know that the guard sometimes is busy and does not even
look up. I know this for a fact because at my place of employment I have
done just that.  Walked past the guard never to be asked for my ID or
questioned. then once inside I have never ever been asked for my ID.
So IMHO that would fail a pen-test.

The contract should include the fact that you are allowed to do that and
if you are allowed to try to enter restricted areas.  however, if a
"company" has as shoot to kill policy I would not suggest trying to go
to areas that you are not allowed to go to.

So in essence I think it does need a James Bond like essence to it.

 
SHORT AND SWEET:
IMHO, a good pen-test will have a contract that dictates 
1) Name of the company being tested and people that will be testing.
2) Any forbidden access methods.
3) Any forbidden tactics DOS/or even a shutdown of the server 
   (Real hackers will not care if they shutdown or DOS a server.)
4) Time of the attacks. (start/end date start/end time) 
   (Real hackers will not care about time.)
5) Maybe all telephone numbers owned by the company for a war-dial list.
   But this might not be shared with the whole team.  If a modem is 
   found a weakness is noted, and the actual intrusion team would have
   to find modems with SE or other methods.
6) If the team is going to be on premise can they enter restricted areas
   or are they only allowed to test the door to see if it is open.

This is the short and sweet.  I know that I am missing many points, but
this is a nice little start.  I could go on but I will not.




On Tue, 2006-02-07 at 14:53 -0600, Terry Vernon wrote:
> If we're going to fly off topic we may as well include locating external
> wire boxes and setting up a passive sniffer using an old laptop somewhere.
>
> There's a line drawn somewhere between contracting a pen test and hiring a
> company to send in a james bond-like person who will defeat physical
> security and repel down out of the ceiling and snatch the hotswap drives out
> of the old company netfinity and then write up a report that says
> "see...your network security is penetrable". Under those conditions that old
> "only safest computer is in a bunker unplugged blah blah blah" adage
> applies.
>
> Every company with client makes up its own guidelines. To me a 'network'
> pen-test should include what you can pry out of the company using only a
> computer(s) and the internet as 95% of cracked nets happen over the
> internet.
>
> In the quest to sound smart in front of our peers we cannot forget reality
> and that is this: Majority of crackers are script kiddies and the majority
> of crackjobs happen over the internet. The majority of companies looking for
> a pen-test don't own information important enough to anybody who would
> actually repel down out of their ceiling (or print up badges).
>
> I personally think the extent of the social engineering aspect should be
> what you can accomplish remotely, using the phone and email or whatever else
> in place. The rest are pipedreams and speculation until the situation
> changes.
>
> I WISH a company would call my company asking for a james bond like person
> to come penetrate their security. Being a cat burglar without fear of prison
> is the equivalent of...i dunno, something awesome.
>
> Who knows, maybe our discussions here will lead to an industry merger
> between physical and network security devices. Maybe the IPS of the future
> will monitor more than data.
>
> -Terry
>
> -----Original Message-----
> From: Pete Herzog [mailto:lists () isecom org] 
> Sent: Tuesday, February 07, 2006 8:38 AM
> To: Fixer
> Cc: Erin Carroll; 'Bob Radvanovsky'; 'Steven'; burzella () inwind it;
> pen-test () securityfocus com
> Subject: Re: Pen-Test and Social Engineering
>
> Hi,
>
> Fixer wrote:
> <SNIP>
> > Probably one of the best attacks that I've used is as follows:
> >
> > Create a handful of CDs with some legitimate looking (but totally bogus) 
> > data on it, an autorun script and a customized backdoor (one that 
> > on-demand AV won't see).
>
> I don't think I'm the only one who sees this as so dangerous as to be 
> insane to implement.  Any number of problems can happen where once it 
> leaves the building you are responsible for putting a trojan on systems 
> you can't clean up.  Maybe this is what SONY was trying to do too....
>
> > Also, if you want to invest a little more time (and money) into it, 
> > register a web site and create a simple site.  My favorite is to use a 
>
> Actually, something like this can be a measurable test.  Where you mimic 
> the employee's credit union site and start phishing to see how many 
> recognize changes, basic insecurities, and those who also report the 
> problem.  All measurable and very helpful as you can specifically make 
> the site with exactly the problems you expect them to know to be wary of 
> (because they've been taught this or have signed off on a contract 
> saying they read and understand this) and the phishing exercises across 
> many channels like phone, e-mail, company mail, and in person, to 
> discover areas requiring improvements.
>
> > Even something as simple as knowing 
> > what their badges look like can help.  It's amazing how simple it is to 
> > forge an ID badge once you know what they look like.  Ten minutes and 
> > the right hardware and you can make yourself an "employee" of anyone 
> > from CNN to the DoD (not to pick on them).
>
> I understand where this can be helpful in assisting a type of test but 
> only if the target is trained to recognize a forged badge.
>
> -pete.
> www.isecom.org - www.isestorm.org
>
> ----------------------------------------------------------------------------
> --
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking applications on your 
> website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
>
> futile against web application hacking. Check your website for
> vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks before hackers
> do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------------
> ---
>
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner: 
>
> Hackers are concentrating their efforts on attacking applications on your 
> website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
> futile against web application hacking. Check your website for vulnerabilities 
> to SQL injection, Cross site scripting and other web attacks before hackers do! 
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------
-- 
Leif Ericksen <leife () dls net>


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------