Penetration Testing mailing list archives

Re: Pen-Test and Social Engineering


From: Pete Herzog <lists () isecom org>
Date: Wed, 08 Feb 2006 17:22:12 +0100

Leif's correct, as has been much of the talk on this topic. However....

Leif Ericksen wrote:
<snip>
SHORT AND SWEET:
<snip>

What should or should not be in a pen-test has been right in the OSSTMM (www.osstmm.org) all along under the Rules of Engagement that say pretty much this but a bit more extended.

The problem isn't whether to give S.E. or not though, really, as it's clear it's part of it; the question is whether it should be included if done wrong. What is valid S.E. to include? And that's more than just the tests (range from James Bond all the way to out-right, dangerous fraud) because it's also the timing. If the tester achieves the goal through S.E. (my assumption is a pen-test has a goal unlike a security test) then will attempts through the network be minimized? Will they spend more time on S.E. because it has a greater chance of reaching the goal and that reduces the amount of time they have for testing other channels? I think S.E. can be a pen-test but to combine it with a test or a vector of a test is dangerous if it doesn't clearly have its own time limit in the SoW.

And for the James Bond fans, I find the "Bond" test type to be very much needed and I do know of many companies buying them. They just don't advertise it as such. It's usually companies looking to hire plain-clothes detectives or plants to uncover types of loss or subversion. Some retail chains even pay to have you steal to test their in-store detectives. I have worked a few of them pre-ISECOM and there is nothing glamorous about them. I talked about this at length 2 years ago at ISESTORM in Barcelona-- even gave some business leads to a few who asked later about pursuing this. I have to say it does give an odd sense of Bond-like intrigue and mystery; unfortunately you can't revel in it or else you'll blow your cover and the job. But if you're looking for that kind of work, I recommend putting a nice presentation together with the right facts and going after the retail, hotel, and restaurant market. If your work has the right pay-to-loss ratio, you may just find yourself a regular gig. Be prepared to actually have to do the work you're in the role for. Bond never had to vacuum floors or take out the trash. And Bob, the less we actually look like Bond and more like regular (albeit odd) folk, the better our chances of getting hired.

Sincerely,
-pete.

