Re: Pen-Test and Social Engineering

["Steven" <steven () lovebug org>]

I would definitely say that social engineering can be considered part of a 
pen-test.  If you are able to get users to divulege information that assists 
you in compromising or gaining access to something, then you are doing 
exactly what a real attacker would have been able to do.  You might be able 
to trick them into telling you something via phone or e-mail, get them to 
physically do something like open a door or unlock a machine, or get them to 
run an executable or disable a firewall.  You might be able to get them to 
do under false pretenses, through their own ignorance or carelessness, or by 
other means.  Whatever you do can be considered part of a pen-test.

However, there are a few important things to keep in mind.  You want to 
definitely lay down the ground rules with whomever it is you are pen-testing 
for.  They might just want to see what machines an exploit can break into. 
You might really upset some people and get in trouble if you start trying to 
gain physical access or send trojans to executives.  Make sure they are 
aware of what you are doing and that you have approval.  Get everything in 
writing or in your agreement somewhere.

Anyway - one word answer to the questions IMO is Yes.

Steven

----- Original Message ----- 
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering


> Hi
> In yuor opinion, can a Social Engineering test be considered part of a 
> Pen-Test?
>
> Thanks
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications on your
> website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down servers 
> are
> futile against web application hacking. Check your website for 
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before 
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------