Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Feb 2006 09:53:02 -0600
Having observed many people's responses, I would like to make a comment...

To me, "social engineering" may be considered as an artform of assessing risk through human interaction, as each and every individual conducting the SE has their own unique way or method of conducting an SE exercise. To many, I have observed that "yes", it is considered a part of, or subset to, "penetration testing and analysis", focusing more entirely on the human aspects and factors of human interaction. Thus, the terminology, by its very existence, is subjective to its audience based upon its perspective. How it's interpreted, how it's utilized, what are the human traits and/or factors utilized to acquire or determine weakness, and of course, what are the eventual outcomes -- all of which play a decisive role in the outcome of the SE criteria.

To some, SE is nothing more than demonstrating prowess of one's ability to (essentially) "dupe" or "con" another human. To others, it's an interrogative function to acquire sensitive and/or valuable information in small bits and pieces, then re-assemble all the data fragments collectively into a (hopefully) fully-assembled data model once the data gathering function has been completed (also subjective, as deemed as being completed). Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to, penetration testing and analysis.

However, if someone were to define specific weights, based upon an interrogative matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are weighed), might similarly be concluded as being more objective, rather than subjective. The federal government is very good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.

So...though it may not appear as conclusive, much of its very being depends upon how it is set up, how it is utilized, what are the expected or anticipated goals, and how is the information (once obtained) utilized -- all of which may be considered a form of social testing of targeted or selected groups of individuals (and their affiliated organizations).

If the SE function is based upon a weighed criteria, then it could be considered more so as a "science", rather than an "artform", and thus, may be construed as a part of, or subset to, a "penetration test and analysis" function; otherwise, it remains nothing more than an "artform", as its exact function would not be capable of an *exact* functional reproduction (meaning, can the exact or same criteria be reproduced each and every time, and can the outcome be predictably produced, using the same methods, each and every time?).

Until SE can be empowered more so as a "science" with a reproducible, repeatable function each and every time, then I could see where people would not categorize "social engineering" as a part of, or subset to, a "penetration test". Until SE may be conclusively defined into a "science", many organizations will never consider it anything more than an "artform".

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)

----- Original Message -----
From: Steven [mailto:steven () lovebug org]
To: burzella () inwind it, pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering

I would definitely say that social engineering can be considered part of a pen-test. If you are able to get users to divulge information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do so under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.

However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.

Anyway - one word answer to the question IMO is Yes.

Steven

----- Original Message -----
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering

Hi

In your opinion, can a Social Engineering test be considered part of a Pen-Test?

Thanks