Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Tim <pand0ra.usa () gmail com>
Date: Mon, 6 Feb 2006 13:16:21 -0700
I would agree with Louis on this. I have conducted SE with the client many times ONLY as an informative demonstration. I always had at least 1 user give up a password or convinced them to change it to one I knew.

One thing I would suggest is that SE testing be included in the scope; otherwise you are going to head down the road of woe. That goes for anything in a pentest: if it's not in the scope, plan on talking to lawyers for a while (or sharing a cell with Bubba).

I think Kevin Mitnick said once that everyone is subject to being socially engineered, no matter who you are. My personal opinion is that SE should be a part of the education process in an organization's security training. I also think that if SE is done, you definitely don't specify who passed or failed, as that can generate some hostilities within the organization. Like Louis said, metrics would be a good way to go.

On 3 Feb 2006 14:03:18 -0000, burzella () inwind it <burzella () inwind it> wrote:
Hi

In your opinion, can a Social Engineering test be considered part of a Pen-Test?

Thanks
Tim Van Cleave