RE: Pen-Test and Social Engineering

["Andrew Lacey" <andrew.lacey () classicblue com au>]

Consider also adding a clause that vindicates the end user.. (so they
don't get fired)

By nature most people are willing to help and it is usually the
process/procedure where it breaks down.

i.e. Users don't know what information is sensitive, or they didn't
follow the procedure to the letter at 4am because they couldn't get a
hold of their line manager. 


-----Original Message-----
From: Sysmin Sys73m47ic [mailto:sysmin.systematic () gmail com] 
Sent: Monday, 6 February 2006 9:07 AM
To: pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering

> In yuor opinion, can a Social Engineering test be considered part of a
Pen-Test?

It just depends on the terms of engagement and the scope of the
assessment. Some companies are funny about social engineering and may be
strongly opposed to having it included in an assessment. Every company
also has different levels of knowledge and ideas about what a pen-test
consists of. Just be sure everything is on paper first before doing
anything.

In my opinion, social engineering is part of any good pen-test.


--
Sysmin Sys73m47ic
S3curi7y R3s34rch3r
The Hacker Pimps!
DC904

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------