Penetration Testing mailing list archives

Re: Pen-Test and Social Engineering


From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Feb 2006 12:54:47 -0600

Not necessarily...you could *still* have questions within an anticipated range of expected answers.  If I ask Question 
#1, I would expect to see potentially 4 to 6 (or however many) answers.  If the answers are not any of those 
anticipated, mark them as not being outlined within the initial set of answers to Question #1.  This does not mean that 
the answers are not validated, nor does it mean that you've lost the "human factor" to the outline. It simply means 
that the answers were not anticipated and not within the range.  This allows for a more measured response to any suite 
of questions asked, and thus, can show or pinpoint, through a series of these questions, whether the individual is 
lying or telling the truth, or can contain any information about a vulnerability or risk.  I, personally, foresee 
"social engineering" as being measured very similarly to that of the fictional "Voight-Kampff" psychological assessment 
to determine targets as being "Replicants" (Nexus Generation series Replicants) from the Movie, "Blade Runner" (ref: 
http://www.netipedia.com/index.php/Replicant and http://www.empireonline.com/forum/tm.asp?m=2267&mpage=4).

Again, see references about how the federal government has been doing it for years.  They've got it down to a set of 
"scripts" such that questions have been written to be asked in such a manner as to provoke a certain response.  To me, 
it's a form of plain and simple "interrogation" -- nothing more.  Thus, the thing that I feel differentiates between an 
"interrogative interview" versus a "social engineering event" is that random, human factorization -- of which, I would 
tend to agree with you, in that it might be very difficult to distinguish or (perhaps) differentiate between as being a 
"science" versus an "artform".

I guess my question would come down to this: How do psychologists interview people?  What they do is an empracticement 
that is repeatable, as well as repetitive, and is weighed based upon certain criteria, or perhaps even external 
influential factors that might determine said individuals as being "<xxx>", right?  Would this not be considered 
as a "soft(er) science", as there are often times, too many unknown factors that might negate or mitigate their 
results, thus potentially skewing the end result or anticipated outcome?  Possibly.

And...with both circumstances, the net effect was obtained through a repeatable, reproducible process.  That is what 
distinguishes it as being classified as a "science".  ;))

Have I clarified my position on the matter, or does it appear that I've muddied them up further?

I'm (really) not being argumentative about this subject -- just that it is (to me) a difficult topic to discuss 
*openly* on a public discussion forum.  There are no clear-cut answers to this debate; however, I am hoping to shed 
some light about how both sides perceive "social engineering", taking the role of that to the "Devil's Advocate".  I 
*do* see the validity in your response, but perhaps you can see just how I'm perceiving this?  If you have a process 
that is not easily explainable, cannot be documented quickly (has or draws upon too many possible conclusions without 
concrete results), or might (or might not) be reproducible, what would you consider this then?

In this case, I would speculate that a "science" is an empracticement of a process, methodology, or procedure that is 
reproducible and is considered logical in nature, thus formulating or drawing upon a conclusion to the net result.  
Science (generally) "refers to a system of acquiring knowledge – based on empiricism, experimentation, and 
methodological naturalism – aimed at finding out the truth.  The basic unit of knowledge is the theory, which is a 
hypothesis that is predictive.  The term "science" also refers to the organized body of knowledge humans have gained by 
such research." (ref: http://en.wikipedia.org/wiki/Science)  Could you base your decision to determine if the target 
location were vulnerable based on a few abstract questions?  I doubt that I could answer that question, esp. if a 
C-level executive were asking the question.  Their questions, though speculative in nature, are founded on one thing: 
what will this do to impact my company?

A colleague of mine pointed out that "social engineering" in of itself is neither an "artform" nor a "science", but 
rather a precursory measurement or determination of the state (or status) of a given scenario, such that its mere 
determination usually would require *additional* investigation, thus in fact, might be construed as a "soft(er) 
science".  This would draw about a conclusion to your statement that "social engineering" is a valid "tool" that is 
utilized as a precursor for further investigative functions.  To that degree, I would agree with you, and thus, can see 
the relevancy to your point.  Also, as a generalized statement, most "hackers" often rely upon intuition and "gut 
instinct", but may be founded upon more concrete methods of thinking that are unexplainable to anyone outside of their 
"inner circle", without establishing that there may or may not be foundations based on the methodologies used.  To me, 
because the "human factor" is involved so often, we refer to the "human factor" as the random, chaotic 
interactive state which exists within nature, representing the interaction between human and human kind, or human and 
animal kind.

In conclusion, I was merely stating an observation based upon how others may perceive it.  I seriously doubt that we 
will be able to clearly define "social engineering" in a clear-cut manner without too much debate; there are just too 
many factors involved which, depending on your level of perception, can go either way as being either a "science" or an 
"artform", or in some circumstances, both.

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax) 

*** DISCLAIMER NOTICE ***
This electronic mail ("e-mail") message, including any and/or all attachments, is for the sole use of the intended 
recipient(s), and may contain confidential and/or privileged information, pertaining to business conducted under the 
direction and supervision of Bob Radvanovsky and/or his affiliates, as well as is the property of Bob Radvanovsky 
and/or his affiliates, or otherwise protected from disclosure.  All electronic mail messages, which may have been 
established as expressed views and/or opinions (stated either within the electronic mail message or any of its 
attachments), are left at the sole discretion and responsibility of that of the sender, and are not necessarily 
attributed to Bob Radvanovsky.  Unauthorized interception, review, use, disclosure or distribution of any such 
information contained within this electronic mail message and/or its attachment(s), is(are) strictly prohibited.  As 
this e-mail may be legally privileged and/or confidential and is intended only for the use of the addressee(s), no 
addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be 
viewed by any individual not originally listed as a recipient.  If the reader of this message is not the intended 
recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking 
of any action in reliance upon the information herein is strictly prohibited.  If you have received this communication 
in error, please notify the sender immediately, followed by the deletion of this or any related message. 




----- Original Message -----
From: Neil [mailto:neil () voidfx net]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Subject: Re: Pen-Test and Social Engineering


I think you will find that in the process of making SE into a Science,
you will be making it less effective than it is to an attacker, and thus
misrepresenting the risk it entails.

To make SE a science, which as you said would be repeatable and
reproducible, you would have to remove aspects of social engineering
that appeal to the target's emotions.  (The fact that if you keep
someone in the same emotional state, their reaction to a stimulus should
be the same becomes irrelevant because the fact is that people will not
be in the same emotional state every time you pen-test.)  However,
intruders would definitely not hesitate to capitalize on a person's
emotions.

So, at best, all you can say is: "Here are the results of social
engineering during one day on our pen-test.  Be aware that if everyone
was having a particularly good or bad day, this would not compensate for
that, only the results of what we did that day."

On 2/6/2006 9:23 PM, Bob Radvanovsky wrote:
Having observed many people's responses, I would like to make a comment...

To me, "social engineering" may be considered as an artform of assessing
risk through human interaction, as each and every individual conducting the
SE has their own unique way or method of conducting an SE exercise.  To
many, I have observed that "yes", it is considered a part of, or subset to,
"penetration testing and analysis", focusing more entirely on the human
aspects and factors of human interaction.  Thus, the terminology, by its
very existence, is subjective to its audience based upon its perspective. 
How it's interpreted, how it's utilized, what are the human traits and/or
factors utilized to acquire or determine weakness, and of course, what are
the eventual outcomes -- all of which play a decisive role in the outcome of
the SE criteria.

To some, SE is nothing more than demonstrating prowess of one's ability
to (essentially) "dupe" or "con" another human.  To others, it's an
interrogative function to acquire sensitive and/or valuable information in
small bits and pieces, then re-assemble all the data fragments collectively
into a (hopefully) fully-assembled data model once the data gathering
function has been completed (also subjective, as deemed as being completed).

Thus, based upon its very nature as being subjective, it could be
concluded that SE is not a part of, or subset to, penetration testing and
analysis.  However, if someone were to define specifics weights, based upon
an interrogative matrix (specific questions to be asked to targeted
individuals, and the anticipated types of responses -- all are weighed),
might similarly be concluded as being more objective, rather than
subjective.  The federal government is very good at interrogative functions,
esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.

So...though it may not to appear as conclusive, much of its very being
depends upon how it is setup, how it is utilized, what are the expected or
anticipated goals, and how is the information (once obtained) utilized --
all of which may be considered a form of social testing of targeted or
selected groups of individuals (and their affiliated organizations).  If the
SE function is based upon a weighed criteria, then it could be considered
moreso as a "science", rather than an "artform", and thus, may be construed
as a part of, or subset to, a "penetration test and analysis" function;
otherwise, it remains nothing more than an "artform", as its exact function
would not be capable of an *exact* functional reproduction (meaning, can the
exact or same criteria be reproduced each and every time, and can the
outcome be predictably produced, using the same methods, each and every
time?).  Until SE can be empowered moreso as a "science" with a
reproducible, repeatable function each and every time, then I could see where people would not categorize "social
engineering" as a part of, or subset to, a "penetration test".

Until SE may be conclusively defined into a "science", many organizations
will never consider it anything more than an "artform".

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax) 





----- Original Message -----
From: Steven [mailto:steven () lovebug org]
To: burzella () inwind it, pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering


I would definitely say that social engineering can be considered part of
a pen-test.  If you are able to get users to divulge information that
assists you in compromising or gaining access to something, then you are
doing exactly what a real attacker would have been able to do.  You might
be able to trick them into telling you something via phone or e-mail, get
them to physically do something like open a door or unlock a machine, or
get them to run an executable or disable a firewall.  You might be able to
get them to do it under false pretenses, through their own ignorance or
carelessness, or by other means.  Whatever you do can be considered part
of a pen-test.

However, there are a few important things to keep in mind.  You want to
definitely lay down the ground rules with whomever it is you are
pen-testing for.  They might just want to see what machines an exploit can
break into.  You might really upset some people and get in trouble if you
start trying to gain physical access or send trojans to executives.  Make
sure they are aware of what you are doing and that you have approval.  Get
everything in writing or in your agreement somewhere.

Anyway - one word answer to the questions IMO is Yes.

Steven

----- Original Message ----- 
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering


Hi
In your opinion, can a Social Engineering test be considered part of a 
Pen-Test?

Thanks



-- 
Neil.
http://voidfx.net
"Lord, grant me the strength to accept the things I cannot change, the
courage to try to change the things I can, and the wisdom to hide the
bodies of the people I had to kill because they pissed me off."
--Anonymous

