Penetration Testing mailing list archives
Re: Pen-Test and Social Engineering
From: Pete Herzog <lists () isecom org>
Date: Tue, 07 Feb 2006 00:18:19 +0100
Hi all,

Bob Radvanovsky wrote:

<snip>
Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to, penetration testing and analysis. However, if someone were to define specific weights, based upon an interrogative matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are weighed), it might similarly be concluded as being more objective, rather than subjective. The federal government is very good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
</snip>

Very well said, Bob.

HUMINT / Personnel Security Testing contains many tests, but none that we refer to as Social Engineering in OSSTMM 3.0. And that is because, as you said, we found it to be nearly impossible to get objective, factual measurements from it that actually said more about the target than the tester. Furthermore, we require a lot to be documented of the environment and situation for the tests to be repeatable and therefore valid. A test cannot be said to have a valid conclusion if the process is not repeatable.

Social engineering, like pen-testing itself, is a wake-up call type service to get the attention of a problem. But they are not valid tests and, more often than not, they are a representation of the tester's skills and not the target's protection. As a wake-up call service, you pay to shake awake some of those asleep in the organization and get them to do something about security. But that something should be factual measurements of security operations which set baselines and lead to improvements. To manage security you need to measure it.

Check back at ISECOM (www.isecom.org) from time to time as we release more and more parts of OSSTMM 3.0 publicly, or take part in one of the many free seminars that go on around the world to learn a little bit more about how to do things like a personnel security test that really means something more than "duping" people.

Sincerely,
-pete.

www.isecom.org - www.isestorm.org