Penetration Testing mailing list archives

Re: Pen-Test and Social Engineering


From: Neil <neil () voidfx net>
Date: Tue, 07 Feb 2006 18:54:24 +0530

You bring up a number of really good points.  I'm going to try to reply
to each point separately.

On 2/7/2006 12:24 AM, Bob Radvanovsky wrote:
Not necessarily...you could *still* have questions within an anticipated range of expected answers.  If I ask 
Question #1, I would expect to see potentially 4 to 6 (or however many) answers.  If the answers are not any of those 
anticipated, mark them as not being outlined within the initial set of answers to Question #1.  This does not mean 
that the answers are not validated, nor does it mean that you've lost the "human factor" to the outline. It simply 
means that the answers were not anticipated and not within the range.  This allows for a more measured response to 
any suite of questions asked, and thus, can show or pinpoint, through a series of these questions, whether the 
individual is lying or telling the truth, or can contain any information about a vulnerability or risk.  I, 
personally, foresee "social engineering" as being measured very similarly to that of the fictional "Voight-Kampf" 
psychological assessment to determine targets as being "Replicants" (Nexus Generation series Replicants) from the 
Movie, "Blade Runner" (ref: http://www.netipedia.com/index.php/Replicant and 
http://www.empireonline.com/forum/tm.asp?m=2267&mpage=4).

I think your technique (the expected answers, etc.) is very good, and
does begin to bridge the human-oriented side of an SE attack with the
arbitrary report-oriented side of pen-testing.

Hopefully your client has very specific policies about what to do in
a potential SE attack (i.e., if someone asks for a password reset, ask
these questions, confirm them at this place, alert this person, and do
these things...), and you have access to them before you write your
report.  Otherwise you're still going to be making judgment calls over
what is a valid response and what isn't as you draw your
charts/stats/etc for the report.

Again, see references about how the federal government has been doing it for years.  They've got it down to a set of 
"scripts" such that questions have been written to be asked in such a manner as to provoke a certain response.  To 
me, it's a form of plain and simple "interrogation" -- nothing more.  Thus, the thing that I feel differentiates 
between an "interrogative interview" versus a "social engineering event" is that random, human factorization -- of 
which, I would tend to agree with you, in that it might be very difficult to distinguish or (perhaps) differentiate 
between as being a "science" versus an "artform".

I guess my question would come down to this: How do psychologists interview people?  What they do is an 
empracticement that is repeatable, as well as repetitive, and is weighed based upon certain criteria, or perhaps even 
external influential factors that might determine that said individuals as being "<xxx>", right?  Would this not be 
considered as a "soft(er) science", as there are often times, too many unknown factors that might negate or mitigate 
their results, thus potentially skewing the end result or anticipated outcome?  Possibly.

(Lumping the above two together.)  The fact is, these are still not
definitive, there are still judgment calls made every day about the most
valid/accurate interpretation of what happens in those rooms.  Several
psychologists can hold sessions with the same person, and come to
different conclusions.  And again, you still have to account for
emotions and the like.  Lastly, psychologists don't always use scripts.
They may decide, and have training, to follow where the patient leads them.

And...with both circumstances, the net effect was obtained through a repeatable, reproducible process.  That is what 
distinguishes it as being classified as a "science".  ;))

Yes, there are certain norms.  But in a pen-test, I don't think you
really can deal with norms.  You'd need each case to be reproducible, I
think.  But that's hard to do with humans.

I suppose if you want to be pragmatic, you should just look at the
bottom line: did you get in with a SE?
If yes: client has a problem.
If no: client might have a problem, but we couldn't find it.
Though I suppose that's not really the sort of result that makes
a suit feel he got his money's worth.  But it is the truth.

Have I clarified my position on the matter, or does it appear that I've muddied them up further?

Sometimes you have to muddy up the river to find what you want at the
bottom...

[snip]


A colleague of mine pointed out that "social engineering" in of itself is neither an "artform" nor a "science", but 
rather a precursorary measurement or determination of the state (or status) of a given scenario, such that its mere 
determination usually would require *additional* investigation, thus in fact, might be construed as a "soft(er) 
science".  This would draw about a conclusion to your statement that "social engineering" is a valid "tool" that is 
utilized as a precursor for further investigative functions.  To that degree, I would agree with you, and thus, can 
see the relevancy to your point.  Also, as a generalized statement, most "hackers" often rely upon intuition and "gut 
instinct", but may be founded upon more concrete methods of thinking that are unexplainable to anyone outside of 
their "inner circle", without establishing that there may or may not be foundations based on the methodologies used.  
To me, because the "human factor" is involved so often, we refer to the "human factor" as the random, chaotic 
interactive state which exists within nature, representing the interaction between human and human kind, or human 
and animal kind.

On the contrary, because of the very unpredictability of SE, I would be
inclined to do everything I could as a pen-test without SE, record those
results.  And then start SE and see if that gets me any further in.
After all, a hole in the webserver is there.  It is a 'constant'
vulnerability.

SE, on the other hand, _is_ chaotic.  Maybe the target is usually very
conscious, but is in a rush that one day because his aging grandmother
is sick, and he thinks "Gee, I do this routine everyday, and I've never
spoken to a hacker, so let me just skip it this time."  On the other
hand, maybe the target usually skips procedures, but got the feeling he
was about to be fired, and so is sticking by the book today.  Or maybe
it's a temp today; who knows how that will change the situation?  You
can't account for those variables, and so building the pen-test off SE
makes the entire thing random, not just one aspect.  I would liken it to
the concept of significant figures in math.  You do everything to the
greatest accuracy possible, for the least possible doubt, and then at
the end you can make it less specific.

In conclusion, I was merely stating an observation based upon how others may perceive it.  I seriously doubt that we 
will be able to clearly define "social engineering" in a clear-cut manner without too much debate; there are just too 
many factors involved which, depending on your level of perception, can go either way as being either a "science" or 
an "artform", or in some circumstances, both.

Agreed.

-- 
Neil.
http://voidfx.net
"Make it idiot proof and someone will make a better idiot."
--Anonymous
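The "anticipated range of expected answers" Bob describes above, and the weighted "interrogative matrix" in his earlier message quoted below, can be turned into a small scoring tool for reporting the outcome of an authorized SE test. The following is an added illustration and not code posted by anyone on this thread; the question ids, weights, anticipated responses and the sample session log are all constructed for the example, and a real engagement would take them from the client's own policies.

```python
"""Weighted interrogative matrix for scoring a social-engineering (SE) test.

Added illustration for this thread, not code posted by any participant.
Question ids, weights, anticipated answers and the sample session are all
constructed here; a real engagement would take them from the client's own
policies (e.g. what the help desk must do on a password-reset call).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    qid: str
    prompt: str          # the pretext or request the tester presents
    weight: float        # how much this scenario counts in the total
    anticipated: dict    # normalized response -> policy score, 1.0 = followed policy


def normalize(answer: str) -> str:
    """Collapse case and whitespace so minor transcription differences match."""
    return " ".join(answer.lower().split())


# Constructed matrix: three pretexts with the responses the client's policy
# leads us to expect, each scored by how well it follows that policy.
MATRIX = [
    Question("Q1", "Caller asks for a password reset without a ticket", 3.0,
             {"verified employee id and callback number": 1.0,
              "escalated to supervisor": 0.8,
              "refused": 1.0,
              "reset password": 0.0}),
    Question("Q2", "Caller asks for the internal extension list", 1.0,
             {"refused": 1.0,
              "gave partial list": 0.3,
              "gave full list": 0.0}),
    Question("Q3", "Visitor without a badge asks to be let in", 2.0,
             {"directed to reception": 1.0,
              "held door": 0.0}),
]

# Constructed session log: (question id, what the staff member actually did).
SAMPLE_SESSION = [
    ("Q1", "Verified employee ID and callback number"),
    ("Q2", "gave full list"),
    ("Q3", "asked me to wait while she called security"),
]


def score_session(matrix, session, fail_threshold=0.5):
    """Score one SE session against the matrix.

    Anticipated responses contribute weight * policy_score to the total and
    weight to the maximum.  Responses outside the anticipated set are not
    treated as failures: they are excluded from both totals and returned in
    'unanticipated' for a human reviewer, as the thread suggests.
    """
    by_id = {q.qid: q for q in matrix}
    score = max_score = 0.0
    failed, unanticipated = [], []
    for qid, answer in session:
        if qid not in by_id:
            raise ValueError(f"unknown question id {qid!r}")
        q = by_id[qid]
        key = normalize(answer)
        if key not in q.anticipated:
            unanticipated.append((qid, answer))
            continue
        policy_score = q.anticipated[key]
        score += q.weight * policy_score
        max_score += q.weight
        if policy_score < fail_threshold:
            failed.append(qid)
    resilience = score / max_score if max_score else None
    return {"score": score, "max_score": max_score, "resilience": resilience,
            "failed": failed, "unanticipated": unanticipated}


if __name__ == "__main__":
    result = score_session(MATRIX, SAMPLE_SESSION)
    print(f"score {result['score']}/{result['max_score']} "
          f"(resilience {result['resilience']:.2f})")
    print("policy failures:", result["failed"])
    print("needs human review:", result["unanticipated"])
```

On the constructed session this reports 3.0 of a possible 4.0 (Q2 is the policy failure) and lists Q3 for human review rather than counting it either way, which is the distinction Bob draws between an answer being unanticipated and an answer being invalid. The weights and the fail threshold are the part a client would have to agree to in advance, since they are what turn one day's calls into a number on a report.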


----- Original Message -----
From: Neil [mailto:neil () voidfx net]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Subject: Re: Pen-Test and Social Engineering


I think you will find that in the process of making SE into a Science,
you will be making it less effective than it is to an attacker, and thus
misrepresenting the risk it entails.

To make SE a science, which as you said would be repeatable and
reproducible, you would have to remove aspects of social engineering
that appeal to the target's emotions.  (The fact that if you keep
someone in the same emotional state, their reaction to a stimulus should
be the same becomes irrelevant because the fact is that people will not
be in the same emotional state every time you pen-test.)  However,
intruders would definitely not hesitate to capitalize on a person's
emotions.

So, at best, all you can say is: "Here are the results of social
engineering during one day on our pen-test.  Be aware that if everyone
was having a particularly good or bad day, this would not compensate for
that, only the results of what we did that day."

On 2/6/2006 9:23 PM, Bob Radvanovsky wrote:
Having observed many people's responses, I would like to make a comment...

To me, "social engineering" may be considered as an artform of assessing
risk through human interaction, as each and every individual conducting the
SE has their own unique way or method of conducting an SE exercise.  To
many, I have observed that "yes", it is considered a part of, or subset to,
"penetration testing and analysis", focusing more entirely on the human
aspects and factors of human interaction.  Thus, the terminology, by its
very existence, is subjective to its audience based upon its perspective. 
How it's interpreted, how it's utilized, what are the human traits and/or
factors utilized to acquire or determine weakness, and of course, what are
the eventual outcomes -- all of which play a decisive role in the outcome of
the SE criteria.
To some, SE is nothing more than demonstrating prowess of one's ability
to (essentially) "dupe" or "con" another human.  To others, it's an
interrogative function to acquire sensitive and/or valuable information in
small bits and pieces, then re-assemble all the data fragments collectively
into a (hopefully) fully-assembled data model once the data gathering
function has been completed (also subjective, as deemed as being completed).
Thus, based upon its very nature as being subjective, it could be
concluded that SE is not a part of, or subset to, penetration testing and
analysis.  However, if someone were to define specific weights, based upon
an interrogative matrix (specific questions to be asked to targeted
individuals, and the anticipated types of responses -- all are weighed),
might similarly be concluded as being more objective, rather than
subjective.  The federal government is very good at interrogative functions,
esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
So...though it may not to appear as conclusive, much of its very being
depends upon how it is setup, how it is utilized, what are the expected or
anticipated goals, and how is the information (once obtained) utilized --
all of which may be considered a form of social testing of targeted or
selected groups of individuals (and their affiliated organizations).  If the
SE function is based upon a weighed criteria, then it could be considered
more so as a "science", rather than an "artform", and thus, may be construed
as a part of, or subset to, a "penetration test and analysis" function;
otherwise, it remains nothing more than an "artform", as its exact function
would not be capable of an *exact* functional reproduction (meaning, can the
exact or same criteria be reproduced each and every time, and can the
outcome be predictably produced, using the same methods, each and every
time?).  Until SE can be empowered more so as a "science" with a
reproducible, repeatable function each and every time, then I could see
where people would not categorize "social engineering" as a part of, or
subset to, a "penetration test".
Until SE may be conclusively defined into a "science", many organizations
will never consider it anything more than an "artform".
Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax) 


----- Original Message -----
From: Steven [mailto:steven () lovebug org]
To: burzella () inwind it, pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering


I would definitely say that social engineering can be considered part of a
pen-test.  If you are able to get users to divulge information that assists
you in compromising or gaining access to something, then you are doing
exactly what a real attacker would have been able to do.  You might be able
to trick them into telling you something via phone or e-mail, get them to
physically do something like open a door or unlock a machine, or get them to
run an executable or disable a firewall.  You might be able to get them to
do so under false pretenses, through their own ignorance or carelessness, or
by other means.  Whatever you do can be considered part of a pen-test.

However, there are a few important things to keep in mind.  You want to
definitely lay down the ground rules with whomever it is you are pen-testing
for.  They might just want to see what machines an exploit can break into.
You might really upset some people and get in trouble if you start trying to
gain physical access or send trojans to executives.  Make sure they are
aware of what you are doing and that you have approval.  Get everything in
writing or in your agreement somewhere.

Anyway - one word answer to the questions IMO is Yes.

Steven

----- Original Message ----- 
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering


Hi
In your opinion, can a Social Engineering test be considered part of a
Pen-Test?

Thanks

