Username: Save?
Password:
Home Forum Links Search Login Register*
    News: Welcome to the TechnoWorldInc! Community!
Recent Updates
[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[November 08, 2024, 04:31:03 PM]

[October 17, 2024, 05:05:06 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[October 17, 2024, 04:53:18 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]

[September 09, 2024, 12:27:25 PM]
Subscriptions
Get Latest Tech Updates For Free!
Resources
   Travelikers
   Funistan
   PrettyGalz
   Techlap
   FreeThemes
   Videsta
   Glamistan
   BachatMela
   GlamGalz
   Techzug
   Vidsage
   Funzug
   WorldHostInc
   Funfani
   FilmyMama
   Uploaded.Tech
   MegaPixelShop
   Netens
   Funotic
   FreeJobsInc
   FilesPark
Participate in the fastest growing Technical Encyclopedia! This website is 100% Free. Please register or login using the login box above if you have already registered. You will need to be logged in to reply, make new topics and to access all the areas. Registration is free! Click Here To Register.
+ Techno World Inc - The Best Technical Encyclopedia Online! » Forum » THE TECHNO CLUB [ TECHNOWORLDINC.COM ] » Ethical Hacking / Security / Viruses
 Should Social Engineering be a part of Penetration Testing?
Pages: [1]   Go Down
  Print  
Author Topic: Should Social Engineering be a part of Penetration Testing?  (Read 1398 times)
Admin
Administrator
Adv. Member
*****



Karma: 208
Offline Offline

Posts: 496

TWI Admin

159511729 vatsal2002 superwebchampz
View Profile WWW
Should Social Engineering be a part of Penetration Testing?
« Posted: October 08, 2006, 08:01:05 PM »


This is actually a very interesting debate.

Just to introduce if you don?t know..

What is Penetration Testing

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Wikipedia

What is Social Engineering

It?s a bit cheesy, but we often call this hacking the wetware (hardware, software and wetware meaning people).

Social Engineering is a form of intrusion making use of weaknesses in the non-technical aspects of the system, the wetware also known as people. A common phrase would be ?Con man?, the most well known form of social engineering. In the technological realm, social engineering relates to unauthorized access of computing resources or network by exploiting human weaknesses.

In the historical sense con men would engineer their way into certain resources, someone?s bank account, shoe box under the bed and so on. In this context the social engineer would target someone that is authorized to use the network, or resource they wish to access and attempt to leverage some confidential information out of them that would compromise the network security.

This is what Mitnick was famous for, and what his book The Art of Deception is about.



I?ll probably cover this more later.

Does Social Engineering have a place in Penetration Testing?

Some people say yes, it?s the most effective way..Actually I?ve found this true, the human element and the lack of education in the workplace is often the weakest link in the chain.

Does it have any place in security testing, I would say definately yes. Some people would say perhaps it should be a seperate project, not in the ?technical? assessment of a security perimeter.

Or course it depends on the scope given by the client, but it should be part of any good Penetration Test or Vulnerability Assessment.



Why Social Engineering Should be in a Pen Test

For me whatever you do to get into the network, or escalate your access is part of a pen-test. If you are able to get users to divulge some kind of information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.

Many recent studies have shown people are still incredibly gullible and especially when presented with a ?Free CD? or something, they will happily put it in their drive and run it.

This mean in reality social engineering is an easy option to attack a network? no problem of IDS, no fear of being tracked by log analysis while attacking. Some attackers try to take out the information of network and internal devices bycalling the IT staff and pretending like a sales guy who is trying to sell a log analyzer or IDS. They will often say ?No we don?t need a new Firewall we already have a Cisco PIX?.

Why Social Engineering Shouldn?t be in a Pen Test

Some would say social engineering is a altogether a different game, the pen testing results could be used to socially engineer someone within the company, perhaps an extension of the pen-test rather than a part of it.

The target of the pen-test might be in a physically different location (Makes the SE more difficult) or the native language of the target may be different (Makes the SE pretty much impossibl).

Some people say don?t bother, because you WILL suceed with social engineering.

The main problem being technical testing is fairly scientific, you can apply metrics to it, you can measure it and you can track its effectiveness.

With social engineering, it?s still pretty much an artform and totally differs from person to person, it?s very hard to be scientific when it comes to conning people. Social Engineering may well be left out by large corporations unless it can be scientifically defined and metrics applied to it.



Things to Keep in Mind

However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.

Also there are many questions to be answered before doing an SE test - questions of legality, ethics and possible personal consequences for the people who were ?duped?. These have to be taken into consideration and could mean the social engineering part is not possible.

Please bear in mind the wellfare of the employees too, consider also adding a clause that protects the end-user from getting fired. Human nature is to be helpful, the problem is a lack of education, not a mistake from the user.

Summary

Social Engineering, you can include it or not based on the above information, if you don?t include it, you can always demonstrate it for information purposes to the management team or contact of the target organisation.

References: Discussion on SF Pen Test List

Logged

Pages: [1]   Go Up
  Print  
 
Jump to:  

Copyright © 2006-2023 TechnoWorldInc.com. All Rights Reserved. Privacy Policy | Disclaimer
Page created in 0.183 seconds with 23 queries.