RE: Papers on Sex as an audit tool?

From: Botwick, Jason (GEI, MORT, Contractor) (Jason.Botwick@ge.com)
Date: Tue Mar 09 2004 - 17:27:44 EST


I'd be surprised (but very interested) if there were papers like this
specifically related to security auditing & pen testing. But there is tons
of psych-soc literature that addresses the issue in more generalized ways,
plus there's plenty of info on social engineering in general.

The subject is interesting for a number of obvious reasons, but also because
of the delicacy with which it would need to be broached with the players on
both sides of a real-life "incident". There are a couple of Dilbert cartoons
in here somewhere.

It bet it does happen on purpose, but I have to say that a lot of auditors
I've dealt with in the past are recent college grads, and therefore young,
and therefore somewhat more likely to be attractive to older men, so that
might be a bit of a confound. Conversely, I've also dealt with auditors who
weren't much to look at and also weren't particularly well-versed (if not
downright ignorant) in the subject of their auditing.

Or maybe it was just easier for me to notice. :)

-----Original Message-----
From: Green, Neale S [mailto:neale.green@eds.com]
Sent: Tuesday, March 09, 2004 4:10 PM
To: pen-test@securityfocus.com
Subject: Papers on Sex as an audit tool?

No, I'm not referring to the act ( as far as I know ), I'm referring to the
common practice of the Big Audit Firms (and others) to pepper/"flesh out"
their audit teams with young, attractive people (male and female, but
predominantly female due to the predominantly male base of the IT Industry )
with little or no skills or experience in technical, security or audit
fields, to get information more easily through taking the proven "sex sells"
sales tool, and using it as a social engineering tool to more easily get the
information they want out of an organisation.

This trend has been increasing for years, and I have been trying to get the
point across to our customers of what is happening, with little or no
success, so I was wondering whether anyone knows of any papers on the
subject that would help me get them to take it seriously.

>From my observation, external audit teams quite easily get information that
they should not have access to ( or at most, controlled, monitored, access
), by using the young, attractive, members of the team to charm it out of
the business or IT people who control the information. When queried on the
process issues, the business or IT people in question can very rarely, if
ever, see that they have been "played" and will invariably create excuses as
to why they gave out the restricted information so readily.

Obviously, we have a scenario whereby the average person would much rather
believe that the people like them and/or are interested in them for
themselves, and will refuse to accept that they have been used to get what
the outside parties want ( especially if they are ordinary, middle aged,
married men who's egos are titillated to have a young, attractive appear to
be interested in them, it is an unfortunate fact of life that many men are
susceptible to this ). The social engineering exercise and impact is no less
notable because the external audit firms are supposedly "white hats" ( or at
most, Grey hats" ), rather than a "black hat" cracker who uses this
mechanism for an outright attack, in that, no matter the final outcome, a
significant degree of deception and social engineering is involved.

Therefore, given that it is almost impossible to gain acceptance of the
situation directly, and I have found no papers on the subject in personal
searches, I was interested whether others in the Security community have any
knowledge of papers on this subject?

Thanking you in anticipation.

NB: Standard disclaimer, the views expressed are personal views of the
author, and are in no way indicative of the views or policies of EDS as a
Corporate entity.

Regards,

Neale Green CISSP
Information Security
Phone: +61 2 937 80225
Mobile: 0414 979 627
Fax: +61 2 9312 6116
Email: neale.green@eds.com

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT