RE: Papers on Sex as an audit tool?

From: no-google (sendai@amerion.com)
Date: Thu Mar 11 2004 - 14:12:02 EST


Quite frankly if you need a paper on using sex as an audit tool, then
you're not going to be able to pull it off. I've used sexuality on many
occasions to both extract information and distract clients and I'm a
male. It's classic social engineering stuff: pick your target, dig for
the info you need if they have it and if not find out who does, repeat
as necessary until you get what you want. Note that I'm not talking
about sleeping with someone, but simple compliments and intimate
inferences will take you very far. Misdirection is your friend.

> -----Original Message-----
> From: Sriram Lakshmanan [mailto:SriramL@hclcomnet.co.in]
> Sent: Wednesday, March 10, 2004 3:47 AM
> To: 'Green, Neale S'; 'pen-test@securityfocus.com'
> Subject: RE: Papers on Sex as an audit tool?
>
> Really interesting point. In my limited audit experience, I have yet to
> come across the "fairer sex" being used to ferret info from clients.
> Although the outputs of the audit exercise would continue to depend on
> the IT managers / administrators, who need to apply their discretion
> while sharing inputs, as part of the pre-audit exercise maybe the
> management needs to be advised as to what kind of information is
> required to be shared. IT managers need to be made aware of any social
> engineering related drives (by any gender) in the guise of "Audit".
>
> I'd be interested in the documents/publications towards the issue
> (social engineering in general and using females for Audit in
> particular); if anyone has any, please let me know.
>
> Regards
> Sriram, CISSP
>
> NB: Views expressed here are purely personal and have no bearing on the
> Organisation's work style / thought / policies.
>
> -----Original Message-----
> From: Green, Neale S [mailto:neale.green@eds.com]
> Sent: Wednesday, March 10, 2004 2:40 AM
> To: pen-test@securityfocus.com
> Subject: Papers on Sex as an audit tool?
>
>
>
> No, I'm not referring to the act ( as far as I know ), I'm referring to
> the common practice of the Big Audit Firms (and others) to pepper/"flesh
> out" their audit teams with young, attractive people (male and female,
> but predominantly female due to the predominantly male base of the IT
> Industry ) with little or no skills or experience in technical, security
> or audit fields, to get information more easily by taking the proven
> "sex sells" sales tool and using it as a social engineering tool to more
> easily get the information they want out of an organisation.
>
> This trend has been increasing for years, and I have been trying to get
> the point across to our customers of what is happening, with little or
> no success, so I was wondering whether anyone knows of any papers on the
> subject that would help me get them to take it seriously.
>
> From my observation, external audit teams quite easily get information
> that they should not have access to ( or at most, controlled, monitored,
> access ), by using the young, attractive members of the team to charm it
> out of the business or IT people who control the information. When
> queried on the process issues, the business or IT people in question can
> very rarely, if ever, see that they have been "played" and will
> invariably create excuses as to why they gave out the restricted
> information so readily.
>
> Obviously, we have a scenario whereby the average person would much
> rather believe that the people like them and/or are interested in them
> for themselves, and will refuse to accept that they have been used to
> get what the outside parties want ( especially if they are ordinary,
> middle-aged, married men whose egos are titillated to have a young,
> attractive person appear to be interested in them; it is an unfortunate
> fact of life that many men are susceptible to this ). The social
> engineering exercise and impact is no less notable because the external
> audit firms are supposedly "white hats" ( or at most, "grey hats" ),
> rather than a "black hat" cracker who uses this mechanism for an
> outright attack, in that, no matter the final outcome, a significant
> degree of deception and social engineering is involved.
>
> Therefore, given that it is almost impossible to gain acceptance of the
> situation directly, and I have found no papers on the subject in
> personal searches, I was interested whether others in the Security
> community have any knowledge of papers on this subject?
>
> Thanking you in anticipation.
>
> NB: Standard disclaimer, the views expressed are personal views of the
> author, and are in no way indicative of the views or policies of EDS as
> a Corporate entity.
>
> Regards,
>
> Neale Green CISSP
> Information Security
> Phone: +61 2 937 80225
> Mobile: 0414 979 627
> Fax: +61 2 9312 6116
> Email: neale.green@eds.com
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT