From: countz3r0@cox.net
Date: Thu Mar 11 2004 - 09:44:56 EST
I've come across this with one organization. They have two attractive people (1 male, 1 female) who perform the data gathering for their audits. One of my former co-workers was giving away the farm. I'm just jaded enough to see right through it.
>
> From: Sriram Lakshmanan <SriramL@hclcomnet.co.in>
> Date: 2004/03/10 Wed AM 03:47:07 EST
> To: "'Green, Neale S'" <neale.green@eds.com>,
> "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>
> Subject: RE: Papers on Sex as an audit tool?
>
> Really interesting point. In my limited audit experience, I have yet to come across
> the "fairer sex" being used to ferret info from clients. Although the outputs of
> the audit exercise would continue to depend on the IT managers /
> administrators, who need to apply their discretion while sharing inputs, as
> part of the pre-audit exercise maybe the management needs to be advised
> as to what kind of information is required to be shared. IT managers need to
> be made aware of any social engineering related drives (by any gender) in
> the guise of "Audit".
>
> I'd be interested in documents/publications on the issue (social
> engineering in general and using females for audit in particular); if anyone
> has any, please let me know.
>
> Regards
> Sriram, CISSP
>
> NB: Views expressed here are purely personal and have no bearing on the
> Organisation's work style / thought / policies.
>
> -----Original Message-----
> From: Green, Neale S [mailto:neale.green@eds.com]
> Sent: Wednesday, March 10, 2004 2:40 AM
> To: pen-test@securityfocus.com
> Subject: Papers on Sex as an audit tool?
>
>
>
> No, I'm not referring to the act (as far as I know); I'm referring to the
> common practice of the Big Audit Firms (and others) of peppering/"fleshing out"
> their audit teams with young, attractive people (male and female, but
> predominantly female due to the predominantly male base of the IT industry)
> with little or no skills or experience in technical, security or audit
> fields, to get information more easily by taking the proven "sex sells"
> sales tool and using it as a social engineering tool to more easily get the
> information they want out of an organisation.
>
> This trend has been increasing for years, and I have been trying to get the
> point across to our customers of what is happening, with little or no
> success, so I was wondering whether anyone knows of any papers on the
> subject that would help me get them to take it seriously.
>
> From my observation, external audit teams quite easily get information that
> they should not have access to (or at most with controlled, monitored
> access), by using the young, attractive members of the team to charm it out of
> the business or IT people who control the information. When queried on the
> process issues, the business or IT people in question can very rarely, if
> ever, see that they have been "played" and will invariably create excuses as
> to why they gave out the restricted information so readily.
>
> Obviously, we have a scenario whereby the average person would much rather
> believe that the people like them and/or are interested in them for
> themselves, and will refuse to accept that they have been used to get what
> the outside parties want (especially if they are ordinary, middle-aged,
> married men whose egos are titillated to have a young, attractive person appear to
> be interested in them; it is an unfortunate fact of life that many men are
> susceptible to this). The social engineering exercise and impact is no less
> notable because the external audit firms are supposedly "white hats" (or at
> most "grey hats"), rather than a "black hat" cracker who uses this
> mechanism for an outright attack, in that, no matter the final outcome, a
> significant degree of deception and social engineering is involved.
>
> Therefore, given that it is almost impossible to gain acceptance of the
> situation directly, and I have found no papers on the subject in personal
> searches, I was interested in whether others in the security community have any
> knowledge of papers on this subject.
>
> Thanking you in anticipation.
>
> NB: Standard disclaimer, the views expressed are personal views of the
> author, and are in no way indicative of the views or policies of EDS as a
> Corporate entity.
>
> Regards,
>
> Neale Green CISSP
> Information Security
> Phone: +61 2 937 80225
> Mobile: 0414 979 627
> Fax: +61 2 9312 6116
> Email: neale.green@eds.com
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
> any course! All of our class sizes are guaranteed to be 10 students or less
> to facilitate one-on-one interaction with one of our expert instructors.
> Attend a course taught by an expert instructor with years of in-the-field
> pen testing experience in our state of the art hacking lab. Master the
> skills
> of an Ethical Hacker to better assess the security of your organization.
> Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT