Re: Pen-Test and Social Engineering

From: Steven (steven@lovebug.org)
Date: Sun Feb 05 2006 - 13:20:07 EST


I would definitely say that social engineering can be considered part of a
pen-test. If you are able to get users to divulge information that assists
you in compromising or gaining access to something, then you are doing
exactly what a real attacker would have been able to do. You might be able
to trick them into telling you something via phone or e-mail, get them to
physically do something like open a door or unlock a machine, or get them to
run an executable or disable a firewall. You might be able to get them to
do so under false pretenses, through their own ignorance or carelessness, or by
other means. Whatever you do can be considered part of a pen-test.

However, there are a few important things to keep in mind. You want to
definitely lay down the ground rules with whomever it is you are pen-testing
for. They might just want to see what machines an exploit can break into.
You might really upset some people and get in trouble if you start trying to
gain physical access or send trojans to executives. Make sure they are
aware of what you are doing and that you have approval. Get everything in
writing or in your agreement somewhere.

Anyway - one word answer to the questions IMO is Yes.

Steven

----- Original Message -----
From: <burzella@inwind.it>
To: <pen-test@securityfocus.com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering

> Hi
> In your opinion, can a Social Engineering test be considered part of a
> Pen-Test?
>
> Thanks
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:26 EDT