From: Petr.Kazil@eap.nl
Date: Sun Feb 05 2006 - 14:07:11 EST
> In your opinion, can a Social Engineering test be considered part of
> a Pen-Test?
In my circles the opinions are divided on this subject:
- Some of my colleagues include a social engineering test in their
pentests, and they summarize their experience as "it always succeeds".
- When I proposed a SE-test to one security officer his response was: "not
really necessary, because I can predict the answer already: you will
succeed". (!)
- Other colleagues say: "we do physical penetration tests, but for legal
reasons we're not allowed to tell lies during such a test, so we can't do
SE tests".
- There are many questions to be answered before doing an SE test -
questions of legality, ethics and possible personal consequences for the
people who were "duped".
- Therefore I never really tried getting permission for a SE test, because
I didn't want to plow my way through all the boards and departments
(security, IT, legal, human resources). And I think a good SE attack
requires special acting and improvisation talents (like the "Talented Mr.
Ripley") that I certainly don't have.
Personally I would like to do the following "soft" SE-test (as part of a
pentest) and would be very curious about the outcome:
1) For "company X" harvest 100 e-mail adresses from Google.
2) Send a spam-like mail to all the adresses, inviting them to download
the great "cuddly animals screensaver".
3) Include a personalized link in each spam mail like:
http:/webserver/123/animal_screensaver
4) Count how many persons tried to download the screensaver.
Has anyone ever tried something like this? This could be part of a
security awareness campaign.
I tried it out on our (two) secretaries and one of them still has the
screensaver running on her desktop :-)
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:26 EDT