RE: Penetration Testing - Human Factor

From: Paul Melson (pmelson@gmail.com)
Date: Mon Aug 21 2006 - 16:50:06 EDT


-----Original Message-----
Subject: Penetration Testing - Human Factor

> As a thorough sceptic I'd like to conclude in most cases of a TRUE hacking
> incident social engineering has been a factor of success for the malicious
> user attacking a system.

My experience has been just the opposite, but I do allow for the possibility
that you've got some movie-plot notion of what constitutes a "TRUE hacking
incident."

Most of the hacking incidents that I've encountered have fallen into one of
the following categories.

A) The system was connected to the Internet and inadequately hardened or
protected by a firewall.

B) There was a previously unknown vulnerability that an attacker exploited
(think web-app stuff as opposed to kr@d lee+ 0dayz).

C) The system compromise began with a benignly-intentioned user behaving
badly (installing rogue software, opening attachments from strangers, etc.)

I do acknowledge that the third scenario may involve some elements of social
engineering, but it was always used in conjunction with malicious code of
some sort. I have never investigated an attack, nor have I heard of an
actual live attack, in which someone with access to sensitive information
gave up their password to a hacker. So while they probably happen, they are
also probably not "most cases".

Social engineering (aka "a con") isn't as attractive a means of attacking
computers as it would seem. In my experience, most focused and targeted
attacks involve some degree of an insider element. In these cases, social
engineering may not be necessary - the insider often has some or all of the
privileges necessary to access sensitive systems. In more random attacks,
social engineering is time-consuming and risky.

> For quite a while now I have been compiling methodology on the assessment of
> the weak human security link which can be exploited through social
> engineering. Has anyone got any thoughts they would like to share or
> guidelines to the audit of the human factor when security is concerned?
>
> Any information is much appreciated.

Yes, any assessment of an organization's vulnerability to social engineering
attacks must be audited against the organization's controls, specifically
procedural controls. If an organization lacks said controls, an assessment
is meaningless - it should be assumed that social engineering will
eventually be successful. Once that requirement has been met, you can
assess how often procedure is followed and, if it is followed sufficiently,
how effective it is.

PaulM

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:46 EDT