Re: Penetration Testing - Human Factor

From: K K Mookhey (kkmookhey@gmail.com)
Date: Wed Aug 23 2006 - 16:27:09 EDT


Isn't it also about the fact that people are very hesitant to report
incidents where they've been taken for a ride, and more willing to admit
technical goof ups such as not applying a patch?

We've offered clients social engineering attacks as part of pen-tests,
and have found takers for these too. Having said that, I think
targeted financial fraud leveraging computer systems usually happens
with a very strong component of social engineering, whereas regular
hacking (with possible financial results) is usually almost purely
technical.

Just my 2c.

KK

> On 8/23/06, Joey Peloquin <joeyp@cotse.net> wrote:
> > KeenerPB@mcnosc.usmc.mil wrote:
> > > I would disagree with Arian regarding the technical aspects of "true"
> > > hacking...in my experience, social engineering plays a huge role in
> > > successful compromise of a network. Most of the time the boundaries are
> > > pretty tight so you have to lob one over the fence (social engineering) in
> > > order to punch out from the inside to defeat the boundary devices.
> >
> > All due respect, I'm both an Enterprise pen-test customer and an internal
> > pen-tester at the same company, and I don't see social engineering on the
> > radar at all, save a mention as part of our security awareness program.
> >
> > How many enterprises do you all contract with that *actually* include social
> > engineering, and the like, in the scope? We've paid as much as 40K for an
> > engagement and it didn't include social engineering.
> >
> > -jp
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php
> > ------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:48 EDT