Re: Pen-Test and Social Engineering

From: Bob Radvanovsky (rsradvan@unixworks.net)
Date: Mon Feb 06 2006 - 10:53:02 EST


Having observed many people's responses, I would like to make a comment...

To me, "social engineering" may be considered as an artform of assessing risk through human interaction, as each and every individual conducting the SE has their own unique way or method of conducting an SE exercise. To many, I have observed that "yes", it is considered a part of, or subset to, "penetration testing and analysis", focusing more entirely on the human aspects and factors of human interaction. Thus, the terminology, by its very existence, is subjective to its audience based upon its perspective. How it's interpreted, how it's utilized, what are the human traits and/or factors utilized to acquire or determine weakness, and of course, what are the eventual outcomes -- all of which play a decisive role in the outcome of the SE criteria.

To some, SE is nothing more than demonstrating prowess of one's ability to (essentially) "dupe" or "con" another human. To others, it's an interrogative function to acquire sensitive and/or valuable information in small bits and pieces, then re-assemble all the data fragments collectively into a (hopefully) fully-assembled data model once the data gathering function has been completed (also subjective, as deemed as being completed).

Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to, penetration testing and analysis. However, if someone were to define specific weights, based upon an interrogative matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are weighed), might similarly be concluded as being more objective, rather than subjective. The federal government is very good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.

So...though it may not appear as conclusive, much of its very being depends upon how it is set up, how it is utilized, what are the expected or anticipated goals, and how is the information (once obtained) utilized -- all of which may be considered a form of social testing of targeted or selected groups of individuals (and their affiliated organizations). If the SE function is based upon a weighed criteria, then it could be considered moreso as a "science", rather than an "artform", and thus, may be construed as a part of, or subset to, a "penetration test and analysis" function; otherwise, it remains nothing more than an "artform", as its exact function would not be capable of an *exact* functional reproduction (meaning, can the exact or same criteria be reproduced each and every time, and can the outcome be predictably produced, using the same methods, each and every time?). Until SE can be empowered moreso as a "science" with a reproducible, repeatable function each and every time, then I could see where people would not categorize "social engineering" as a part of, or subset to, a "penetration test".

Until SE may be conclusively defined into a "science", many organizations will never consider it nothing more than an "artform".

Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)


----- Original Message -----
From: Steven [mailto:steven@lovebug.org]
To: burzella@inwind.it, pen-test@securityfocus.com
Subject: Re: Pen-Test and Social Engineering

> I would definitely say that social engineering can be considered part of a
> pen-test. If you are able to get users to divulge information that assists
> you in compromising or gaining access to something, then you are doing
> exactly what a real attacker would have been able to do. You might be able
> to trick them into telling you something via phone or e-mail, get them to
> physically do something like open a door or unlock a machine, or get them to
> run an executable or disable a firewall. You might be able to get them to
> do under false pretenses, through their own ignorance or carelessness, or by
> other means. Whatever you do can be considered part of a pen-test.
>
> However, there are a few important things to keep in mind. You want to
> definitely lay down the ground rules with whomever it is you are pen-testing
> for. They might just want to see what machines an exploit can break into.
> You might really upset some people and get in trouble if you start trying to
> gain physical access or send trojans to executives. Make sure they are
> aware of what you are doing and that you have approval. Get everything in
> writing or in your agreement somewhere.
>
> Anyway - one word answer to the questions IMO is Yes.
>
> Steven
>
> ----- Original Message -----
> From: <burzella@inwind.it>
> To: <pen-test@securityfocus.com>
> Sent: Friday, February 03, 2006 9:03 AM
> Subject: Pen-Test and Social Engineering
>
>
> > Hi
> > In your opinion, can a Social Engineering test be considered part of a
> > Pen-Test?
> >
> > Thanks
