Re: Pen-Test and Social Engineering

From: Tim (pand0ra.usa@gmail.com)
Date: Mon Feb 06 2006 - 15:16:21 EST


I would agree with Louis on this. I have conducted SE with the client
many times ONLY as an informative demonstration. I always had at least
one user give up a password or convinced them to change it to one I
knew. One thing I would suggest is that SE testing be included in the
scope; otherwise you are going to head down the road of woe. That goes
for anything in a pentest: if it's not in the scope, plan on talking to
lawyers for a while (or sharing a cell with Bubba). I think Kevin
Mitnick said once that everyone is subject to being socially
engineered, no matter who you are. My personal opinion is that SE
should be a part of the education process in an organization's
security training. I also think that if SE is done, you definitely
don't specify who passed or failed, as that can generate some
hostilities within the organization. Like Louis said, metrics would be
a good way to go.

On 3 Feb 2006 14:03:18 -0000, burzella@inwind.it <burzella@inwind.it> wrote:
> Hi
> In your opinion, can a Social Engineering test be considered part of a Pen-Test?
>
> Thanks
>
Tim Van Cleave

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT