Re: Pen-Test and Social Engineering

From: Pete Herzog (lists@isecom.org)
Date: Mon Feb 06 2006 - 18:18:19 EST


Hi all,

Bob Radvanovsky wrote:
<snip>
> Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to, penetration testing and analysis. However, if someone were to define specific weights, based upon an interrogative matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are weighed), it might similarly be concluded as being more objective, rather than subjective. The federal government is very good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
</snip>

Very well said, Bob. HUMINT / Personnel Security Testing contains many
tests but none that we refer to as Social Engineering in OSSTMM 3.0.
And that is because, as you said, we found it to be nearly impossible to
get objective, factual measurements from it that actually said more
about the target than the tester. Furthermore, we require a lot to be
documented of the environment and situation for the tests to be
repeatable and therefore valid. A test cannot be said to have a valid
conclusion if the process is not repeatable.

Social engineering, like pen-testing itself, is a wake-up call type
service to get the attention of a problem. But they are not valid tests
and more often than not, they are a representation of the tester's
skills and not the target's protection. As a wake-up call service, you
pay to shake awake some of those asleep in the organization and get them
to do something about security. But that something should be factual
measurements of security operations which set baselines and lead to
improvements. To manage security you need to measure it.

Check back at ISECOM (www.isecom.org) from time to time as we release
more and more parts of OSSTMM 3.0 publicly or take part in one of the
many free seminars that go on around the world to learn a little bit
more about how to do things like a personnel security test that really
means something more than "duping" people.

Sincerely,
-pete.
www.isecom.org - www.isestorm.org
