From: Dhruv Soi (dhruv_ymca@yahoo.com)
Date: Mon Feb 06 2006 - 13:00:11 EST
In a real scenario, when some attacker wants to gain
access and there is a option to ask the passwords from
employees, then why to spend time in understanding,
scanning and exploiting the infra…. Same way if an
attacker can enter the premises of Target Company then
why to waste time in asking the password and
downloading the data. Wherein attacker can enter into
premises, detach the hard disk and take that away.
Looks crazy but that’s possible if the value of that
data in hard drive is known to attacker. Another
option suggested by KK about putting a wireless AP in
LAN and then roaming in target network by connecting
through laptop and sitting in car from parking area.
In any of above-mentioned attacks, network and threats
didn’t even come into picture and company might face
huge information/reputation/financial loss. And social
engineering is an easy option to attack a network… no
problem of IDS, no fear of being tracked by log
analysis while attacking. Some attackers try to take
out the information of network and internal devices by
calling the IT staff and pretending like a sales guy
who is trying to sell a log analyzer or IDS. There are
many other tricky options to utilize social
engineering……….
But yes there is an equal importance to security
health check of servers/network devices. You can’t
rely by securing yourself from only one of attacking
scenario (Social engineering, Network threats…). You
need to protect yourself both of the attacks.
Many companies educate their employees about social
engineering attacks including their front desk
officers, office boys, security guards etc. Moreover,
companies got policies in place about sharing of
credentials by employees. And companies get those
policy documents signed from their employees.
Including social engineering in pen-test one can
understand that the training that was provided to
employees didn’t go waste and employees are still in
compliance.
cheers!
-D
--- Ratna Kumar <ratnakumarch@visualsoft-tech.com>
wrote:
> Hi All,
>
> I agree with you all,but social engineering is a
> altogether a different
> game.
> It is possible to exploit an individual provided
> there is a threat on the
> target network?
> PT results can be used to build Social Engineering
> ??
>
>
> Thank you,
>
> Regards,
> Ratna Kumar
> ----- Original Message -----
> From: "Michael Mooney" <wolfiroc@earthlink.net>
> To: <burzella@inwind.it>;
> <pen-test@securityfocus.com>
> Sent: Monday, February 06, 2006 12:02 AM
> Subject: RE: Pen-Test and Social Engineering
>
>
> > Most certainly. Social engineering is an
> excellent way of doing a recon
> > of
> > your target. It's amazing that, despite all the
> press and warning, people
> > will still "give up" the information requested if
> you sound official or
> > appear to be helping them. Human nature, but
> human nature can help you
> > identify what can "kill" the system.
> >
> >
> >> [Original Message]
> >> From: <burzella@inwind.it>
> >> To: <pen-test@securityfocus.com>
> >> Date: 2/5/2006 1:02:07 PM
> >> Subject: Pen-Test and Social Engineering
> >>
> >> Hi
> >> In yuor opinion, can a Social Engineering test be
> considered part of a
> > Pen-Test?
> >>
> >> Thanks
> >>
> >>
> >
>
----------------------------------------------------------------------------
> > --
> >> Audit your website security with Acunetix Web
> Vulnerability Scanner:
> >>
> >> Hackers are concentrating their efforts on
> attacking applications on your
> >> website. Up to 75% of cyber attacks are launched
> on shopping carts,
> > forms,
> >> login pages, dynamic content etc. Firewalls, SSL
> and locked-down servers
> > are
> >> futile against web application hacking. Check
> your website for
> > vulnerabilities
> >> to SQL injection, Cross site scripting and other
> web attacks before
> > hackers do!
> >> Download Trial at:
> >>
> >>
> http://www.securityfocus.com/sponsor/pen-test_050831
> >>
> >
>
----------------------------------------------------------------------------
> > ---
> >>
> >
> >
> >
> >
> >
>
------------------------------------------------------------------------------
> > Audit your website security with Acunetix Web
> Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on
> attacking applications on your
> > website. Up to 75% of cyber attacks are launched
> on shopping carts, forms,
> > login pages, dynamic content etc. Firewalls, SSL
> and locked-down servers
> > are
> > futile against web application hacking. Check your
> website for
> > vulnerabilities
> > to SQL injection, Cross site scripting and other
> web attacks before
> > hackers do!
> > Download Trial at:
> >
> >
> http://www.securityfocus.com/sponsor/pen-test_050831
> >
>
-------------------------------------------------------------------------------
> >
>
>
>
>
------------------------------------------------------------------------------
> Audit your website security with Acunetix Web
> Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your
> website. Up to 75% of cyber attacks are launched on
> shopping carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are
> futile against web application hacking. Check your
> website for vulnerabilities
> to SQL injection, Cross site scripting and other web
> attacks before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
>
-------------------------------------------------------------------------------
>
>
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT