RE: Pen-Test and Social Engineering

From: Lyal Collins (lyal.collins@key2it.com.au)
Date: Tue Feb 07 2006 - 01:54:29 EST


Just my 20 cents worth...
Not all attackers are created equal, nor do they think the same way.
Many attackers prefer to remain 'invisible' if possible, avoiding or
minimising the likelihood of being caught and successfully
prosecuted/disciplined - a distinctly higher risk in SE situations.

Many but not all SE attacks require a presence in the same town, building,
floor, or even office area.
This increases the risk of being caught or prosecuted - the physical
evidence is much easier to collect and present to a court.

Often, a good command of the target company's spoken language (English,
Italian, French etc) is essential to 'fit in' sufficiently for the attack.

As part of the risk profile of the company, SE is just one avenue of attack
to be mitigated.

If SE becomes too hard, then attack prevalence will swing to non-SE
methods.

Lyal

-----Original Message-----
From: Dhruv Soi [mailto:dhruv_ymca@yahoo.com]
Sent: Tuesday, 7 February 2006 5:00 AM
To: Ratna Kumar; wolfiroc@earthlink.net; burzella@inwind.it;
pen-test@securityfocus.com
Subject: Re: Pen-Test and Social Engineering

In a real scenario, when some attacker wants to gain access and there is an
option to ask the passwords from employees, then why to spend time in
understanding, scanning and exploiting the infra.. Same way if an attacker
can enter the premises of Target Company then why to waste time in asking
the password and downloading the data. Wherein attacker can enter into
premises, detach the hard disk and take that away. Looks crazy but that's
possible if the value of that data in hard drive is known to attacker.
Another option suggested by KK about putting a wireless AP in LAN and then
roaming in target network by connecting through laptop and sitting in car
from parking area.

In any of above-mentioned attacks, network and threats didn't even come into
picture and company might face huge information/reputation/financial loss.
And social engineering is an easy option to attack a network. No problem of
IDS, no fear of being tracked by log analysis while attacking. Some
attackers try to take out the information of network and internal devices by
calling the IT staff and pretending like a sales guy who is trying to sell a
log analyzer or IDS. There are many other tricky options to utilize social
engineering....

But yes there is an equal importance to security health check of
servers/network devices. You can't rely by securing yourself from only one
of attacking scenario (Social engineering, Network threats.). You need to
protect yourself from both of the attacks.

Many companies educate their employees about social engineering attacks
including their front desk officers, office boys, security guards etc.
Moreover, companies got policies in place about sharing of credentials by
employees. And companies get those policy documents signed from their
employees. Including social engineering in pen-test one can understand that
the training that was provided to employees didn't go waste and employees
are still in compliance.

cheers!
-D

--- Ratna Kumar <ratnakumarch@visualsoft-tech.com> wrote:

> Hi All,
>
> I agree with you all, but social engineering is altogether a different
> game.
> It is possible to exploit an individual provided there is a threat on the
> target network?
> PT results can be used to build Social Engineering ??
>
>
> Thank you,
>
> Regards,
> Ratna Kumar
> ----- Original Message -----
> From: "Michael Mooney" <wolfiroc@earthlink.net>
> To: <burzella@inwind.it>;
> <pen-test@securityfocus.com>
> Sent: Monday, February 06, 2006 12:02 AM
> Subject: RE: Pen-Test and Social Engineering
>
>
> > Most certainly. Social engineering is an excellent way of doing a recon
> > of your target. It's amazing that, despite all the press and warning,
> > people will still "give up" the information requested if you sound
> > official or appear to be helping them. Human nature, but human nature
> > can help you identify what can "kill" the system.
> >
> >
> >> [Original Message]
> >> From: <burzella@inwind.it>
> >> To: <pen-test@securityfocus.com>
> >> Date: 2/5/2006 1:02:07 PM
> >> Subject: Pen-Test and Social Engineering
> >>
> >> Hi
> >> In your opinion, can a Social Engineering test be considered part of a
> >> Pen-Test?
> >>
> >> Thanks
> >>
> >>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:27 EDT