Re: Pen-Test and Social Engineering

From: Leif Ericksen (leife@dls.net)
Date: Thu Feb 09 2006 - 10:09:20 EST


But of course I left many items off; I was just trying to hit the
highlights. ;) So how many other folks on this list are seeing this as
a possible old farts VS young bucks train of thought? The old farts
want to use finesse and grace, using a calculated approach and "hacking" at
the problem until they are given a solution, while the young bucks seem
to want some sort of covert operation: come in guns a-blazing, dropping
out of the ceiling as depicted in the Hollwe oops.. Hollywood movies
that we see these days. War Games VS Hackers VS Bond VS Matrix?

No offense intended here, but we should stay on focus with a
securityfocus mind here.
It takes a special type of person to be a social engineer. After all, for
those that can get the Discovery Channel and watch Dirty Jobs, watch
the episode that reveals that the septic tank tech was a psychologist
prior to becoming a tank technician and was tired of other people's crap, so he
started a new job.
IMHO:
In essence a SE is part psychologist, part telephone psychic that uses
cold leading tactics to get information, and part very personable. This
person is able to read people (in person or over the phone) and has the
ability to detect any subtleties that would lead them to be able to find
the information they need.

Should SE be part of a pen-test? I would say yes. Normally the weakest
link in any security system is the HUMAN element, and without social
engineering you will not find that weak link! Now if that SE is going
to be on site, the person doing the SE would need to be protected, as
well as know what the boundaries are.

Now this detailed plan should not include information that would
actually reveal a weakness in itself, unless of course the company would
normally give that information out to anybody that asked, and not just
the pen-test team. Much thought and attention to detail is required!

I could go on but I will stop here.

 
On Wed, 2006-02-08 at 22:46 +0100, Volker Tanger wrote:
> Greetings!
>
> On Wed, 08 Feb 2006 08:55:52 -0600
> Leif Ericksen <leife@dls.net> wrote:
>
>
> > SHORT AND SWEET:
> > IMHO, a good pen-test will have a contract that dictates
> > 1) Name of the company being tested and people that will be testing.
> > 2) Any forbidden access methods.
> > 3) Any forbidden tactics DOS/or even a shutdown of the server
> > (Real hackers will not care if they shutdown or DOS a server.)
> > 4) Time of the attacks. (start/end date start/end time)
> > (Real hackers will not care about time.)
> > 5) Maybe all telephone numbers owned by the company for a war-dial
> > list.
> > But this might not be shared with the whole team. If a modem is
> > found a weakness is noted, and the actual intrusion team would have
> > to find modems with SE or other methods.
> > 6) If the team is going to be on premise can they enter restricted
> > areas or are they only allowed to test the door to see if it is open.
>
> Most important: contacts (esp. phone numbers!) of all people involved!
>
> 7a) contact details of pen testers where the client can contact them during
> the test in case something goes wrong. I once wardialed a client who
> was not aware that his telephone system relayed each and every non-valid
> number and/or service to the front desk. 50.000 numbers dialed, of which
> only 20% were connected. 4 wardialers each running at 30-second
> intervals. Effectively DoSed the client telephone-wise...
>
> 7b) contact (and authority) details of the client. Especially when doing
> physical assessment. Police usually won't take a "Dunno" as valid
> legitimation for trespassing...
>
> 7c) Who is allowed to know and who not (e.g. for a pentest with simultaneous
> readiness/performance test of the IDS/FW/network staff).
>
>
> Bye
>
> Volker
>
>

-- 
Leif Ericksen <leife@dls.net>
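The contract items listed in the thread (named parties, forbidden tactics, test window, client-owned number ranges, emergency contacts) and Volker's wardialer story are easy to turn into a machine-checked rules-of-engagement gate. The example below is added here and is not code from either poster: it encodes a constructed RoE as data and refuses a planned action that falls outside it, including a dialer-rate cap that would have caught the "4 wardialers at 30-second intervals" case. All names, numbers, times and thresholds are made up for illustration.

```python
"""Rules-of-engagement (RoE) gate for a pen-test plan.

Added example, not part of the original list post. Every value below
(client name, number prefixes, window, rate caps) is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class RulesOfEngagement:
    client: str                      # item 1: who is being tested
    testers: List[str]               # item 1: who is allowed to test
    window_start: datetime           # item 4: agreed start (UTC)
    window_end: datetime             # item 4: agreed end (UTC)
    forbidden_tactics: Set[str]      # items 2/3: e.g. {"dos", "shutdown"}
    phone_prefixes: List[str]        # item 5: number ranges the client owns
    max_concurrent_dialers: int      # 7a lesson: cap parallel wardialers
    min_dial_interval_s: int         # 7a lesson: floor on dial spacing
    emergency_contacts: Dict[str, str]  # 7a/7b: role -> phone number


@dataclass
class PlannedAction:
    tactic: str
    when: datetime
    tester: str
    target_number: Optional[str] = None
    dialers: int = 1
    dial_interval_s: int = 0


def check_action(roe: RulesOfEngagement, action: PlannedAction) -> List[str]:
    """Return every contract violation for one planned action.

    An empty list means the action is inside the agreed scope. The gate
    is deliberately strict: a real attacker ignores the window and the
    tactic list, which is exactly why the test team must not.
    """
    problems = []
    if action.tester not in roe.testers:
        problems.append(f"tester '{action.tester}' not named in contract")
    if not (roe.window_start <= action.when <= roe.window_end):
        problems.append("outside the agreed test window")
    if action.tactic in roe.forbidden_tactics:
        problems.append(f"tactic '{action.tactic}' is forbidden by contract")
    if action.target_number is not None and not any(
        action.target_number.startswith(p) for p in roe.phone_prefixes
    ):
        problems.append("target number is not in a client-owned range")
    if action.tactic == "wardial":
        # Volker's anecdote: a PBX that forwards every invalid number to
        # the front desk turns an unthrottled wardial into a telephone DoS.
        if action.dialers > roe.max_concurrent_dialers:
            problems.append(
                f"{action.dialers} dialers exceeds cap of "
                f"{roe.max_concurrent_dialers}")
        if action.dial_interval_s < roe.min_dial_interval_s:
            problems.append(
                f"{action.dial_interval_s}s interval is below the "
                f"{roe.min_dial_interval_s}s floor")
    for role in ("client_authority", "tester_lead"):
        if role not in roe.emergency_contacts:
            problems.append(f"missing emergency contact for '{role}'")
    return problems


def sample_roe() -> RulesOfEngagement:
    """Constructed RoE for a fictitious client (all values made up)."""
    return RulesOfEngagement(
        client="Example Widgets Ltd",
        testers=["alice", "bob"],
        window_start=datetime(2006, 2, 10, 18, 0, tzinfo=timezone.utc),
        window_end=datetime(2006, 2, 11, 6, 0, tzinfo=timezone.utc),
        forbidden_tactics={"dos", "shutdown"},
        phone_prefixes=["+1555123"],
        max_concurrent_dialers=2,
        min_dial_interval_s=60,
        emergency_contacts={"client_authority": "+15551230001",
                            "tester_lead": "+15559990002"},
    )


def demo() -> Dict[str, List[str]]:
    """Evaluate a few constructed plans against the sample RoE."""
    roe = sample_roe()
    in_window = datetime(2006, 2, 10, 20, 0, tzinfo=timezone.utc)
    plans = {
        "ok_wardial": PlannedAction("wardial", in_window, "alice",
                                    "+15551230100", dialers=2,
                                    dial_interval_s=120),
        "volker_style": PlannedAction("wardial", in_window, "alice",
                                      "+15551230100", dialers=4,
                                      dial_interval_s=30),
        "dos_attempt": PlannedAction("dos", in_window, "bob"),
        "wrong_range": PlannedAction("wardial", in_window, "bob",
                                     "+15558880100", dialers=1,
                                     dial_interval_s=90),
    }
    return {name: check_action(roe, p) for name, p in plans.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "allowed")
```

The point of the gate is that the contract becomes an input to the tooling rather than a document nobody rereads at 2 a.m.; a team that runs its scans through something like `check_action` cannot accidentally drift outside the window or the agreed number ranges, and the rate caps give the client a concrete figure to sign off on.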


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:28 EDT