Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Penetration Testing - Human Factor
From: <KeenerPB () mcnosc usmc mil>
Date: Sat, 26 Aug 2006 20:51:42 -0400

We use social engineering on almost every assessment we do except when the request is for a strict technical assessment.

Capt. Paul B. Keener
OIC, Marine Corps Red Team
Marine Corps Network Operations & Security Command
STE: 703.784.4327 (DSN 278)
Cell: 703.399.9639

NIPR: keenerpb () mcnosc usmc mil
SIPR: keenerpb () mcnosc usmc smil mil
Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: StyleWar <stylewar () cox net>
To: 'Joey Peloquin' <joeyp () cotse net>; Keener Capt Paul B <KeenerPB () mcnosc usmc mil>
CC: 'Pen-Testing' <pen-test () securityfocus com>
Sent: Sat Aug 26 19:44:04 2006
Subject: RE: Penetration Testing - Human Factor


With respect, I think that's a greater commentary on your contracting
methods than it is on what's available. The Pen-Tests I have run include
everything from physical, to logical, to social/administrative.  The
customer has had to opt out on specific methods and attack trees as part of
the preengagement process.



"Patriotism isn't defined in a moment.  It's defined in a lifetime." 

-----Original Message-----
From: Joey Peloquin [mailto:joeyp () cotse net] 
Sent: Wednesday, August 23, 2006 7:10 AM
To: KeenerPB () mcnosc usmc mil
Cc: Pen-Testing
Subject: Re: Penetration Testing - Human Factor

KeenerPB () mcnosc usmc mil wrote:
I would disagree with Arian regarding the technical aspects 
of "true"
hacking...in my experience, social engineering plays a huge role in 
successful compromise of a network. Most of the time the boundaries 
are pretty tight so you have to lob one over the fence (social 
engineering) in order to punch out from the inside to 
defeat the boundary devices.

All due respect, I'm both an Enterprise pen-test customer and 
an internal pen-tester at the same company, and I don't see 
social engineering on the radar at all, save a mention as 
part of our security awareness program.

How many enterprises do you all contract with that *actually* 
include social engineering, and the like, in the scope?  
We've paid as much as 40K for an engagement and it didn't 
include social engineering.


This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]