Penetration Testing
mailing list archives
Re: Pen-Test and Social Engineering
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Feb 2006 09:53:02 -0600
Having observed many people's responses, I would like to make a comment...
To me, "social engineering" may be considered as an artform of assessing risk through human interaction, as each and
every individual conducting the SE has their own unique way or method of conducting an SE exercise. To many, I have
observed that "yes", it is considered a part of, or subset to, "penetration testing and analysis", focusing more
entirely on the human aspects and factors of human interaction. Thus, the terminology, by its very existence, is
subjective to its audience based upon its perspective. How it's interpreted, how it's utilized, what are the human
traits and/or factors utilized to acquire or determine weakness, and of course, what are the eventual outcomes -- all
of which play a decisive role in the outcome of the SE criteria.
To some, SE is nothing more than demonstrating prowess of one's ability to (essentially) "dupe" or "con" another
human. To others, it's an interrogative function to acquire sensitive and/or valuable information in small bits and
pieces, then re-assemble all the data fragments collectively into a (hopefully) fully-assembled data model once the
data gathering function has been completed (also subjective, as deemed as being completed).
Thus, based upon its very nature as being subjective, it could be concluded that SE is not a part of, or subset to,
penetration testing and analysis. However, if someone were to define specific weights, based upon an interrogative
matrix (specific questions to be asked to targeted individuals, and the anticipated types of responses -- all are
weighed), might similarly be concluded as being more objective, rather than subjective. The federal government is very
good at interrogative functions, esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
So...though it may not appear as conclusive, much of its very being depends upon how it is set up, how it is
utilized, what are the expected or anticipated goals, and how is the information (once obtained) utilized -- all of
which may be considered a form of social testing of targeted or selected groups of individuals (and their affiliated
organizations). If the SE function is based upon a weighed criteria, then it could be considered more so as a
"science", rather than an "artform", and thus, may be construed as a part of, or subset to, a "penetration test and
analysis" function; otherwise, it remains nothing more than an "artform", as its exact function would not be capable of
an *exact* functional reproduction (meaning, can the exact or same criteria be reproduced each and every time, and can
the outcome be predictably produced, using the same methods, each and every time?). Until SE can be empowered more so
as a "science" with a reproducible, repeatable function each and every time, then I could see where people would not
categorize "social engineering" as a part of, or subset to, a "penetration test".
Until SE may be conclusively defined into a "science", many organizations will never consider it nothing more than an
"artform".
Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)
----- Original Message -----
From: Steven [mailto:steven () lovebug org]
To: burzella () inwind it, pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering
I would definitely say that social engineering can be considered part of a
pen-test. If you are able to get users to divulge information that assists
you in compromising or gaining access to something, then you are doing
exactly what a real attacker would have been able to do. You might be able
to trick them into telling you something via phone or e-mail, get them to
physically do something like open a door or unlock a machine, or get them to
run an executable or disable a firewall. You might be able to get them to
do so under false pretenses, through their own ignorance or carelessness, or by
other means. Whatever you do can be considered part of a pen-test.
However, there are a few important things to keep in mind. You want to
definitely lay down the ground rules with whomever it is you are pen-testing
for. They might just want to see what machines an exploit can break into.
You might really upset some people and get in trouble if you start trying to
gain physical access or send trojans to executives. Make sure they are
aware of what you are doing and that you have approval. Get everything in
writing or in your agreement somewhere.
Anyway - one word answer to the questions IMO is Yes.
Steven
----- Original Message -----
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering
Hi
In your opinion, can a Social Engineering test be considered part of a
Pen-Test?
Thanks