Penetration Testing
mailing list archives
Re: Pen-Test and Social Engineering
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Mon, 06 Feb 2006 12:54:47 -0600
Not necessarily...you could *still* have questions within an anticipated range of expected answers. If I ask Question
#1, I would expect to see potentially 4 to 6 (or however many) answers. If the answers are not any of those
anticipated, mark them as not being outlined within the initial set of answers to Question #1. This does not mean that
the answers are not validated, nor does it mean that you've lost the "human factor" to the outline. It simply means
that the answers were not anticipated and not within the range. This allows for a more measured response to any suite
of questions asked, and thus, can show or pinpoint, through a series of these questions, whether the individual is
lying or telling the truth, or can contain any information about a vulnerability or risk. I, personally, foresee
"social engineering" as being measured very similarly to that of the fictional "Voight-Kampff" psychological assessment
to determine targets as being "Replicants" (Nexus Generation series Replicants) from the Movie, "Blade Runner" (ref:
http://www.netipedia.com/index.php/Replicant and http://www.empireonline.com/forum/tm.asp?m=2267&mpage=4).
Again, see references about how the federal government has been doing it for years. They've got it down to a set of
"scripts" such that questions have been written to be asked in such a manner as to provoke a certain response. To me,
it's a form of plain and simple "interrogation" -- nothing more. Thus, the thing that I feel differentiates between an
"interrogative interview" versus a "social engineering event" is that random, human factorization -- of which, I would
tend to agree with you, in that it might be very difficult to distinguish or (perhaps) differentiate between as being a
"science" versus an "artform".
I guess my question would come down to this: How do psychologists interview people? What they do is an empracticement
that is repeatable, as well as repetitive, and is weighed based upon certain criteria, or perhaps even external
influential factors that might determine that said individuals as being "<xxx>", right? Would this not be considered
as a "soft(er) science", as there are often times, too many unknown factors that might negate or mitigate their
results, thus potentially skewing the end result or anticipated outcome? Possibly.
And...with both circumstances, the net effect was obtained through a repeatable, reproducible process. That is what
distinguishes it as being classified as a "science". ;))
Have I clarified my position on the matter, or does it appear that I've muddied them up further?
I'm (really) not being argumentative about this subject -- just that it is (to me) a difficult topic to discuss
*openly* on a public discussion forum. There are no clear-cut answers to this debate; however, I am hoping to shed
some light about how both sides perceive "social engineering", taking the role of that to the "Devil's Advocate". I
*do* see the validity in your response, but perhaps you can see just how I'm perceiving this? If you have a process
that is not easily explainable, cannot be documented quickly (has or draws upon too many possible conclusions without
concrete results), or might (or might not) be reproducible, what would you consider this then?
In this case, I would speculate that a "science" is an empracticement of a process, methodology, or procedure that is
reproducible and is considered logical in nature, thus formulating or drawing upon a conclusion to the net result.
Science (generally) "refers to a system of acquiring knowledge – based on empiricism, experimentation, and
methodological naturalism – aimed at finding out the truth. The basic unit of knowledge is the theory, which is a
hypothesis that is predictive. The term "science" also refers to the organized body of knowledge humans have gained by
such research." (ref: http://en.wikipedia.org/wiki/Science) Could you base your decision to determine if the target
location were vulnerable based on a few abstract questions? I doubt that I could answer that question, esp. if a
C-level executive were asking the question. Their questions, though speculative in nature, are founded on one thing:
what will this do to impact my company?
A colleague of mine pointed out that "social engineering" in and of itself is neither an "artform" nor a "science", but
rather a precursory measurement or determination of the state (or status) of a given scenario, such that its mere
determination usually would require *additional* investigation, thus in fact, might be construed as a "soft(er)
science". This would draw about a conclusion to your statement that "social engineering" is a valid "tool" that is
utilized as a precursor for further investigative functions. To that degree, I would agree with you, and thus, can see
the relevancy to your point. Also, as a generalized statement, most "hackers" often rely upon intuition and "gut
instinct", but may be founded upon more concrete methods of thinking that are unexplainable to anyone outside of their
"inner circle", without establishing that there may or may not be foundations based on the methodologies used. To me,
because the "human factor" is involved so often, we refer to the "human factor" as the random, chaotic
interactive state which exists within nature, representing the interaction between human and human kind, or human and
animal kind.
In conclusion, I was merely stating an observation based upon how others may perceive it. I seriously doubt that we
will be able to clearly define "social engineering" in a clear-cut manner without too much debate; there are just too
many factors involved which, depending on your level of perception, can go either way as being either a "science" or an
"artform", or in some circumstances, both.
Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)
*** DISCLAIMER NOTICE ***
This electronic mail ("e-mail") message, including any and/or all attachments, is for the sole use of the intended
recipient(s), and may contain confidential and/or privileged information, pertaining to business conducted under the
direction and supervision of Bob Radvanovsky and/or his affiliates, as well as is the property of Bob Radvanovsky
and/or his affiliates, or otherwise protected from disclosure. All electronic mail messages, which may have been
established as expressed views and/or opinions (stated either within the electronic mail message or any of its
attachments), are left at the sole discretion and responsibility of that of the sender, and are not necessarily
attributed to Bob Radvanovsky. Unauthorized interception, review, use, disclosure or distribution of any such
information contained within this electronic mail message and/or its attachment(s), is(are) strictly prohibited. As
this e-mail may be legally privileged and/or confidential and is intended only for the use of the addressee(s), no
addressee should forward, print, copy, or otherwise reproduce this message in any manner that would allow it to be
viewed by any individual not originally listed as a recipient. If the reader of this message is not the intended
recipient, you are hereby notified that any unauthorized disclosure, dissemination, distribution, copying or the taking
of any action in reliance upon the information herein is strictly prohibited. If you have received this communication
in error, please notify the sender immediately, followed by the deletion of this or any related message.
----- Original Message -----
From: Neil [mailto:neil () voidfx net]
To: Bob Radvanovsky [mailto:rsradvan () unixworks net]
Subject: Re: Pen-Test and Social Engineering
I think you will find that in the process of making SE into a Science,
you will be making it less effective than it is to an attacker, and thus
misrepresenting the risk it entails.
To make SE a science, which as you said would be repeatable and
reproducible, you would have to remove aspects of social engineering
that appeal to the target's emotions. (The fact that if you keep
someone in the same emotional state, their reaction to a stimulus should
be the same becomes irrelevant because the fact is that people will not
be in the same emotional state every time you pen-test.) However,
intruders would definitely not hesitate to capitalize on a person's
emotions.
So, at best, all you can say is: "Here are the results of social
engineering during one day on our pen-test. Be aware that if everyone
was having a particularly good or bad day, this would not compensate for
that, only the results of what we did that day."
On 2/6/2006 9:23 PM, Bob Radvanovsky wrote:
Having observed many people's responses, I would like to make a comment...
To me, "social engineering" may be considered as an artform of assessing
risk through human interaction, as each and every individual conducting the
SE has their own unique way or method of conducting an SE exercise. To
many, I have observed that "yes", it is considered a part of, or subset to,
"penetration testing and analysis", focusing more entirely on the human
aspects and factors of human interaction. Thus, the terminology, by its
very existence, is subjective to its audience based upon its perspective.
How it's interpreted, how it's utilized, what are the human traits and/or
factors utilized to acquire or determine weakness, and of course, what are
the eventual outcomes -- all of which play a decisive role in the outcome of
the SE criteria.
To some, SE is nothing more than demonstrating prowess of one's ability
to (essentially) "dupe" or "con" another human. To others, it's an
interrogative function to acquire sensitive and/or valuable information in
small bits and pieces, then re-assemble all the data fragments collectively
into a (hopefully) fully-assembled data model once the data gathering
function has been completed (also subjective, as deemed as being completed).
Thus, based upon its very nature as being subjective, it could be
concluded that SE is not a part of, or subset to, penetration testing and
analysis. However, if someone were to define specific weights, based upon
an interrogative matrix (specific questions to be asked to targeted
individuals, and the anticipated types of responses -- all are weighed),
might similarly be concluded as being more objective, rather than
subjective. The federal government is very good at interrogative functions,
esp. certain law enforcement branches, such as the NSA, CIA, and the FBI.
So...though it may not appear as conclusive, much of its very being
depends upon how it is setup, how it is utilized, what are the expected or
anticipated goals, and how is the information (once obtained) utilized --
all of which may be considered a form of social testing of targeted or
selected groups of individuals (and their affiliated organizations). If the
SE function is based upon a weighed criteria, then it could be considered
more so as a "science", rather than an "artform", and thus, may be construed
as a part of, or subset to, a "penetration test and analysis" function;
otherwise, it remains nothing more than an "artform", as its exact function
would not be capable of an *exact* functional reproduction (meaning, can the
exact or same criteria be reproduced each and every time, and can the
outcome be predictably produced, using the same methods, each and every
time?). Until SE can be empowered more so as a "science" with a
reproducible, repeatable function each and every time, then I could see where people would not categorize "social
engineering" as a part of, or subset to, a "penetration test".
Until SE may be conclusively defined into a "science", many organizations
will never consider it anything more than an "artform".
Bob Radvanovsky, CISM, CIFI, REM, CIPS
"knowledge squared is information shared"
rsradvan (at) unixworks.net | infracritical.com | ehealthgrid.com
(630) 673-7740 | (412) 774-0373 (fax)
----- Original Message -----
From: Steven [mailto:steven () lovebug org]
To: burzella () inwind it, pen-test () securityfocus com
Subject: Re: Pen-Test and Social Engineering
I would definitely say that social engineering can be considered part of a
pen-test. If you are able to get users to divulge information that assists
you in compromising or gaining access to something, then you are doing
exactly what a real attacker would have been able to do. You might be able
to trick them into telling you something via phone or e-mail, get them to
physically do something like open a door or unlock a machine, or get them to
run an executable or disable a firewall. You might be able to get them to
do so under false pretenses, through their own ignorance or carelessness, or
by other means. Whatever you do can be considered part of a pen-test.
However, there are a few important things to keep in mind. You want to
definitely lay down the ground rules with whomever it is you are pen-testing
for. They might just want to see what machines an exploit can break into.
You might really upset some people and get in trouble if you start trying to
gain physical access or send trojans to executives. Make sure they are
aware of what you are doing and that you have approval. Get everything in
writing or in your agreement somewhere.
Anyway - one word answer to the questions IMO is Yes.
Steven
----- Original Message -----
From: <burzella () inwind it>
To: <pen-test () securityfocus com>
Sent: Friday, February 03, 2006 9:03 AM
Subject: Pen-Test and Social Engineering
Hi
In your opinion, can a Social Engineering test be considered part of a
Pen-Test?
Thanks
--
Neil.
http://voidfx.net
"Lord, grant me the strength to accept the things I cannot change, the
courage to try to change the things I can, and the wisdom to hide the
bodies of the people I had to kill because they pissed me off."
--Anonymous
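The weighted "interrogative matrix" that Bob describes above (a fixed set of questions, an anticipated range of answers per question, each answer weighed, and any answer outside the anticipated range recorded as unanticipated rather than discarded), worked through as an added example. This code is not from any message in this thread; the questions, response categories, keyword triggers, weights and the transcript are all constructed for illustration. Neil's caveat is reflected by binding every score to one dated session rather than to the target in general.

```python
"""
Weighted "interrogative matrix" for scoring one social-engineering test
session: every question carries anticipated response categories, each with
keyword triggers and a disclosure weight.  A response matching none of the
anticipated categories is recorded as unanticipated instead of being scored,
so it is neither counted as a disclosure nor silently dropped.

Added example for this archive page, not from any message in the thread.
All questions, keywords, weights and the transcript are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Category:
    name: str
    keywords: Tuple[str, ...]  # any keyword found in the answer selects this category
    weight: int                # 0 = nothing disclosed; higher = more sensitive disclosure


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    categories: Tuple[Category, ...]  # checked in order, first match wins

    @property
    def max_weight(self) -> int:
        return max(c.weight for c in self.categories)


@dataclass
class SessionResult:
    session: str  # date of the calls; the score describes that day only
    scored: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # qid -> (category, weight)
    unanticipated: Dict[str, str] = field(default_factory=dict)       # qid -> raw answer

    @property
    def score(self) -> int:
        return sum(weight for _, weight in self.scored.values())


def classify(question: Question, answer: str) -> Optional[Category]:
    """Return the first anticipated category whose keyword appears in the answer."""
    text = " ".join(answer.lower().split())
    for category in question.categories:
        if any(keyword in text for keyword in category.keywords):
            return category
    return None


def score_session(session: str, matrix: Tuple[Question, ...],
                  transcript: List[Tuple[str, str]]) -> SessionResult:
    """Score one session's answers against the matrix; unknown qids raise KeyError."""
    by_id = {q.qid: q for q in matrix}
    result = SessionResult(session=session)
    for qid, answer in transcript:
        category = classify(by_id[qid], answer)
        if category is None:
            result.unanticipated[qid] = answer   # needs human review, not a score
        else:
            result.scored[qid] = (category.name, category.weight)
    return result


def max_score(matrix: Tuple[Question, ...]) -> int:
    """Worst case: every question answered with its highest-weight disclosure."""
    return sum(q.max_weight for q in matrix)


# Refusal categories are listed first so "I can't give you my username" is
# matched as a refusal before the "username is" disclosure trigger is tried.
REFUSE = Category("refuse", ("can't", "cannot", "not allowed", "won't"), 0)
VERIFY = Category("verify", ("call you back", "ticket", "verify"), 0)

MATRIX = (
    Question("Q1", "This is the helpdesk; confirm your username so I can reset your VPN?",
             (REFUSE, VERIFY, Category("disclose", ("username is", "login is"), 3))),
    Question("Q2", "Which VPN client version are you running?",
             (REFUSE, Category("disclose", ("version", "build"), 2))),
    Question("Q3", "Read me the six-digit code that just appeared on your phone.",
             (REFUSE, Category("disclose", ("code is", "digits are"), 5))),
)

# Constructed transcript: (question id, what the target actually said).
TRANSCRIPT = [
    ("Q1", "Sure, my username is jdoe, that's j-d-o-e."),
    ("Q2", "It says version 4.10.2 on the about screen."),
    ("Q3", "Hold on, my manager just told me to transfer all of these to security."),
]


def demo() -> SessionResult:
    result = score_session("2006-02-06", MATRIX, TRANSCRIPT)
    print(f"session {result.session}: {result.score}/{max_score(MATRIX)} disclosure points")
    for qid, answer in result.unanticipated.items():
        print(f"  {qid}: unanticipated answer, review manually: {answer!r}")
    return result


if __name__ == "__main__":
    demo()
```

Running `demo()` on the constructed transcript scores Q1 and Q2 (5 of a possible 10 disclosure points) and lists Q3 as unanticipated, since "transfer to security" is neither a refusal nor a disclosure in the matrix; that answer goes back to the tester for review and, if it recurs, becomes a new anticipated category. Keyword order matters: refusals are tried before disclosures so that a refusal which merely mentions the sensitive item is not scored as a leak.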