Penetration Testing: RE: Testing the user community

["Paul Melson" <pmelson () gmail com>]

> We all know our weak link but how do you identify just how weak they are?
I think it's time to pen test 
> my user community and have a couple ideas to gather statistics on just how
nonaware they really are. 
> Maybe a simple phishing scam and bogus email with a fake virus attachment
that emails me when it's 
> opened so I can track how many folks actually opened it.  Has anyone ever
done this before? I can't find 
> any information about it on the web.. thoughts and ideas anybody?
I think you're pointed in slightly the wrong direction here.  It will be
almost meaningless to test whether or not your staff may be susceptible to
phishing, phone-based, or in-person social engineering tactics unless you
have something to measure that against.  For instance, is there a disclosure
policy in place and if so, what does that include?  Have users received
training or other communication on threats and countermeasures for phishing?

You will find that your results will be more meaningful and it will be
easier to create an effective action plan based on those results if there is
some way of identifying deficiencies relative to what the *company* is
doing, not what the users are doing.  Just coming up with a list of people
that fell for a phishing scam or willingly traded their password for a Take
5 bar isn't going to be all that useful other than to underscore that
phishing works and candy tastes good.

PaulM


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------