Thursday, October 25, 2007

Social engineering in penetration testing: Cases

Network World

Security Strategies




Network World's Security Strategies Newsletter, 10/25/07

By M. E. Kabay

My friend and colleague Dr. John Orlando helped create the Master of Science in Information Assurance at Norwich University and has been teaching ethics courses for many years. He recently wrote a paper on the ethical dimensions of social engineering as a tool of penetration testing and has kindly allowed me to publish an edited version of his work for Network World readers.

What follows in this column and the next is entirely Orlando’s work with minor edits.

* * *

Penetration testing is an important means of assessing the strength of an organization’s information security program. A security system may look good from the inside, but a test is an excellent way to determine if it will hold up under pressure. These tests can range from simple port scans to all-out hacking attacks.

However, since security depends on people, not just on technology, social engineering is one possible tool for use in penetration tests. Deception is a common means of breaching a security system, and a social engineering test can ascertain the strength of policies and how well employees follow those policies.

However, the use of social engineering in penetration tests raises ethical issues because humans are being used for research purposes. Abuses such as Nazi experiments on prisoners and the Tuskegee Syphilis Study have led to a body of widely accepted guidelines for the ethical use of human subjects in research. I will draw upon human research principles and a few sample cases to identify ethical guidelines for the use of social engineering in penetration testing.

Cases

Piggybacking: A security consultant wearing a suit and tie, and carrying a briefcase, stands at the front entrance to a corporation. He waits for an employee to unlock the door with her ID scan and follows her in.

Shoulder Surfing: A security consultant notices employees standing outside a door, smoking on their break. He walks over and mills about, looking over their shoulders as employees enter the keypad code to reenter the building. With that information he lets himself in.

Computer Technician: Two security consultants walk into an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant says, “Mr. Smith did not tell me about this, and he’s on vacation today and can’t be reached.” They reply, “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. If it burns up because we were not allowed to work on it, somebody’s going to get fired. Are you sure you didn’t forget the order?” The assistant nervously lets them in.

Bribery: A security consultant posing as a representative of another company approaches an employee outside of work and offers him $50,000 to get some memos concerning the company’s plans for a new product.

In the next column, Orlando presents his analysis of the ethical issues raised by these applications of social engineering. In the meantime, readers may want to apply the principles discussed in the recent series of columns about ethical decision-making and come to their own conclusions before reading his comments.

* * *

John Orlando, MSIA, PhD, is Instructional Resource Manager in the School of Graduate Studies at Norwich University. He earned his doctorate in philosophy from the University of Wisconsin at Madison in 1993 and has more than a decade of experience in online university education. He teaches undergraduate ethics and philosophy courses at Norwich and can be reached by e-mail


Contact the author:

M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site.

Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007