Social engineering in penetration testing: Analysis

Security Strategies This newsletter is sponsored by Juniper Networks Get the latest on NAC Learn the latest on Network Access Control in Network World's Perspectives Editorial Webcast. Discover how IT professionals can leverage this hot security technology in their networks, while also learning about key management areas that have not yet been perfected. Click here to listen today! Network World's Security Strategies Newsletter, 10/30/07 Social engineering in penetration testing: Analysis By M. E. Kabay John Orlando continues his two-part series on the ethics of social engineering for penetration testing. What follows in this column and the next is entirely Orlando’s work with minor edits. * * * Analysis Webcast: Get the latest on NAC Learn the latest on Network Access Control in Network World's Perspectives Editorial Webcast. Discover how IT professionals can leverage this hot security technology in their networks, while also learning about key management areas that have not yet been perfected. To learn more click here. The cases described in the previous column have been deliberately ordered from least to most ethically troubling. I would argue that there are morally relevant differences between the shoulder-surfing and piggybacking cases on one hand, and the computer technicians and bribery cases on the other. For one, the latter two penetration-testing cases expose the employee being tested to significant psychological stress. The employee in the computer technician example is worried about losing his job, while the one is the bribery example is faced with an offer to do something illegal. Moreover, the deception in the latter two cases is established by verbal manipulation. Why is this relevant? After all, all cases involve some level of misrepresentation, and we can just as easily misrepresent ourselves with our appearance and actions as we can with our words. The difference is that when the deception is established verbally, the deceiver is plugging into deep-seated psychological triggers humans use to establish trust with others. Con men are good at playing on these triggers, and while people can be expected to follow procedures, they cannot be expected to resist the kind of psychological manipulation employed by skilled manipulator. We would say the same thing of an attractive consultant soliciting an executive to see if he would exchange sex for secrets. The enticement is unfair. Moreover, the episode will undermine the employee’s trust in the company. There is also the question of the professionalism on the part of the consultant when he moves from providing security advice to acting. Once the deceiver starts the charade, he will not know how much acting will be needed to get the employee’s cooperation. At some point the question becomes whether the consultant is measuring the strength of the company’s security policies, or his own acting skills. The consultant has put himself or herself into a compromising situation that could undermine faith in the profession as a whole. Finally, what is the employer going to do with the employee in the bribery case if he agrees? The employer cannot trust the employee anymore, yet if he fires the employee, he can be accused of entrapment. These observations allow us to draw up some guidelines for the use of social engineering in penetration tests. Social engineering can be used in situations to gain knowledge of a security program that cannot be derived in other ways, but must be bound by ethical principles, including: 1. Just as human research guidelines demand that subjects are protected from harm, social engineering tests should not cause psychological distress to the subject. 2. Employees that fail the test should not be subject to public humiliation. The consultant should not identify an employee who fails a test to other employees or even the employer, as it might undermine the employer’s view of the employee. The information can be presented as part of an education program without identifying the employee. 3. Independent oversight is an important component of human research protocols. Just as universities have human research oversight committees, consultants should get approval from at least two individuals at the organization before using social engineering in a penetration test. 4. Testers should avoid any verbal misrepresentation or acting to establish the deception. * * * In the next column, I (Mich) will follow up on John’s articles by adding a few observations about when and how to use social engineering effectively in penetration testing. * * * John Orlando, MSIA, PhD, is Instructional Resource Manager in the School of Graduate Studies at Norwich University. He earned his doctorate in philosophy from the University of Wisconsin at Madison in 1993 and has more than a decade of experience in online university education. He teaches undergraduate ethics and philosophy courses at Norwich and can be reached by e-mail.  Editor's note: Starting Tuesday, Nov, 13, this newsletter will be renamed "Security Strategies Alert." Subscribers to the HTML version of this newsletter will notice some enhancements that will provide access to more resources relevant to IT security. You will still receive M. E. Kabay's analysis of this topic, which you will be able to read in its entirety online at NetworkWorld.com, along with links to relevant news headlines of the day. We hope you enjoy the enhancements and we thank you for reading Network World newsletters.   What do you think? Post a comment on this newsletter

MOST-READ STORIES: 1. Networking's 50 greatest arguments 2. Storm worm strikes back at security pros 3. Cisco certifications: All you need to know 4. Top 20 Firefox extensions 5. Technology's 10 most mortifying moments 6. 10 reasons ITIL spooks IT managers 7. Unlimited gall to cost Verizon $1 million 8. Storm worm can befuddle NAC 9. Leopard ships, 300 new features 10. Hackers use Cisco VoIP to access network MOST-READ REVIEW: HP's 'shorty' blade server takes fresh approach

Contact the author: M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site. This newsletter is sponsored by Juniper Networks Get the latest on NAC Learn the latest on Network Access Control in Network World's Perspectives Editorial Webcast. Discover how IT professionals can leverage this hot security technology in their networks, while also learning about key management areas that have not yet been perfected. Click here to listen today! ARCHIVE Archive of the Security Strategies Newsletter. BONUS FEATURE 90% of IT Managers are leaving their company at risk for a DNS ATTACK. Get the tools and resources you need to keep your DNS healthy and secure. Run a DNSreport on your domain today - 56 critical tests run in 8 seconds. Visit www.dnsreport.com to learn more. (apply coupon NWW2007NLA for a 25% membership discount) PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007