Social engineering in penetration testing: Planning

Security Strategies This newsletter is sponsored by Secure Computing Webinar: Network Security Learn how token-based, one-time password authentication systems can help enterprises reduce business risk, better comply with regulations, are easy to manage and most importantly keep networks secure. Tune in to this webinar. Network World's Security Strategies Newsletter, 11/01/07 Social engineering in penetration testing: Planning By M. E. Kabay In the two preceding columns, (Oct. 25 and Oct. 30) John Orlando discussed the ethical dimensions of social engineering in penetration testing. Today I want to look at how to use social engineering effectively for penetration testing. I have long believed and taught that social engineering can be useful for security testing, but only with careful preparation. The first and most obvious warning is that bad penetration testing in general is pointless unless the organization has implemented the best available security measures it can manage. Why bother testing security if even a simple vulnerability analysis or common sense assessment shows gaping holes? A penetration test of obviously flawed security is a waste of time and money. Webcast: Get the latest on NAC Learn the latest on Network Access Control in Network World's Perspectives Editorial Webcast. Discover how IT professionals can leverage this hot security technology in their networks, while also learning about key management areas that have not yet been perfected. To learn more click here. In a Network World column published in 2000, I pointed out that deception techniques should be used only with a great deal of preparation of the staff. When preparing for a penetration test that involves social engineering, everyone in the organization should be thoroughly trained to understand the techniques of social engineering before beginning the tests. The key points were as follows (from my article): * The entire organization can prepare for social engineering simulations as a team; no one is subjected to attempted deception without knowing that the experience was part of a training and awareness exercise. * Even if someone falls for a trick, the emotional effect is far less than if the same error occurred without preparation. I think that preparing staff for the onslaught of skilled social engineers has many benefits. We can frame the exercises as a form of game or contest: who will be the best at spotting the confidence tricksters? Who will be quickest to foil their nefarious plans? Role-playing games are an excellent way of changing beliefs, attitudes and behavior: having staff members take up the roles of social engineer and defender - and then reversing roles - is not only amusing, but it also has a long-term effect on people’s perceptions. It’s much easier to remember a social interaction we’ve experienced personally than to pay attention to abstract words. We can even turn the event into an opportunity for a good deal of fun and laughter, making security and secure behavior a positive experience instead of the usual drudgery. Moreover, in addition to risk avoidance (reducing the likelihood of hurt feelings, frustration and anger), solid preparation can result in increased vigilance at all times. Once staff members are sensitized to the social engineering tricks they’ve experienced in role-playing games, they are more likely to recognize them in strangers. Having practiced alerting the security team to apprehended breaches, they will find it easier to take the initiative later when they spot real breaches. In my next column, I’ll finish with this topic (for now) by discussing approaches to handling cases of successful social engineering. Editor's note: Starting Tuesday, Nov, 13, this newsletter will be renamed "Security Strategies Alert." Subscribers to the HTML version of this newsletter will notice some enhancements that will provide access to more resources relevant to IT security. You will still receive M. E. Kabay's analysis of this topic, which you will be able to read in its entirety online at NetworkWorld.com, along with links to relevant news headlines of the day. We hope you enjoy the enhancements and we thank you for reading Network World newsletters.   What do you think? Post a comment on this newsletter

MOST-READ STORIES: 1. Networking's 50 greatest arguments 2. Microsoft plots ambitious SOA roadmap 3. Google's social networking power move 4. IT pros share their horror stories 5. Is Fibre Channel dead? 6. Podcast: Real-life scary security stories 7. Attack code for Kodak bug in Windows 8. Cisco certifications: All you need to know 9. Top 20 Firefox extensions 10. Cisco's profits: 5 trends worth watching FEATURED BUYER'S GUDIE: Network Access Control

Contact the author: M. E. Kabay, PhD, CISSP-ISSMP is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site. This newsletter is sponsored by Secure Computing Webinar: Network Security Learn how token-based, one-time password authentication systems can help enterprises reduce business risk, better comply with regulations, are easy to manage and most importantly keep networks secure. Tune in to this webinar. ARCHIVE Archive of the Security Strategies Newsletter. BONUS FEATURE 90% of IT Managers are leaving their company at risk for a DNS ATTACK. Get the tools and resources you need to keep your DNS healthy and secure. Run a DNSreport on your domain today - 56 critical tests run in 8 seconds. Visit www.dnsreport.com to learn more. (apply coupon NWW2007NLA for a 25% membership discount) PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007