Security Strategies
Network World's Security Strategies Newsletter, 11/06/07

Social engineering in penetration testing: Postmortem

By M. E. Kabay

In the preceding column, I discussed how to plan for the use of social-engineering techniques in penetration testing. Today I will take a brief look at how to use the information collected during such studies.

In a Network World column published in 2000, I wrote, "In an organization-wide debriefing, the results of the tests can be discussed so that everyone learns from the experience without feeling humiliated. The essential point is that by turning penetration analysis into a collective exercise, the disadvantages of social engineering can be reduced."

If one or more people succeeded in resisting the social-engineering tricks, the atmosphere of the postmortem can be cheerful and low-stress: that's the easy case. One can capitalize on the success by analyzing the successful cases: ask the people involved how they spotted the fraud, how they responded, and whether there is anything they would suggest to improve the response. Ask the social engineers what they could have done to reduce suspicion or to respond better to the people who resisted. Role-playing is a powerful tool for such work, and afterwards the group can brainstorm additional countermeasures. The whole exercise becomes an opportunity for security improvement through encouragement, praise and good will.
But how can one approach the postmortem analysis to minimize stress when one or several people failed to counter the social engineers? Those people will be entering the discussion with a natural sense of discomfort at the least, and dread and shame at the worst. It is important to set the tone at once: "We're here to learn from the exercise - that's what it's all about. I don't want anyone to feel that they have failed the group or are a Bad Person: the exercise is _succeeding_ by bringing out areas we have to improve. Now let's get down to business."

And by the way, that statement has to be true: group leaders should not pretend that they are positive about the exercise if they are internally contemptuous and hostile because of the successful trickery of the social engineers. Instead, the group leaders have to either resolve their feelings before the meeting or find someone else to lead it.

During the postmortem, it can be helpful to use role-playing again. The people who were tricked can be encouraged to figure out what they missed, perhaps with the help of the social engineers or others. Group moderators can encourage those same victims of the trickery to act out successful resistance to the tricks, reinforcing the sense that the session is a learning experience. Keeping the tone light, friendly and positive will help counter what could otherwise become a session of bitter and dispiriting self-flagellation.

Most important in all cases is to keep a record of the suggested improvements and then to plan how to implement them in a phased sequence according to the criteria the group decides on. The criteria for scheduling the improvements can include resource limitations and dependencies among the recommendations (critical-path charts can help sort out those problems).

Editor's note: Starting Tuesday, Nov. 13, this newsletter will be renamed "Security Strategies Alert."
Contact the author: M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt.

Copyright Network World, Inc., 2007