Re: Penetration Testing - Human Factor
- From: "K K Mookhey" <kkmookhey@xxxxxxxxx>
- Date: Thu, 24 Aug 2006 01:57:09 +0530

Isn't it also about the fact that people are very hesitant to report
incidents where they've been taken for a ride, and more willing to admit
technical goof ups such as not applying a patch?

We've offered clients social engineering attacks as part of pen-tests,
and have found takers for these too. Having said that, I think
targeted financial fraud leveraging computer systems usually happens
with a very strong component of social engineering, whereas regular
hacking (with possible financial results) is usually almost purely
technical.

Just my 2c.

KK

On 8/23/06, Joey Peloquin <joeyp@xxxxxxxxx> wrote:
> KeenerPB@xxxxxxxxxxxxxxx wrote:
> > I would disagree with Arian regarding the technical aspects of "true"
> > hacking...in my experience, social engineering plays a huge role in
> > successful compromise of a network. Most of the time the boundaries are
> > pretty tight so you have to lob one over the fence (social engineering) in
> > order to punch out from the inside to defeat the boundary devices.
>
> All due respect, I'm both an Enterprise pen-test customer and an internal
> pen-tester at the same company, and I don't see social engineering on the
> radar at all, save a mention as part of our security awareness program.
>
> How many enterprises do you all contract with that *actually* include social
> engineering, and the like, in the scope? We've paid as much as 40K for an
> engagement and it didn't include social engineering.
>
> -jp
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------