RE: Social Engineering Pentest



Social engineering is probably the toughest part of any assessment.
Here is an interesting article outlining a test on a bank branch:
http://www.governmentsecurity.org/forum/index.php?showtopic=27304&hl=social

Hope that helps you a bit.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Paul Melson
Sent: Wednesday, April 23, 2008 7:29 AM
To: Joseph McCray
Cc: pen-test
Subject: Re: Social Engineering Pentest

On Tue, Apr 22, 2008 at 5:16 PM, Joseph McCray
<joe@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I just got contacted by a customer that wants a pentest with the primary
> focus being Social Engineering. We do a few things, but the SE portion
> of our assessments isn't all encompassing by any means.
>
> If you do a healthy amount of SE in your assessments give me a holla
> because I'd really be interested in talking to you about developing a
> more thorough social engineering attack framework that we can customize
> for different customer verticals.

The thing about SE - in my opinion, anyway - is that testing it in any
meaningful way requires that you have something to test against. [1]

PaulM

[1] http://archives.neohapsis.com/archives/sf/pentest/2007-02/0016.html

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

