
Social Engineering

  • 04-03-2010 03:08PM
    #1
    Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭


    I can understand why businesses generally don't want social engineering as part of a pentest, but the article linked would suggest to me that they should reconsider, or that businesses should invest a bit more in security awareness training for their staff:

    http://www.theregister.co.uk/2010/03/04/social_penetration/


    Anyway, it's an interesting read.

    Are there any organisations in Ireland that provide social engineering as part of their pentest options?


Comments

  • Closed Accounts Posts: 3,572 ✭✭✭msg11


    Common sense really. Social engineering is about educating the person/staff. Think twice about letters, phone calls, etc.

    Just really asking yourself, who is this person asking me for this information, can I trust them? Should I check with someone else?

    Besides, if the company has in any way a decent security policy, it should be in it. And the problem should not get to any level of attack.


  • Registered Users, Registered Users 2 Posts: 498 ✭✭bobbytables


    Close on 100% of employees would care and react accordingly if they knew they were the weakest link in their corporate security chain in a particular situation. The problem as we all know is awareness and their incentive to behave appropriately.

    Policy cannot cover everything, and needs to be followed by humans. Management will make requests that will result in employees taking possible "short-cut" measures because the short-term benefits appear to outweigh any apparent risks.

    More often than not humans are the problem. When a technical system is designed, developed and deployed correctly to do a particular job, it will attempt to do that job with no exception. Humans, on the other hand, may not, because human nature is not that simplistic. We can be given a clear set of instructions, we can understand them, we are able to follow them, appreciate the benefits of doing so, but that does not mean that we always will without exception. The question of "can" is up to the people behind the policy and the demands of the enterprise in question, and is not the employee's problem IMO. If everyone is forced into a position where they have to adapt the policy to do what needs to be done, then the policy is not working.

    "Here's a list of rules, follow them..." is a very simplistic way of looking at a complex problem and cannot be expected to work flawlessly with humans. If a human is in breach of policy and could have completed a task whilst staying within the lines, then yes, they are at fault.

    There is always a trade-off between convenience vs. security. Humans will choose the option that has the greatest incentive for them that they are aware of and understand at the time. Machines do not behave based upon incentives.

    I am also shocked that companies do not invest in audits of personnel with regard to social engineering, but then again, what would happen...

    Management: "Mick, that phone call you got the other day, you shouldn't have told them your password, that wasn't the IT Dept."
    Mick: "Oh ****! Sorry, they said they were from IT."
    Management: "No, that was our auditors checking to see if they could get the info out of you, and you failed. If anyone claiming to be internal asks you for information, put them on hold and ring Mary in Personnel with their details to verify they are who they say they are."
    Mick: "Oh right, gotcha, I will do that the next time".

    The next time....(while Mick is under immense pressure)
    He knows that he's supposed to ring Mary, but he has been asked to do something and has a 5-minute deadline. In order to meet his deadline he doesn't have time to track down Mary and verify who's calling, because he's 90% certain that the other person is legit, and the incentive for him to meet his deadline is greater than his calculated 10% risk associated with the caller on the phone.

    **** security, human nature has his incentive right there.


  • Closed Accounts Posts: 2 Komplett: JJ


    Really cool article alright, it is amazing how silly people can be with their info at times.

    I've chatted to a good few security experts who despair at how relaxed some companies are on their security policies though and who only talk to employees about them once in a blue moon.


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    There is a very interesting article on this:
    http://fudsec.com/casual-hex-and-the-failure-of-security-awaren
    "Common sense really, Social engineering is about educating the person/staff. Think twice about letters phone calls etc.."
    That's where it always fails: you're preaching to staff, and it goes in one ear and out the other. Users always have different ideas to the security team: http://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html
    "Close on 100% of employees would care and react accordingly if they knew they were the weakest link in their corporate security chain in a particular situation. The problem as we all know is awareness and their incentive to behave appropriately."
    I would say less than 5%; if "security" is a barrier to them doing their work, they will work around it and not give a sh*t about the "weakest" link.
    "I've chatted to a good few security experts who despair at how relaxed some companies are on their security policies though and who only talk to employees about them once in a blue moon."
    That's because it's hard, takes "soft skills", and you need to get your users involved in the process, rather than preaching to them with security policies and "no Facebook" rules.

    SM

