Wednesday, April 16, 2008

Why Social Engineering works

Social Engineering has been mostly overlooked during most IT penetration tests in the past 10 years. However, the latest trend is to include it in all remote and onsite penetration tests. I agree with this principal idea, but not how it's implemented.

Face it, not everyone will be good at Social Engineering. This is the same thing that happened when every m$ shop said they could do penetration testing. The only difference is they relied on Nessus for the pentests. You don't really have that for Social Engineering yet, although I expect a dynamic tool in the near future.

Anyway, this is why Social Engineering works: http://en.wikipedia.org/wiki/Milgram_experiment

This was an experiment on the use of authority. If you remember, it is very close to the scene in Ghostbusters.

Basically, they bring in an actor, a scientist conducting the experiment, and a test subject.
The subject is misled into thinking they are performing a learning exercise. In reality, the scientist is recording how they react to authority when it overrides their personal beliefs.

This human instinct to respect authority is the main weakness in the defense against social engineering attacks. To protect against this, companies should put time into a security awareness program, because 90% of targeted social engineering attacks are successful in obtaining sensitive information. If the attacker has done enough research, the victim may willingly divulge internal passwords within a few minutes.