Thursday, November 3, 2011

Social Engineering : Always part of a full pentest


I've really been MIA with too much travel and family obligations. I'm definitely going to be posting more frequently going forward.
As I process the conversations I had during an interview with my friends at social-engineer.org, it got me thinking that I need to write a little blurb about SE and its value in the grand scheme of security assessments.

We'll start with the basics. Wikipedia defines social engineering as the art of manipulating people into giving out their confidential information; more precisely, "social engineering" is the act of psychological manipulation. So, a little about the elements that SE is comprised of.

Persuasion:
is, as it sounds, all about persuading the victim to willingly give you, "the attacker", the information you are after. This can take many forms; an easy example would be calling a victim and informing them that you are the new help desk temp who wants to make sure their computer is updated, and that they just have to provide you with their user name and password so you can check.

Phishing:
this is about cloning a legitimate authentication interface and getting users to enter credentials, or other personal information you may be interested in, into the cloned page rather than the legitimate one. An example would be cloning facebook.com and getting a user to enter their credentials, assuming your clone is actually facebook.com, thus providing you, "the attacker", with a copy of the credentials used. Note that the user typically lands on the clone through a link whose host merely resembles the real site (a brand name used as a subdomain of an attacker-owned domain, or a look-alike spelling), which is exactly what a user in a hurry does not check.
Apart from web pages, there are also phone and email phishing attacks, commonly used in most multi-vector SE attacks.
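As an added example (not code from the original post), here is the kind of check a defender, or a mail filter, can run over a suspicious message to spot links that only look like the legitimate site. It assumes the legitimate site is facebook.com, uses a simplified "last two DNS labels" rule for the registrable domain instead of the public suffix list, and carries a small, deliberately incomplete table of digit-for-letter look-alikes. The sample message is constructed for the example.

```python
"""Flag links whose host merely resembles the legitimate site.

Added example, not from the original post.  Assumptions: the legitimate
site is facebook.com; the registrable domain is approximated by the last
two DNS labels (no public suffix list); the confusables table is a small
illustrative subset, not an exhaustive one.
"""
import re
from urllib.parse import urlsplit

LEGIT = "facebook.com"  # assumption: the brand being impersonated

# Digit-for-letter substitutions often seen in look-alike hosts (partial table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host.

    'www.facebook.com' -> 'facebook.com'; 'facebook.com.evil.net' -> 'evil.net'.
    Multi-part public suffixes such as co.uk are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, legit: str = LEGIT) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the host in url."""
    parts = urlsplit(url)
    # urlsplit strips userinfo, so 'http://facebook.com@evil.net/' has
    # hostname 'evil.net'; a brand name in the userinfo is the classic trick.
    if parts.username:
        return "lookalike"
    host = (parts.hostname or "").lower()
    if not host:
        return "unrelated"
    if registrable_domain(host) == legit:
        return "legit"          # the real site or one of its subdomains
    brand = legit.split(".")[0]
    # Brand used as a subdomain/label of an attacker-owned domain, or spelled
    # with confusable characters (faceb00k).  Substring matching is crude and
    # will over-flag, which is the right bias for a phishing triage tool.
    if brand in host or brand in host.translate(CONFUSABLES):
        return "lookalike"
    return "unrelated"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every http(s) URL in text and classify its host."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample direct message, not a real capture.
SAMPLE_MESSAGE = (
    "hey check this out lol http://www.facebook.com/video/12345 "
    "or here http://facebook.com.login-verify.net/ "
    "also http://faceb00k.com/login and http://facebook.com@203.0.113.7/ "
    "unrelated: https://example.org/"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:10} {url}")
```

Anything classified as `lookalike` is worth a closer look before anyone clicks, and the `legit` verdict only says the host belongs to the real registrable domain, not that the page behind it is safe.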

Baiting: A baiting scenario could be one where malicious auto-run software is placed on thumb drives and, let's say, the attacker stands in front of a corporate building with a sign that says "Employee appreciation, please take one." When the drives are plugged in, they install or run malware such as a key logger with phone-home capabilities.

Physical: Physical is the in-person manipulation of the natural human tendency to trust. An example would be a badge-access-only door to a building: you show up during a busy time when people are frequently entering through that door, carrying a box of donuts and your briefcase while on the phone, and get someone in front of you to hold the door for you because "your hands are full".

These are a few of the most commonly used social engineering attacks, and with just that small glimpse into the doors social engineering can open, it's astonishing that many organizations still conduct full security assessments and opt not to have SE / physical security tested.
Social engineering is an initial attack vector that can not only circumvent technological controls but also be the initial phase in what may escalate into a full-blown multi-vector attack.
If organizations are going to do complete or full penetration tests and assessments, there should be no reason to exclude SE and physical. The value comes from having a more holistic understanding of your security posture, threats, and associated mitigations. Funding spent on beefing up only technological security is money well spent, of course; however, it may be a wasted investment if an individual can walk into your facility, unplug a device, and just physically remove it from the premises.

I will be posting the www.social-engineering.org podcast as soon as it's available.



Tuesday, January 18, 2011

The Return of Koobface


Haven't blogged in a while, but as the nostalgia wears off and I settle into 2011, I figured I would write up a quick post that a lot of you might find benefit from. Some of you may have heard of KOOBFACE before, and it looks like the infamous worm has made a return. The new campaign is spreading primarily on Facebook at this point, but a jump to Twitter is sure to follow in the hours and days ahead. A change from its predecessor: the new campaign is spreading via direct messages sent from compromised accounts rather than the wall posting of links as done before. Additionally, this new variant uses a lot of obfuscation in the links that are being sent, and they redirect the victim to a site that has the visitor install the payload via a "missing Flash plug-in".
For readers not familiar with KoobFace, some details about it, as per the team at Symantec:
Originally Discovered: August 3, 2008

W32.Koobface is a worm that spreads through social networking sites. W32.Koobface, an anagram of Facebook, is a worm that spreads primarily through social networking sites (hence the name) and uses compromised computers to build a peer-to-peer botnet. A compromised computer contacts other compromised computers to receive commands in a peer-to-peer fashion. The botnet is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements.

Infection
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.

The popularity of social networking sites is the key to W32.Koobface's ability to spread. By targeting social networking sites, the worm uses social engineering techniques to spread. Users of social networking sites can often be tricked into thinking that a link that has supposedly been posted by a friend or acquaintance is safe. Users may have difficulty determining if a link was posted by a friend or the worm.


Functionality
W32.Koobface builds a peer-to-peer botnet and it is used to install additional pay-per-install malware on the compromised computer as well as hijack search queries to display advertisements. Compromised computers contact other compromised computers to receive commands in a peer-to-peer fashion.

The worm is able to perform the following functions:
  • Spread through social networks
  • Steal confidential information
  • Inject advertising into web browsers
  • Redirect web browsing to malicious sites
  • Intercept Internet traffic
  • Block access to certain Internet sites
  • Start a web server to serve as a command and control server for other Koobface infections
  • Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
  • Steal software license keys
  • Break CAPTCHAs
  • Determine if a link is blocked by Facebook
  • Create new Blogspot accounts and pages
  • Modify the Hosts file