This is actually a very interesting debate.
Just to introduce the topic, in case you don’t know...
What is Penetration Testing
A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious cracker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.
What is Social Engineering
It’s a bit cheesy, but we often call this hacking the wetware (hardware, software and wetware meaning people).
Social Engineering is a form of intrusion that makes use of weaknesses in the non-technical aspects of the system: the wetware, also known as people. A common phrase would be ‘con man’, the most well-known form of social engineering. In the technological realm, social engineering relates to unauthorized access to computing resources or networks by exploiting human weaknesses.
In the historical sense, con men would engineer their way into certain resources: someone’s bank account, the shoe box under the bed and so on. In this context the social engineer would target someone who is authorized to use the network or resource they wish to access, and attempt to leverage some confidential information out of them that would compromise the network security.
This is what Mitnick was famous for, and what his book The Art of Deception is about.
I’ll probably cover this more later.
Does Social Engineering have a place in Penetration Testing?
Some people say yes, it’s the most effective way. Actually, I’ve found this true: the human element and the lack of education in the workplace is often the weakest link in the chain.
Does it have any place in security testing? I would say definitely yes. Some people would say perhaps it should be a separate project, not part of the ‘technical’ assessment of a security perimeter.
Of course it depends on the scope given by the client, but it should be part of any good Penetration Test or Vulnerability Assessment.
Why Social Engineering Should be in a Pen Test
For me, whatever you do to get into the network, or escalate your access, is part of a pen-test. If you are able to get users to divulge some kind of information that assists you in compromising or gaining access to something, then you are doing exactly what a real attacker would have been able to do. You might be able to trick them into telling you something via phone or e-mail, get them to physically do something like open a door or unlock a machine, or get them to run an executable or disable a firewall. You might be able to get them to do so under false pretenses, through their own ignorance or carelessness, or by other means. Whatever you do can be considered part of a pen-test.
Many recent studies have shown people are still incredibly gullible, and especially when presented with a ‘Free CD’ or something similar, they will happily put it in their drive and run it.
This means that, in reality, social engineering is an easy option for attacking a network: there is no IDS to worry about and no fear of being tracked through log analysis while attacking. Some attackers try to extract information about the network and internal devices by calling the IT staff and pretending to be a sales guy who is trying to sell a log analyzer or IDS. The staff will often say, “No, we don’t need a new firewall, we already have a Cisco PIX”.
Why Social Engineering Shouldn’t be in a Pen Test
Some would say social engineering is an altogether different game; the pen testing results could be used to socially engineer someone within the company, perhaps as an extension of the pen-test rather than a part of it.
The target of the pen-test might be in a physically different location (which makes the SE more difficult) or the native language of the target may be different (which makes the SE pretty much impossible).
Some people say don’t bother, because you WILL succeed with social engineering.
The main problem is that technical testing is fairly scientific: you can apply metrics to it, you can measure it and you can track its effectiveness.
Social engineering, by contrast, is still pretty much an art form and differs totally from person to person; it’s very hard to be scientific when it comes to conning people. Social Engineering may well be left out by large corporations unless it can be scientifically defined and metrics applied to it.
Things to Keep in Mind
However, there are a few important things to keep in mind. You want to definitely lay down the ground rules with whomever it is you are pen-testing for. They might just want to see what machines an exploit can break into. You might really upset some people and get in trouble if you start trying to gain physical access or send trojans to executives. Make sure they are aware of what you are doing and that you have approval. Get everything in writing or in your agreement somewhere.
Also there are many questions to be answered before doing an SE test – questions of legality, ethics and possible personal consequences for the people who were “duped”. These have to be taken into consideration and could mean the social engineering part is not possible.
Please bear in mind the welfare of the employees too, and consider adding a clause that protects the end-user from getting fired. Human nature is to be helpful; the problem is a lack of education, not a mistake from the user.
You can include social engineering or not based on the above information. If you don’t include it, you can always demonstrate it for information purposes to the management team or contact of the target organisation.
References: Discussion on SF Pen Test List