Penetration testing and social engineering

Barrett, Neil

doi:10.1016/s1363-4127(03)00007-4

Cited by 32 publications

(24 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The first two justifications are general for penetration testing and its benefits, and have been discussed earlier in the literature (for example, Barrett [6]). The third justification states that the risk induced by the test should be no greater than the risks we face in daily lives.…”

Section: Figure 9: Evaluation Of Both Methodologiesmentioning

confidence: 99%

“…OSSTMM also does not consider direct interaction between the penetration tester and the employees. Barret [6] provides an audit-based methodology for social engineering using direct interaction between the penetration tester and an employee. Since this is an audit-based methodology, the goal is to test all employees.…”

Section: Related Workmentioning

confidence: 99%

“…The employees should not be stressed, feel uncomfortable nor be at risk during the penetration test, because they might get disappointed with the organization, become disgruntled or even start legal action. Finally, the penetration test should be repeatable, reliable and reportable [6]. We call these the R* requirements:…”

Section: Requirementsmentioning

confidence: 99%

See 2 more Smart Citations

Two methodologies for physical penetration testing using social engineering

Dimkov

Cleeff

Pieters

et al. 2010

Proceedings of the 26th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and if not done properly can upset the employees, violate their privacy or damage their trust toward the organization and might lead to law suits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years.

show abstract

Section: Figure 9: Evaluation Of Both Methodologiesmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Two methodologies for physical penetration testing using social engineering

Dimkov

Cleeff

Pieters

et al. 2010

Proceedings of the 26th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

show abstract

“…The process of a social engineering attack consists of three phases: identify a potential target, data collection to understand and find weaknesses within the target and finally exploit the vulnerabilities identified [20]. This experiment followed the same phases.…”

Section: Proof-of-conceptsmentioning

confidence: 99%

The Dark Side of Web 2.0

Labuschagne

Eloff

Veerasamy

2012

ICT Critical Infrastructures and Society

View full text Add to dashboard Cite

Abstract. Social networking sites have increased in popularity and are utilized for many purposes which include connecting with other people, sharing information and creating content. Many people on social networking sites use these platforms to express opinions relating to current affairs within society. People do not realize the value of their data divulged on these platforms and the tactics implemented by social engineers to harvest the seemingly worthless data. An attack vector is created when a user can be profiled using responses from one of these platforms and the data combined with leaked information from another platform. This paper discusses methods for how this data, with no significant value to the users, can become a commodity to social engineers. This paper addresses what information can be deducted from responses on social news sites, as well as investigating how this information can be useful to social engineers.

show abstract

“…Researchers and organizations recognize that the employees are the weakest link in the organization [20,21,22]. Since the logs from the laptop thefts were insufficient to provide us with this information, we orchestrated a set of penetration tests where we used social engineering as a means to obtain a laptop.…”

Section: ) Limitation Of the Logsmentioning

confidence: 99%

Effectiveness of Physical, Social and Digital Mechanisms against Laptop Theft in Open Organizations

Dimkov

Pieters

Hartel

2010

2010 IEEE/ACM Int'l Conference on Green Computing and Communications &Amp; Int'l Conference on Cyber, Physical and Social Compu

View full text Add to dashboard Cite

Abstract-Organizations rely on physical, digital and social mechanisms to protect their IT systems. Of all IT systems, laptops are probably the most troublesome to protect, since they are easy to remove and conceal. When the thief has physical possession of the laptop, it is also difficult to protect the data inside. In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. The study considers the physical and social protection of the laptops. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results from the study show that the effectiveness of security mechanisms from the physical domain is limited, and it depends mostly from the social domain. The study serves as a motivation to further investigate the analysis of the alignment of the mechanisms across all three security domains to protect the IT assets in an organization.

show abstract

Penetration testing and social engineering

Cited by 32 publications

References 0 publications

Two methodologies for physical penetration testing using social engineering

Two methodologies for physical penetration testing using social engineering

The Dark Side of Web 2.0

Effectiveness of Physical, Social and Digital Mechanisms against Laptop Theft in Open Organizations

Contact Info

Product

Resources

About