Can Penetration Testing Take On Social Engineering?

You need to test your organisation’s security. But social engineering tests are an ethical minefield, says Eric Doyle

I was at the excellent Security B-Sides conference at the not-so-excellent Barbican in London last week. As this event grows, it could become an accurate indicator of what is really on the minds of IT security professionals. Every talk has been proffered and voted on by attendees before it makes the conference schedule.

The main topic this year appears to be social engineering – or maybe the speakers influenced the vote by employing their skills. It was during one of these presentations that my ears pricked up at the mention of the five Ws: Who, What, When, Where, Why (as well as the sixth member, How).

Journalists are social engineers

These are the first words most news journalists hear when they embark on their career, as well as the last words heard by the unsuccessful reporter, each one punctuated by a crushing blow from a rolled-up newspaper in the hands of an irate news editor (are there any other kinds of news editor?).

As Gavin Ewan’s talk progressed, I came to the realisation that we “gentlemen” of the press are nothing more than social engineers, skilfully teasing winkles of information from the shell of reticence. OK, no great revelation there. But it does underline that the skills needed to become penetration testers for what is the most prominent and pernicious threat facing any company today already exist in many people.

The skills Ewan outlined also included a good deal of psychobabble (which he admitted to), but he translated the terms into things we have all seen and heard. Perhaps the best social networkers are to be found in the marketing department, and it is there that the new breed of pen tester might be found. They have the social skills – if not the breeding – to win people over.

Those skills include mirroring and feigning interest in a target’s core values, using the autosuggestive tricks of Derren Brown, and a host of other subtle methods to make people buy into something they would not have accepted a minute or two earlier, or to divulge information they would not normally reveal.

The idea of pen testing the network using social engineering is gaining force because social engineering is becoming the most common entry point for an attacker, and a social engineering test is also the least expensive self-diagnostic security test available. Or, at least, it is when you find the right person to do it.

Is social pen testing ethical?

The fly in the ointment is the ethical aspect. The test is no longer a mere technical process but an actual attempt at manipulating employees. That is a tough one to argue with the Human Resources department, even on a good day – the people who often know more about anyone in the company than anybody else, and who have a duty to uphold workers’ rights.

HR will probably have to be informed before any test is done, and that means they must also be exempt from a process in which surprise is the main tool. That leaves a massive hole in the pen test: if I were planning a silver-tongued assault on a company, HR would be one of the first sources of information I would target.

However, the weak links should still be sought out and embarrassed just enough that they will be more careful in future. Not publicly humiliated, as in the old Candid Camera TV show and its subsequent imitators, but made to realise when to hang up on a caller or when to end an email correspondence.

Social engineers are honing their craft. Ewan himself is using his master’s degree in psychology and economics to develop a “social engineering framework”. We need not only pen testing for this threat but also staff training courses on resisting being taken for a ride.
