Some security pros strongly believe that social engineering tests should never be part of a penetration test. The reasoning is that security personnel need to cultivate deep trust with all employees in their enterprise.
Without this trust, these employees may ignore the security advice from people who have duped them in the past as part of a social engineering exercise during a penetration test. Worse yet, employees who are found to be lacking good security practices during such a test may passively or actively undermine other security initiatives, poisoning the well of goodwill needed to improve security throughout an organization.
On the other side of this issue, some argue that ensuring employees understand and follow sound security practices is just as vital as, if not more vital than, an organization's technical architecture and configuration. Even if there were such a thing as perfectly secure technology (which there isn't), a user who doesn't follow solid security practices could undermine the entire organization. And if employee practices can't be measured, how can anyone determine whether they are any good? One of the best ways to measure security practices is to throw staged social engineering attacks against a target organization and observe how its people respond. Such tests give a more realistic view of employee behavior than a survey or quiz, where employees tend to answer as though they were model citizens.
While I have immense respect for both sides of this argument, I tend to side with the second camp. Social engineering tests can be highly revealing, showing flaws in the security awareness program of a target organization. Specific findings can help the organization create better awareness in a quick and cost-effective manner. However, such tests must be conducted with extreme care and professionalism. Before starting any social engineering tests, be sure to:
- Scope out what will be tested and create a script with specific pretexts.
- Be sure management agrees in advance that specific employee names will not appear in the final report. Instead of seeking individuals to burn, the test should focus on identifying organizational weaknesses and recommending improvements across the employee base.
- Document all interactions during the test (pretext used, what was requested, how the employee responded) so that findings can be substantiated, but keep the names of individual employees out of the final report.
- Consider whether your organization has the expertise to manage this kind of testing, or if it should hire a third party.
This was first published in April 2008