
Should social engineering tests be included in penetration testing?

Information security threats expert Ed Skoudis weighs the positive and negative aspects of allowing social engineering tests to be a part of the penetration testing process.

Should efforts to exploit social engineering be part of a penetration test? Is it ethical to do this?

The answer to this question is mired in controversy. Let me spell out the arguments of both sides of this sticky issue in as non-biased a fashion as I can. Then I'll offer my opinion on the matter.

Some security pros strongly believe that social engineering tests should never be part of a penetration test. The reasoning is that security personnel need to cultivate deep trust with all employees in their enterprise.

Without this trust, these employees may ignore the security advice from people who have duped them in the past as part of a social engineering exercise during a penetration test. Worse yet, employees who are found to be lacking good security practices during such a test may passively or actively undermine other security initiatives, poisoning the well of goodwill needed to improve security throughout an organization.

On the other side of this issue, some argue that ensuring employees understand and follow sound security practices is just as vital as, if not more vital than, an organization's technical architecture and configuration. Even if there were such a thing as perfectly secure technology (which there isn't), a user who doesn't engage in solid security practices could undermine the entire organization. And if employee practices can't be measured, how can it be determined whether they are any good? One of the best ways to measure security practices is to run staged social engineering attacks against a target organization and observe how its staff respond. Such tests give a better real-world view of employee actions than a survey or quiz, where employees tend to respond as though they were model citizens.

While I have immense respect for both sides of this argument, I tend to side with the second camp. Social engineering tests can be highly revealing, showing flaws in the security awareness program of a target organization. Specific findings can help the organization create better awareness in a quick and cost-effective manner. However, such tests must be conducted with extreme care and professionalism. Before starting any social engineering tests, be sure to:

  • Scope out what will be tested and create a script with specific pretexts.
  • Be sure management agrees in advance that specific employee names will not be mentioned in the final report. Instead of seeking individuals to burn, the test should be focused on identifying organizational weaknesses with recommendations for improvement across the employee base.
  • Document all interactions during the test, but don't include employee names in the final report.
  • Consider whether your organization has the expertise to manage this kind of testing, or if it should hire a third party.

For more information:

  • Learn why senior level executives are a target for social engineering attacks, and how to increase security awareness among them.
  • In this Q&A, Ed Skoudis reviews the actions of a mail server when it is presented with a bogus email address.

This was last published in April 2008.
