Methodology of information gathering and testing in social engineering

July 28, 2015 | Views: 2609


Information gathering for social engineering draws on information that the target organization has made available, knowingly or unwittingly.
As with anything, ethical considerations should be taken into account first. To answer the question of whether the use of social engineering techniques as part of a penetration test is acceptable, it should first be shown why social engineering succeeds at all:
The techniques work because all people have certain traits or character weaknesses that can be exploited. These include thoroughly positive traits such as politeness, a moral sense of duty and willingness to help, but also less positive characteristics such as opportunism and the reluctance to accept responsibility.

Because the use of social engineering techniques usually involves, among other things, exerting direct influence on the client's employees in order to check their reliability and their security awareness, this could cause discomfort to those affected. This is all the more likely when social engineering techniques are carried out without prior notice and only "resolved" afterwards.
The use of social engineering should therefore be considered very carefully. In every case the tester must explain the possible consequences of social engineering to the client and point out that, without prior user training, this technique will most likely be successful, and that this may then have a negative impact on the employees.

1. Information Gathering for Social Engineering
Test steps:
Analysis of the information on the website of the target organization
Analysis of information from print media or databases
Search of newsgroups for e-mail addresses of employees and applications of the target organization that were published in postings

Requirements:
Company name or name of the institution

Expected Results:
Identification of the relevant departments
List of persons working in the relevant departments: names, function descriptions, e-mail addresses of potential targets
Organization charts of the target organization with the various hierarchical levels and management positions (department heads, etc.)
Structure of e-mail addresses, internal mailing lists and typical senders of internal mailings

2. Information Gathering for computer-based Social Engineering

Test steps:
Analysis of the target organization's website for information on the operating systems and applications in use
Research of the organization's job postings with regard to the IT systems in use
Research in support forums for postings by employees of the target organization
Identification of the mail programs of the target organization / employees based on the mail headers

Requirements:
Information on departments / people / organization, etc.

Expected Results:
List of IT systems and IT applications used in the various departments
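
What the mail-header step above looks at, as an added example that is not part of the original article: a short Python audit an organization can run over samples of its own outbound mail to see which client software, server software and internal addresses the headers disclose. The sample message, host names and product names are constructed, and the header list is an assumption about commonly seen headers.

```python
import ipaddress
import re
from email import message_from_string

# Headers in which mail clients commonly identify themselves (assumed list).
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE")
# "by <host> (<software banner>)" inside a Received header.
MTA_BANNER = re.compile(r"\bby\s+\S+\s+\(([^)]+)\)")
# Bracketed IPv4 address of the submitting host inside a Received header.
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample of an outbound message; every name in it is made up.
SAMPLE = """\
Received: from ws-17.corp.example (ws-17.corp.example [10.1.4.17])
 by mail.example.org (ExampleMTA 4.2.1) with ESMTP id ABC123;
 Tue, 28 Jul 2015 09:12:44 +0200
From: Jane Doe <jane.doe@example.org>
To: partner@example.net
Subject: Quarterly figures
X-Mailer: ExampleMail 11.0 (Windows NT 6.1)

Hello
"""

def audit_headers(raw):
    """Return (header, category, value) tuples for disclosing headers."""
    msg = message_from_string(raw)
    findings = []
    for name in CLIENT_HEADERS:
        for value in msg.get_all(name, []):
            findings.append((name, "client software", " ".join(value.split())))
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # undo header folding
        for banner in MTA_BANNER.findall(flat):
            findings.append(("Received", "server software", banner))
        for ip in BRACKET_IP.findall(flat):
            try:
                if ipaddress.ip_address(ip).is_private:
                    findings.append(("Received", "internal address", ip))
            except ValueError:
                pass  # bracketed text that is not a valid IPv4 address
    return findings

if __name__ == "__main__":
    for header, category, value in audit_headers(SAMPLE):
        print(f"{header:10} {category:17} {value}")
```

Headers reported by the audit are candidates for removal or rewriting at the outbound mail gateway.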

3. Information Gathering for personal Social Engineering

Test steps:
Analysis of the contact information on the website of the target organization
Analysis of contact and customer information from print media or databases
Observation of the building of the target organization
Identification of service companies through telephone inquiries


Requirements:
Information on departments / people / organization, etc.

Expected Results:

List of service companies that work for the target organization
List of important customers of the target organization
Information on the location of the various departments within the building.


Methods
1. Computer-based social engineering

An attempt is made to influence a person by means of suitable computer-based manipulation techniques, e.g. by exploiting curiosity or helpfulness, in order to obtain system rights.

Test steps:
Contacting the target person via e-mail
Deceiving the target person into installing special programs, for example a keylogger
Prompting the target person, by means of fake system messages, to enter user name and password

Requirements:
Information about target systems, applications and persons.

Expected Results:
Access to the network or systems of the organization
List of system and application passwords

Risk:
The attack could be recognized as such and cause irritation in the target person.
The special programs could interfere with operations.

2. Direct, personal social engineering with physical access
An attempt is made, through direct contact (e.g. by visiting) with a person who has privileged knowledge, to gain access to confidential information. This involves, for example, attempting to get the person to disclose information under the pretense of a relationship of trust.

Test steps:
Personal contact with the target person (for example as a service technician, new employee, etc.)
Pretense of a relationship of trust in order to get the person to hand over information (for example handing over a key or disclosing passwords)

Requirements:
Information about target systems, applications and persons.

Expected Results:
Relevant information such as passwords, system configurations, etc.

Risk:
The attack could be recognized as such and cause irritation in the target person. If relevant information is handed over, this fact could strain the relationship between the target person and the target organization once the penetration test has been resolved and the person becomes aware of their misconduct, especially when the target person is an employee of the target organization.


3. Indirect, personal social engineering without physical access
An attempt is made, through telephone contact with a person who has privileged knowledge, to find out secrets. This involves, for example, attempting to get the target person to divulge information under the pretense of a relationship of trust.
The target person may be an employee of the organization or another insider. In this context, the naivety of the target organization's employees and their need to be involved and helpful are exploited.


Test steps:
Contacting the target person by phone or e-mail
Pretense of a relationship of trust in order to get the person to hand over information (e.g. posing as administrator, employee, remote supervisor, etc.)

Requirements:
Information about target systems, applications and persons.

Expected Results:
Relevant information such as passwords, system configurations, etc.

Risk:
The attack could be recognized as such and cause irritation in the target person. If relevant information is handed over, this fact could strain the relationship between the target person and the target organization once the penetration test has been resolved and the person becomes aware of their misconduct, especially when the target person is an employee of the target organization.

10 Comments
  1. Or you could submit another article on this subject…go for it!

  2. such a poorly constructed article with no flow, clear with editorial errors
