now, assuming that I've gotten sign off from senior management, I know our purpose. I've got the rules of engagement. Generally, when we talk about penetration testing their three main steps that I go through, I go through reconnaissance, that I conduct the tests and then I report on the material.
Now I will mention that any time there's a significant
vulnerability that's detected, I need to halt the testing and alert senior management. So if I worked for financial industry and I found a vulnerability that could cause customer financial data to be leaked to attacker, we gotta stop. Go immediately to senior management
for any of those significant security issues.
Now, with reconnaissance, reconnaissance is all about what can I learn about your company from publicly available sources? And the answer is a lot. I can learn a lot about your organization from the Internet, and there are 1,000,000 different places to go. You know, there are, um,
there's who is having the Internet that will tell me your domain name, and that may be common information.
I confined store numbers, branch numbers, uh, management, contact information. A lot of times I can see the the chief officers of your organization. I can look at job sites where you're requesting to hire a juniper technician, and that gives me an idea
of what systems you have. Or maybe you need a
a UNIX bind. Administrator. So now I know that you're running UNIX. Um, I can find all sorts of information out on the Web about your organization.
Most of this. The whole purpose is to use in a social engineering attack because that's the easiest way for me to get access to your network. Let me call. Let me, um, build up trust with one of your employees. Let me get one of your employees to install some software that I send them on his or her computer.
let me get in on employees to let me have access to the building or give me password information. I know what we're thinking is surely no employees that works for me would ever disclose passwords to a system. You'd be surprised.
The whole purpose of social engineering is for me to gain information as if I'm a trusted entity in the more ways that I can convince you that I am trusted and I am trustworthy. The more ways I can authenticate to you that I'm legitimate, the more likely I am to be successful.
So, for instance, if I look a publicly available sources
and I find out that you have a story in Tampa in that store store 54 19
and I've got the phone number, I'm gonna call you up and say, Hey, this is Kelly from store 54 19 the Tampa office. I need some information from you.
All right. Now, without even you really thinking about it, I've just given you some jargon that on Lee, an internal employee would know that store number. You look down at your phone and you see the phone number from the Tampa location. I've just sort of legitimized myself.
Now it's easy for anybody to find the store number. You go out, look at any receipt you get. You'll see this store number up at the top,
uh, full number spoofing with smartphones. Very, very easy to make it look like a call comes from a certain phone number. But all of these little ways, I'm just very subtly planning in your mind. You can trust Kelly
Trust Kelly. She has a right to know the information she would ask.
And then there lots of other tricks social engineers use. You know, we come across with the sense of urgency. Listen, I know it's four o'clock on a Friday afternoon. You're the only person I can get ahold of, and we've got to make this happen now.
Never underestimate flattery.
Listen, John Smith told me to call you. He said you were the only person in your department that can get something done. I hope that's true, because I really need to make this happen by close of business.
I've always known I was the only person in this department who could get anything done. Now, I've just had somebody else confirmed that, and they just told me that my boss knows that as well. I'm feeling pretty good. As matter of fact, I'm feeling in the mood to disclose some confidential information right now.
So social engineers have the full spectrum of tricks in their bag. They're very polished. These are the folks that would make very good sales people. Very good content is my friend. They are con artists. And I can't tell you how many times I've seen people give out sensitive information.
And then when you confront him with that, they say, Well, they were just so nice.
You know, the Today show, um, hired a security firm to set up a little kiosk at the mall, and they had a banner that essentially said, 0% interest. First year, no annual fee. Uh, and if you think about it
and I think they had something like 95 people apply the first day that kiosk was at the mall. And think about the information that you fill out when you apply for a credit card. I mean everything. Your Social Security number, your financial history. You might give him your checking account number, your personal information.
And, you know, they were very smart, because think about it. They were targeting college students, and they were targeting college students for a couple of reasons. They tend to not have much experience out in about. They tend to be a little bit more naive, a little bit more willing to give over that information, but another reason.
So we're getting all their financial information, hopefully with the idea of identity theft
and, you know, maybe, uh, setting up a real credit card in that person's name, and we would use that for our own purchases. Often, college students haven't had time to wreck their credit yet. So now I have all these people with these brand new, clear credit histories
that are a little bit more naive than perhaps folks that have been seasoned and have been around for a while
and just person after person coming in filling out financial information, Social Security numbers. And, like I said when they were queried afterwards, you know, didn't you think that was? Weren't you a little bit concerned about giving that personal information?
And the number one answer was, Yeah, I felt a little weird, but they were so nice, I really felt comfortable with people I was dealing with,
You know, criminals very rarely, where the mask and walk around scowling. Today's criminals are very savvy, with very high social skills. As a matter of fact, one of the articles I was recently reading is organized Crime has found it infinitely more profitable to be involved with identity theft,
as have gangs. A lot of games that have made their money traditionally with dealing with street crime and drugs, have found that it's much safer to move inside, get behind a computer, to commit theft, to gain profit or to make profit with a lot less risk. So this is a
huge criminal industry,
and social engineering is the greatest vulnerability that we have. Somebody in your organization is gonna give out more information than they should
conduct audits. Do your vulnerability assessments in your pen tests, hold your people accountable for what you find. The whole purpose of reconnaissance is for me to gather up information so I can legitimize myself to a user so that they trust me. If they trust me,
they're gonna give me access to a system, either by giving me a password
or I'll say, Listen, I have this document I gotta send to you. Can you take a look at it and see if it's accurate?
Well, you open up that document that also installs backdoor software, perhaps on your system. So
ultimately, what I'm trying to do is get a toehold on your system. Reconnaissance is a good way to do that. Now, as a vulnerability assessor, a pen tester, I'm gonna then conduct my testing. What can I exploit? What can I access? What could be compromised? And then, of course, I'll conduct a report on that information