Hello all-

Okay so I am working on updating our internal penetration testing procedures, looking through volumes of information, including this site, asking questions, including at this site, and I think I have a pretty good start, and I show my manager, and she say "What about Social Engineering?" And I says "Social Eee-yah?!? I'm not social, that's why I was in IT and now Auditing!" And she says "Shut yer yap, go find some information on it and make some procedures for us, ya mug!" So I says to myself, "Awright ya mug, go finds some information on Social Engineering." So I does. What I found, in terms of security and auditing, and I'm sure many security and auditing savvy people in this community already know this, is that Social Engineering is an area ripe for testing and strengthening.

As I already noted to you, I am not social, nor an engineer, nor do I claim to be an expert in this area of social engineering; I just want to share what I have found so far, and if I find more information, or if any of you have some now or find some, I would ask that you add it as well. I found smarter people than I, there's about 6 billion of them, who wrote some good or not so good, depending on your opinion, papers on the subject. My goal is to become educated enough, write some procedures on testing and documenting in the area of social engineering, present that to my manager and team, let IT and IT Security know about it, and then during audits, start to test and see where it takes us.

At this point, well any point, I am open to suggestions or advice on this subject and how best to proceed, based on experience and/or knowledge. This is obviously not a new area of possible intrusion; however, after reading what I have so far come across, I believe people need to be aware of this avenue of possible attack and compromise and how best to defend against it. Besides saying "You'll neva get me schee!?!"

Links to Definitions of:

1. Wikipedia Definition: http://en.wikipedia.org/wiki/Social_...uter_security)

2. Wikipedia Definition with Kevin Mitnick - with listings of his books: http://en.wikipedia.org/wiki/Kevin_Mitnick

Links to Articles/Papers on:

1. SANS Reading Room - Social Engineering: http://www.sans.org/rr/whitepapers/engineering/

2. SANS Reading Room - Social Engineering - "Social Engineering: Understanding and Auditing" - great paper: http://www.sans.org/rr/whitepapers/engineering/1332.php

3. Article/Short Paper from Security Focus: http://www.securityfocus.com/infocus/1527

4. Network Security Library - okay paper: http://www.secinf.net/Network_Security/Social-Engineering-The-Weakest-Link.html

5. From ISACA (Information Systems Audit and Control Association) - "Social Engineering - A Tip of the Iceberg": http://www.isaca.org/Content/Content...he_Iceberg.htm

Also - I forgot before - if you do read one or more of these papers, you will obviously find, in no time, more resources on this subject matter. I did not want to repeat them here, unless they really stand out.

Also 2 - Before engaging in this type, or any type, of audit activity, ensure you have written permission to test and, in most cases, inform IT and IT Security Management. (thanks to Aspman for the advice) There may be cases where you do not inform certain parties; however, ensure you and/or your team are covered in case something goes wrong.

Thanks for your time.