
Thread: Social Engineering Links and Information

  1. #1
    genXer (Senior Member, joined Jun 2005, 252 posts)

    Social Engineering Links and Information

    Hello all-

    Okay so I am working on updating our internal penetration testing procedures, looking through volumes of information, including this site, asking questions, including at this site, and I think I have a pretty good start, and I show my manager, and she say "What about Social Engineering?" And I says "Social Eee-yah?!? I'm not social, that's why I was in IT and now Auditing!" And she says "Shut yer yap, go find some information on it and make some procedures for us, ya mug!" So I says to myself, "Awright ya mug, go finds some information on Social Engineering." So I does. What I found, in terms of security and auditing, and I'm sure many security and auditing savvy people in this community already know this, is that Social Engineering is an area ripe for testing and strengthening.

    As I already noted to you, I am not social, an engineer, nor do I claim to be an expert in this area of social engineering, I just want to share what I found so far, and if I find more information, or any of you have now or find, I would ask to add it as well. I found smarter people than I, there's about 6 billion of them, who wrote some good or not so good, depending on your opinion, papers on the subject. My goal is to become educated enough, write some procedures on testing and documenting in the area of social engineering, present that to my manager and team, let IT and IT Security know about it, and then during audits, start to test and see where it takes us.

    At this point, well any point, I am open to suggestions or advice on this subject and how best to proceed, based on experience and/or knowledge. This is obviously not a new area of possible intrusion, however, after reading what I have so far come across, I believe people need to be aware of this avenue of possible attack and compromise and how best to defend against it. Beside saying "You'll neva get me schee!?!"

    Links to Definitions of:

    1. Wikipedia Definition: http://en.wikipedia.org/wiki/Social_...uter_security)

    2. Wikipedia Definition with Kevin Mitnick - with listings of his books: http://en.wikipedia.org/wiki/Kevin_Mitnick

    Links to Articles/Papers on:

    1. SANS Reading Room - Social Engineering: http://www.sans.org/rr/whitepapers/engineering/

    2. SANS Reading Room - Social Engineering - "Social Engineering: Understanding and Auditing" - great paper: http://www.sans.org/rr/whitepapers/engineering/1332.php

    3. Article/Short Paper from Security Focus: http://www.securityfocus.com/infocus/1527

    4. Network Security Library - okay paper: http://www.secinf.net/Network_Security/Social-Engineering-The-Weakest-Link.html

    5. From ISACA (Information Systems Audit and Control Association) - "Social Engineering - A Tip of the Iceberg": http://www.isaca.org/Content/Content...he_Iceberg.htm

    Also - I forgot before - if you do read one or more of these papers - you will obviously find out in no time, more resources on this subject matter, I did not want to repeat them here, unless they really stand out.

    Also2 - Before engaging in this type, or any type of audit activity, ensure you have written permission to test and in most cases, inform IT and IT Security Management. (thanks to Aspman for the advice) There may be cases where you do not inform certain parties, however ensure you and/or your team is covered in case something goes wrong.

    Thanks for your time.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #2
    Frustrated Mad Scientist (joined Dec 2004, 1,152 posts)
    You've already got Mitnick down.
    Bruce Schneier covers SE in his books (Secrets and Lies anyway) but with other things.
    http://www.schneier.com/books.html

    Ask Gore, he's a student of SE.

    A lot of it is common sense if you just think about it and the only real defense is user awareness and training.

    Do it yourself, phone up staff from a cell phone and try to con their passwords out of them.

    Tuck your pass in a pocket, wander round and sit at other people's desks. Tailgate people into work without using your pass.

    Remember to get a "get out of jail" pass in writing from senior management before you go playing though. You'll piss people off and scare them even if it is for their own good.

  3. #3
    genXer (Senior Member, joined Jun 2005, 252 posts)
    Remember to get a "get out of jail" pass in writing from senior management before you go playing though. You'll piss people off and scare them even if it is for their own good.
    Thanks Aspman for your feedback and information, along with the above sound advice. I have updated my original post to further reinforce that point.

  4. #4
    Junior Member (joined Sep 2005, 16 posts)
    You got a good start but here are some more,

    SE kiddie Forum
    http://www.socialengineering101.com/

    More Tech side of SE
    http://www.isoc.org/isoc/conferences...gs/3g/3g_2.htm

    An old article but still worth reading
    http://cybercrimes.net/Property/Hack...PsySocEng.html

    Security focus articles
    Part 1
    http://www.securityfocus.com/infocus/1527
    Part 2
    http://online.securityfocus.com/infocus/1533

    Just for the hell of it, the tech side of phishing
    http://www.honeynet.org/papers/phishing/


    The pyramid of Social Engineering: Attitude, Knowledge, and Perception.

  5. #5
    genXer (Senior Member, joined Jun 2005, 252 posts)
    Great - thanks J4NK for the additional information!

    And like a knob - I forgot to check for already existing documentation here on the site, ok, actually I did, just did it wrong. Anywho, this is what has been already discussed before - starting from oldest to newest - ah yeessssssssssss!

    1. http://www.antionline.com/showthread...hreadid=240028 Last update: 14.02.2003

    2. http://www.antionline.com/showthread...hreadid=244188 Last update: 26.05.2003

    3. http://www.antionline.com/showthread...hreadid=251805 Last update: 05.12.2003

    4. http://www.antionline.com/showthread...hreadid=252395 Last update: 15.12.2003

    5. http://www.antionline.com/showthread...hreadid=257966 Last update: 22.05.2004

    6. http://www.antionline.com/showthread...hreadid=270602 Last update: 16.09.2005

    My apologies for that, however, had I posted on an older thread, I would have most likely been negged from here to Mars, and I would rather save those occasions for when I stick my whole leg in my mouth, not just my foot.

    Also - my "Auditor Sense" is kicking in - was the following from "The Specialist" or one of his alter-egos?
    Ask Neg instead. He's been the victim of the equivalent of a 419 scam.
    And Gore has never admitted that he looks up to me.
    Thanks again all.

  6. #6
    Senior Member (joined Oct 2003, 394 posts)
    About Phishing and Pharming, which are also related to social engineering.

    Here are definitions of them in wiki:
    http://en.wikipedia.org/wiki/Phishing
    http://en.wikipedia.org/wiki/Pharming
    // too far away outside of limit

  7. #7
    Junior Member (joined Sep 2005, 16 posts)
    I forgot about this one

    http://www.usps.com/postalinspectors/dvdorder.htm

    Free DVDs on all types of fraud and SE related subjects from the USPS.
