Two methodologies for physical penetration testing using social engineering

Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and if not done properly can upset the employees, violate their privacy or damage their trust toward the organization and might lead to law suits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years.

[1]  Christopher Soghoian Legal risks for phishing researchers , 2008, 2008 eCrime Researchers Summit.

[2]  Mikko T. Siponen,et al.  Overcoming the insider: reducing employee computer crime through Situational Crime Prevention , 2009, CACM.

[3]  D. Cornish THE PROCEDURAL ANALYSIS OF OFFENDING AND ITS RELEVANCE FOR SITUATIONAL PREVENTION , 1994 .

[4]  D. A. Elliott Opportunities , 2020, Journal of the American Institute of Electrical Engineers.

[5]  S. Berg Snowball Sampling—I , 2006 .

[6]  V. Weil,et al.  Research Ethics: Cases and Materials , 1995 .

[7]  Matt Bishop,et al.  About Penetration Testing , 2007, IEEE Security & Privacy.

[8]  Neil Barrett,et al.  Penetration testing and social engineering: Hacking the weakest link , 2003, Inf. Secur. Tech. Rep..

[9]  D. Baumrind,et al.  Research using intentional deception. Ethical issues revisited. , 1985, The American psychologist.

[10]  Colin Greenlees An intruder's tale - [it security] , 2009 .

[11]  Sec.,et al.  PART 50—PROTECTION OF HUMAN SUBJECTS , 2000 .

[12]  Thomas Peltier,et al.  Information Technology: Code of Practice for Information Security Management , 2001 .

[13]  Wil Allsopp Unauthorised Access: Physical Penetration Testing For IT Security Teams , 2009 .

[14]  Sven Türpe,et al.  Testing Production Systems Safely: Common Precautions in Penetration Testing , 2009, 2009 Testing: Academic and Industrial Conference - Practice and Research Techniques.

[15]  Daniel Geer,et al.  Penetration testing: a duet , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[16]  Markus Jakobsson,et al.  Designing ethical phishing experiments , 2007, IEEE Technology and Society Magazine.

[17]  D. Cornish OPPORTUNITIES, PRECIPITATORS AND CRIMINAL DECISIONS: A REPLY TO WORTLEY'S CRITIQUE OF SITUATIONAL CRIME PREVENTION , 2003 .