We propose two methodologies for conducting a penetration test using social engineering. In both methodologies the goal of the test is to gain possession of a target asset. In the first methodology, the owner of the asset is aware that the test takes place. This makes the methodology suitable for tests where the owner is out of scope of the test, such as in tests assessing the security of the laptop belonging to the CEO or the security of equipment in storage areas. In the following sections, first we define the actors in the first methodology. Then, we introduce all events that take place during the setup, execution and after the penetration test. Finally, we validate the methodology by conducting three penetration tests and present some insights from the experience.
Actors in the first methodology
A. Actors
The penetration test involves four different actors.
Security officer - an employee responsible for the security of the organization. The security officer orchestrates the penetration test.
Custodian - an employee who owns the assets and sets up and monitors the penetration test.
Penetration tester - an employee or a contractor who tries to gain possession of the asset without being caught.
Employee - a person in the organization who has none of the roles above.
Most actors treat each other with respect. The absence of a respect relation between two actors means either that the actors do not interact during the penetration test (for example, the tester and the custodian) or that they have no working relationship (the penetration tester and the employee). In this methodology, the tester deceives the employee during the penetration test; this is shown in the figure with a red dashed line.
The sequence of events that take place during the setup, execution and closure of the penetration test is described below. During all three stages of the penetration test, employees should behave normally. As in other penetration testing methodologies, before the start of the test the security officer sets the scope, the rules of engagement and the goal. The goal is to gain physical possession of a marked asset. The scope of the test gives the penetration tester a set of locations she is allowed to enter, as well as the business processes in the organization she may abuse, such as the process for issuing a new password or the process for adding or removing an employee. The rules of engagement restrict the penetration tester to the tools and means she is allowed to use to reach the target. These rules define, for example, whether the tester is allowed to force doors, break windows or use social engineering.
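Because the scope and the rules of engagement are the only things that separate an authorized test from an unauthorized one, it helps the security officer and the custodian to record them in a form that a planned (or logged) sequence of tester actions can be checked against mechanically, both before the test and when reviewing the tester's report afterwards. The following is an added illustration, not code from the paper; the data structures, the three technique names and the sample plan are assumptions chosen to match the text above.

```python
"""Machine-checkable scope and rules of engagement for a social-engineering
penetration test (added example; structures and sample values are constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List


class Technique(Enum):
    """Means the rules of engagement may permit (names are assumed)."""
    SOCIAL_ENGINEERING = "social_engineering"
    FORCE_DOOR = "force_door"
    BREAK_WINDOW = "break_window"


@dataclass(frozen=True)
class Scope:
    """Locations the tester may enter and business processes she may abuse."""
    allowed_locations: FrozenSet[str]
    abusable_processes: FrozenSet[str]


@dataclass(frozen=True)
class RulesOfEngagement:
    """Tools and means the tester is allowed to use."""
    allowed_techniques: FrozenSet[Technique]


@dataclass(frozen=True)
class Action:
    """One step of a test plan or of the tester's post-test log."""
    step: int
    kind: str    # "enter" | "abuse_process" | "technique"
    target: str  # location name, process name, or Technique value


def check_plan(scope: Scope, roe: RulesOfEngagement, actions: List[Action]) -> List[str]:
    """Return a human-readable violation for every action outside the scope or RoE.

    An empty list means every step is authorized. Unknown action kinds and
    unknown technique names are reported rather than silently accepted, so a
    typo in a plan can never widen what the tester is permitted to do.
    """
    violations: List[str] = []
    for a in actions:
        if a.kind == "enter":
            if a.target not in scope.allowed_locations:
                violations.append(f"step {a.step}: location '{a.target}' is not in scope")
        elif a.kind == "abuse_process":
            if a.target not in scope.abusable_processes:
                violations.append(f"step {a.step}: process '{a.target}' is not in scope")
        elif a.kind == "technique":
            try:
                technique = Technique(a.target)
            except ValueError:
                violations.append(f"step {a.step}: unknown technique '{a.target}'")
                continue
            if technique not in roe.allowed_techniques:
                violations.append(f"step {a.step}: technique '{a.target}' is not allowed by the rules of engagement")
        else:
            violations.append(f"step {a.step}: unknown action kind '{a.kind}'")
    return violations


# Constructed sample agreement between security officer and custodian.
SAMPLE_SCOPE = Scope(
    allowed_locations=frozenset({"lobby", "storage area"}),
    abusable_processes=frozenset({"password reset"}),
)
SAMPLE_ROE = RulesOfEngagement(allowed_techniques=frozenset({Technique.SOCIAL_ENGINEERING}))

# Constructed test plan: three permitted steps and two that exceed the agreement.
SAMPLE_PLAN = [
    Action(1, "enter", "lobby"),
    Action(2, "technique", "social_engineering"),
    Action(3, "abuse_process", "password reset"),
    Action(4, "enter", "server room"),
    Action(5, "technique", "force_door"),
]


def review_sample_plan() -> List[str]:
    """Check the constructed plan against the constructed scope and RoE."""
    return check_plan(SAMPLE_SCOPE, SAMPLE_ROE, SAMPLE_PLAN)


if __name__ == "__main__":
    for line in review_sample_plan():
        print(line)
```

Running the module lists steps 4 and 5 as violations; steps 1 to 3 pass. The same `check_plan` call can be run over the tester's post-test log of what she actually did, which gives the custodian a concrete artifact for closing the test rather than relying on recollection.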