Page 1236 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
attackers use these tools.
Social-engineering techniques are often used during penetration tests. Depending on the goal of the test, the testers may use techniques to breach the physical perimeter of an organization or to get users to reveal information. These tests help determine how vulnerable employees are to skilled social engineers, and how familiar they are with security policies designed to thwart these types of attacks.
Social Engineering in Pentests
The following example is from a penetration test conducted at a bank, but the same results are often repeated at many different organizations. The testers were specifically asked if they could get access to employee user accounts or employee user systems.
Penetration testers crafted a forged email that looked like it was coming from an executive within the bank. It indicated a problem with the network and said that all employees needed to respond with their username and password as soon as possible to ensure they didn’t lose their access. Over 40 percent of the employees responded with their credentials.
Additionally, the testers installed malware on several USB drives and “dropped” them at different locations in the parking lot and within the bank. A well-meaning employee saw one, picked it up, and inserted it into a computer with the intent of identifying the owner. Instead, the USB drive infected the user’s system, granting the testers remote access.
Both testers and attackers often use similar methods successfully. Education is the most effective method of mitigating these types of attacks, and the pentest often reinforces the need for education.
Protect Reports
Penetration testers will provide a report documenting their results,