
Thread: Pen Test with SE

  1. #1
    Thorn (Senior Member), Join Date: Jan 2010, Location: The Green Dome, Posts: 1,509

    Pen Test with SE

    Here's an interesting write-up on a pen test that included a physical assessment where social engineering and role playing were a huge part.

    http://www.darkreading.com/blog/arch...05/post_1.html
    Thorn
    Stop the TSA now! Boycott the airlines.

  2. #2
    Archangel-Amael (Super Moderator), Join Date: Jan 2010, Location: Somewhere, Posts: 8,012

    WOW !!
    Not sure if that is completely true or not, but I do remember that episode. Actually, I was laughing the entire time I read it, thinking this is some sort of joke.

    Within this short period of time, he was participating in birthday parties, pot luck lunches, and numerous other social events. Additionally, Bob was frequently seen rummaging through filing cabinets
    I always wondered if someone (well, if I) could get away with something like that. It once again proves that the human element is the weakest.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    streaker69 (Senior Member), Join Date: Jan 2010, Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts: 3,535

    Quote Originally Posted by archangel.amael View Post
    WOW !!
    Not sure if that is completely true or not, but I do remember that episode. Actually, I was laughing the entire time I read it, thinking this is some sort of joke.
    I always wondered if someone (well, if I) could get away with something like that. It once again proves that the human element is the weakest.
    I see this as another problem, which would be the breakdown of communication between departments, or just lack of caring to communicate from certain departments, a problem I deal with here all the time. HR hires a person and doesn't notify IT of the new hire until the person is on the property.

    In this particular case, the person wasn't hired, but was still present. So that tells me it's quite common for new people to just appear out of the blue and the rank and file employees don't seem to think it's odd. Which tells me HR isn't doing their job of letting anyone know when new employees start.

    This also shows a big problem with their IT structure. He should have never been able to plug in at an empty cubicle and get connected. Unused ports should be disabled at the switch, and if that cannot be done, disconnected at the patch panel.

    Overall the main failing in this is the complacency of the average employees in the trust of the guards at the front door. Their assumption is that if someone is there in a cubicle, they must be ok because the guard let them through. No one seemed to question his attire or the fact that he wasn't formally introduced to the staff by HR or the hiring manager.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
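As an added example that is not from the thread or the linked article, this is what "disabled at the switch" looks like on a Cisco IOS access switch. The interface ranges, the VLAN number 999, the description text and the syslog address are assumed values chosen for illustration, not anything from the post.

```cisco
! Added example (not from the thread or the linked article): Cisco IOS-style
! hardening of the empty-cubicle ports described above. Interface ranges,
! VLAN 999, descriptions and the syslog host are assumed values.

! 1. Find ports that are patched but have nothing plugged in:
!    show interfaces status | include notconnect

! 2. Park every unused port: administratively down, access mode only,
!    in a dead-end VLAN that has no SVI, with trunk negotiation off.
vlan 999
 name UNUSED-BLACKHOLE
!
interface range GigabitEthernet1/0/10 - 24
 description UNUSED - disabled, re-enable only via help desk ticket
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
! 3. Ports that must stay live (occupied desks) get port security, so an
!    unknown device on a known jack is dropped and counted rather than
!    silently getting a link.
interface range GigabitEthernet1/0/1 - 9
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! 4. Send the violations somewhere IT actually looks.
logging host 192.0.2.10
```

Disconnecting at the patch panel stays the fallback for switches nobody manages. Port security only pins a jack to the first MAC address it learns, which is a weak identity check; where the endpoints support it, 802.1X authentication on the access ports is the stronger control, and either way the re-enable step should go through the same help desk ticket that a new hire's account request does, so a live port always has a paper trail.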

  4. #4
    Archangel-Amael (Super Moderator), Join Date: Jan 2010, Location: Somewhere, Posts: 8,012

    Quote Originally Posted by streaker69 View Post
    I see this as another problem, which would be the breakdown of communication between departments, or just lack of caring to communicate from certain departments, a problem I deal with here all the time. HR hires a person and doesn't notify IT of the new hire until the person is on the property. In this particular case, the person wasn't hired, but was still present. So that tells me it's quite common for new people to just appear out of the blue and the rank and file employees don't seem to think it's odd. Which tells me HR isn't doing their job of letting anyone know when new employees start.
    I find it simply amazing that such things can happen. I guess it comes from the fact that the only job I have had where someone wasn't wanting to see an I.D. card was when I spent a few months working at McD's. It's kind of hard, especially post 9/11, to get onto a military base without the proper identification.
    Actually it is a Pain in the &$$.

  5. #5
    streaker69 (Senior Member), Join Date: Jan 2010, Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts: 3,535

    Quote Originally Posted by archangel.amael View Post
    I find it simply amazing that such things can happen. I guess it comes from the fact that the only job I have had where someone wasn't wanting to see an I.D. card was when I spent a few months working at McD's. It's kind of hard, especially post 9/11, to get onto a military base without the proper identification.
    It has happened to me 4 times in the past 6 months. It's really frustrating when you see someone that you don't know sitting down at a machine. I've kvetched about it every single time it's happened, and the HR tick still gets away with it.

  6. #6
    KMDave (Moderator), Join Date: Jan 2010, Posts: 2,281

    Has been a nice read, thanks for sharing it with us.
    Tiocfaidh ár lá

  7. #7
    Archangel-Amael (Super Moderator), Join Date: Jan 2010, Location: Somewhere, Posts: 8,012

    Quote Originally Posted by streaker69 View Post
    It has happened to me 4 times in the past 6 months. It's really frustrating when you see someone that you don't know sitting down at a machine. I've kvetched about it every single time it's happened, and the HR tick still gets away with it.
    Sounds like someone in HR needs to be reprimanded!
    Well actually all HR people need to be fired!
    There has to be a way to automate that job field.
    We can make robots that build widgets and put good people out of work, but not one to get rid of those scum suckers.
    /end anti-HR rant.

  8. #8
    Good friend of the forums, Join Date: Feb 2009, Posts: 356

    I don't agree with the "HR need to be fired" thingy. The problem is that they never cared about security before, and will probably start now, but heck, where are they going to hire an ITSEC professional? You guessed it, they will post a job offer, with the requirement of a university degree and CEH & CISSP certs. The idiot they hire will do the same job as if he is not there, and the next pentest will show the same thing. Which is a good thing for us pentesters, ain't it?

  9. #9
    streaker69 (Senior Member), Join Date: Jan 2010, Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts: 3,535

    Quote Originally Posted by xorred View Post
    I don't agree with the "HR need to be fired" thingy. The problem is that they never cared about security before, and will probably start now, but heck, where are they going to hire an ITSEC professional? You guessed it, they will post a job offer, with the requirement of a university degree and CEH & CISSP certs. The idiot they hire will do the same job as if he is not there, and the next pentest will show the same thing. Which is a good thing for us pentesters, ain't it?
    It isn't a matter of security, although that's a big part of it. It's a matter of common courtesy. If a new employee is going to be working, they should be introduced at a minimum to their team and at most to other employees, depending upon the size of the company, of course. It's also courtesy to let IT know that someone new is starting so that they can prepare for their arrival and not have to drop everything they're doing to set up user accounts and such when they suddenly see someone new at a desk.

    If the employees in the article were used to getting introduced to new employees when they started, then they would have thought it strange that they weren't introduced. Whispers would have started going around and eventually management would have realized there was something wrong. The lack of common courtesy in this case led to a big security breach.

  10. #10
    Thorn (Senior Member), Join Date: Jan 2010, Location: The Green Dome, Posts: 1,509

    Quote Originally Posted by streaker69 View Post
    It's also courtesy to let IT know that someone new is starting so that they can prepare for their arrival and not have to drop everything they're doing to set up user accounts and such when they suddenly see someone new at a desk.
    This is a common problem, and it has a simple solution. "The setup of network and email accounts is a time consuming procedure. Due to the time demands on the IT staff, any requests for new accounts MUST be scheduled a minimum of two business days in advance to allow us to fit it into the IT schedule. Thank you."

    That gets sent to the offending HR drone, the head HR drone, and all the bosses up the chain of command as is required. If you do that several times, the HR drones will get the idea, especially if you refuse to drop everything to get the new accounts online, and schedule it one or two days later.

    Some things that also help with this:
    • A "help desk" database that is capable of receiving email. (I like Spiceworks for SMBs.) A help desk gives HR (and others) a place to formally request actions be taken.
    • A written policy that states the two business day requirement.
    • Tracking the number of times that HR pulls this kind of crap and reviewing it quarterly with your boss.

    If that doesn't work, be a BOFH and set up a filter on the email server to forward all pr0n and viagra ads to the HR drone's boss, and then tell him, "Fix it? Sorry, no can do. No time. Too busy doing unscheduled new user accounts."