A lot of penetration testing assignments include the famed Social Engineering test. When reading about it, or watching the social engineering scams on a TV series, it looks very straightforward: you come in all nice and smooth-talking and every door opens for you.
The harsh reality is that a lot of social engineering penetration tests fail, which adds up to increased costs and a failed engagement for the consultant. In the extreme situation, you may spend some hours in the offices of corporate security or even the police until the pen-test authorizations are verified.
Here are the most common ways to fail a Social Engineering Penetration Test:
- Come unprepared - Just walking into a company and asking for confidential documents sounds stupid. But trying to perform a social engineering attack on your first visit is even more stupid. Until you do a proper amount of recon and research, you have no idea what the company relationships are, who is in charge of what, and what exceptions or processes may be used to succeed in a social engineering attack.
- Just Wing It - Wake-up call: you are not Frank Abagnale from "Catch Me if You Can" and you are not Danny Blue from the TV series "Hustle". During a social engineering attack you need to think on your feet, and being creative always counts. But not preparing a background story supported by a nice set of evidence is a great way to fail a social engineering pen-test.
- Be outright aggressive or arrogant - Nobody likes people who are bossy and arrogant. While having an air of authority helps during a social engineering attack, you don't want to start from a position of authority with an aggressive approach. That is the best way to get people to close up in the cocoon of procedures and regulations, or they'll simply call your bluff; either way you fail. Instead, you need to be friendly, courteous and polite. Maintain your air of authority, but never overuse it.
- Choose the wrong person for the job - Social engineering is achieved by appealing to people's urge to help others. But certain profiles of targets tend to be more helpful to different kinds of people. For instance, a target group of young men will be very helpful to a nice-looking woman of their approximate age or just a bit older, to maintain the advantage of implied authority through the age difference. But this same woman is considered a threat by target groups of young women, so for them you need to choose a different attacker. The same principle applies to phone-based social engineering attacks.
- Dress for failure - In social engineering, always remember that clothes make the man. If you perform a social engineering attack on a bank, you don't want to appear in jeans and sneakers. But if you are performing a social engineering attack on a software development company, you may actually miss by a mile by wearing a suit and tie. Go back to point 1 about preparation :)
Have any more ways to fail, or good examples? Share in the comments!