
CS Penetration Testing & Social Engineering

Penetration Testing & Social Engineering

As a preventative approach, penetration testing aims to find weaknesses in organizations and services before real attackers do.

Penetration testing is available in a variety of contexts, including:

  • Web applications. New web applications are continually developed and released, and each one is a potential target.
  • Network and Infrastructure. Many applications are not web applications but instead use other protocols. These applications can reside both externally and internally.
  • Inside testing / Infected computer simulation. What if a user's system is infected with malware? This is nearly equivalent to an attacker having hands-on-keyboard access to that system, posing a serious risk to any organization.
  • External Organizational Testing. A test in which the entire organization is in scope for the penetration testers. This is ideal, but it usually requires either an internal penetration testing team that can focus on this long-term, or the high cost of hiring an external team to perform the test.
  • Stolen Laptop Scenario. Further described in our scenarios below.
  • Client Side Applications. Many applications in an enterprise are written in languages such as C, C++, Java, Flash, Silverlight or other compiled software. A penetration test could focus on these assets too.
  • Wireless networks. A test that determines whether the WiFi can be broken into, whether devices have outdated and vulnerable software, and whether proper segmentation exists between the wireless network and other networks.
  • Mobile applications (Android, Windows Phone, iOS). Mobile applications can contain vulnerabilities, and they also include connections and references to systems hosted inside the enterprise. Mobile applications can also hold secrets such as API keys, which attackers can easily take advantage of.
  • Social Engineering. Further described in our scenarios below.
  • Phishing and Vishing. Further described in our scenarios below.
  • Physical. A penetration testing team could test what happens if they show up at a location with a laptop and plug into a network connection. Physical attacks can also include other kinds of covert attacks against locations.
  • ICS (“Industrial Control Systems”) / SCADA (“Supervisory Control And Data Acquisition”). These systems typically control some of the most vulnerable and critical assets in organizations, and as such they should receive scrutiny.

No-knowledge, Partial-knowledge and Full-Knowledge Penetration testing

The organization may choose to provide information to the penetration testing team based on the terms of the agreement. A no-knowledge penetration test, also known as a black-box test, means the attackers are not provided with any prior knowledge. In a full-knowledge penetration test, also known as a white-box test, the penetration testers have access to all the necessary information, including source code, network diagrams, logs, and more. Partial-knowledge penetration tests, also known as grey-box tests, provide the attackers with some knowledge.

The penetration testing team can offer greater value the more information an organization can share.

Stolen Laptop Scenario

Demonstrating the ramifications of a lost or stolen laptop makes for an excellent penetration test scenario. Attackers may be able to access the target organization using the privileges and credentials present on the system.

Even though the system is password-protected, attackers have a number of ways to get around its security. For example:

  • The system's hard drive might not be fully encrypted, allowing an attacker to mount the drive on their own system to extract data and credentials. These credentials could in turn be cracked and reused across many of the organization's login pages.
  • The user might have locked the system while still being logged in. That user has applications and processes running in the background even while the screen is locked. The attackers could add a malicious network adapter to the system, for example via USB, which tries to become the system's preferred route to the internet. If the system starts using this adapter, the attackers can observe the network traffic, look for sensitive data, and even modify it.

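The rogue network adapter scenario above depends on the new adapter winning the default route. The following is an added example written for this page (it is not code from the original text or from any tool it mentions) showing how a defender could detect that condition from a routing table snapshot: it parses lines in the format that `ip route show` prints on Linux, picks the default route the kernel will prefer (lowest metric), and raises an alert when that route leaves via an interface that is not in the laptop's expected inventory. The route lines and the baseline interface list are constructed sample data.

```python
"""Detect a preferred default route that leaves via an unexpected interface.

Added illustrative example for this page; the route snapshot and the
baseline interface inventory below are constructed sample data.
"""
import re

# Constructed baseline: the interfaces an administrator expects on this laptop.
KNOWN_INTERFACES = {"lo", "wlan0", "eth0"}

# Constructed snapshot of `ip route show`, taken while the screen is locked.
# The enx... interface is a newly attached USB adapter advertising a lower metric.
SAMPLE_ROUTES = """\
default via 10.99.0.1 dev enx00e04c68a1b2 proto dhcp metric 100
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.99.0.0/24 dev enx00e04c68a1b2 proto kernel scope link src 10.99.0.23 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
"""

ROUTE_RE = re.compile(
    r"^default via (?P<gw>\S+) dev (?P<dev>\S+)(?:.*?\bmetric (?P<metric>\d+))?"
)


def parse_default_routes(text):
    """Return a list of (metric, gateway, device) tuples, one per default route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # not a default route; ignore link-local and subnet routes
        metric = int(m.group("metric")) if m.group("metric") else 0
        routes.append((metric, m.group("gw"), m.group("dev")))
    return routes


def preferred_default_route(text):
    """The kernel prefers the default route with the lowest metric."""
    routes = parse_default_routes(text)
    if not routes:
        return None
    return min(routes)  # tuple ordering compares the metric first


def rogue_interface_alerts(text, known=KNOWN_INTERFACES):
    """Return alert strings when default routes use interfaces outside the baseline.

    The preferred route is reported first; any other default route on an unknown
    interface is reported too, because it may take over once its metric changes.
    """
    alerts = []
    pref = preferred_default_route(text)
    if pref is None:
        return alerts
    metric, gw, dev = pref
    if dev not in known:
        alerts.append(
            f"preferred default route via {gw} uses unknown interface {dev} "
            f"(metric {metric}); known interfaces: {sorted(known)}"
        )
    for m, g, d in parse_default_routes(text):
        if d not in known and d != dev:
            alerts.append(
                f"additional default route via {g} on unknown interface {d} (metric {m})"
            )
    return alerts


if __name__ == "__main__":
    for alert in rogue_interface_alerts(SAMPLE_ROUTES):
        print("ALERT:", alert)
```

In practice the baseline would come from an endpoint inventory rather than a hard-coded set, and the check would run on a schedule or on a hotplug event; the point is that a new default route on an interface nobody provisioned is a strong signal, whether the machine is on a desk or in a thief's hands.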
Once the attackers get access to the system, they can begin searching it for information that will help them achieve their goals.

Social Engineering

A system can only be as strong as its weakest component, which is frequently a person. Targeting users with attacks in an attempt to trick them into doing something they did not mean to do is known as social engineering. Social engineering tactics are highly popular, and they have been used in many of the world’s largest hacks.

In order to coerce victims into acting, social engineering frequently seeks to take advantage of specific characteristics, such as:

  • Most people have the desire to be polite, especially to strangers
  • Professionals want to appear well-informed and intelligent
  • If you are praised, you will often talk more and divulge more
  • Most people would not lie for the sake of lying
  • Most people respond kindly to people who appear concerned about them

When someone is the victim of a successful social engineering attack, they frequently are completely unaware that they have been attacked.

Social Engineering Scenario: Being Helpful

Most people desire to be helpful to one another. We enjoy acting kindly!

Imagine that Eve arrives at a large corporate office's reception area with her papers drenched in coffee. The receptionist notices that Eve is obviously upset and asks what is going on. Eve explains that she urgently needs to print her paperwork for a job interview that starts in five minutes.

Eve has already prepared a malicious USB drive containing documents designed to compromise any machine it is inserted into. She smiles as she asks the receptionist to print the documents for her and hands over the malicious USB drive. This may be all the work attackers need to compromise one system on the internal network and pivot from it to many others.

Social Engineering Scenario: Using fear

Fear of failing, or of not following instructions, is common. Attackers frequently use fear to pressure victims into complying with their demands. For instance, they could pose as the company's director and request information. The attack might have been timed because a social media post revealed that the director is on vacation.

Since the director is on vacation, it is harder to confirm the facts, and the victim most likely does not want to confront the director.

Social Engineering Scenario: Playing on Reciprocation

Reciprocation is doing something in return, like a response to someone showing you kindness.

Consider someone holding the front door of your office building open for you. Because of this, you are likely to want to hold the next door open for that person in return. That door might be behind access control, requiring employees to present their badges, but to return the kindness the door is held open anyway. This is called tailgating.

Social Engineering Scenario: Exploiting Curiosity

People are naturally curious. If you discovered a USB stick on the ground outside the office building, how would you respond? Would you connect it? What if it contained a document named “Salary Information – Current Updates”?

An attacker could place numerous infected USB sticks in the areas where employees spend time, hoping that someone plugs one in.

Documents may simply deceive users into taking actions that compromise them, or they may contain malicious macros or exploits.

Phishing

Phishing is a tactic that is typically carried out via email. Employees may be tricked or coerced into disclosing important information, including login credentials, or they may be induced to install malicious software that grants attackers access to the system.


Penetration testers may attempt to exploit phishing, a popular method used by attackers to gain access. The human element in cyber security should never be undervalued. Phishing will always be a viable method for attackers to access systems as long as people are involved.

Rather than using phishing merely to demonstrate that people make mistakes, try to demonstrate the effects of those mistakes. Phishing tests can also be used to gauge user awareness and the effectiveness of anti-spam filters.

A campaign may consist of several phishing rounds rather than a single one. A series of rounds can be used to gauge the organization's general awareness and to remind users that it is not only attackers who try to deceive them, but also their own security staff.
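A multi-round campaign only pays off if its results are measured consistently. As an added example written for this page (not code from the original text), the block below summarises a constructed campaign log per round: how many mails the spam filter stopped (anti-spam effectiveness), how many recipients clicked or submitted credentials (impact), how many reported the mail (awareness), whether the report rate improved between the first and last round, and which users fell for more than one round and are candidates for targeted training. The event records and the outcome names are assumptions made for the example.

```python
"""Summarise a multi-round phishing awareness campaign.

Added illustrative example for this page; the campaign records and the
outcome vocabulary are constructed sample data.
"""
from collections import defaultdict

# Constructed campaign log: one record per user per round recording the
# furthest stage reached. "blocked" means the mail never reached the inbox.
SAMPLE_EVENTS = [
    # (round, user, outcome)
    (1, "alice", "reported"),
    (1, "bob", "clicked"),
    (1, "carol", "submitted"),
    (1, "dave", "blocked"),
    (1, "erin", "ignored"),
    (2, "alice", "reported"),
    (2, "bob", "reported"),
    (2, "carol", "clicked"),
    (2, "dave", "ignored"),
    (2, "erin", "ignored"),
]

# Outcomes that count as "fell for it": following the link or entering credentials.
COMPROMISE_OUTCOMES = {"clicked", "submitted"}


def _rate(count, total):
    """Rate rounded to two decimals; zero when nothing was delivered."""
    return round(count / total, 2) if total else 0.0


def summarise_rounds(events):
    """Per-round metrics. Rates are computed over mails that reached an inbox,
    so the filter's performance does not hide or inflate user behaviour."""
    by_round = defaultdict(list)
    for rnd, _user, outcome in events:
        by_round[rnd].append(outcome)

    summary = {}
    for rnd, outcomes in sorted(by_round.items()):
        sent = len(outcomes)
        blocked = outcomes.count("blocked")
        delivered = sent - blocked
        compromised = sum(1 for o in outcomes if o in COMPROMISE_OUTCOMES)
        summary[rnd] = {
            "sent": sent,
            "blocked": blocked,
            "delivered": delivered,
            "click_rate": _rate(compromised, delivered),
            "submit_rate": _rate(outcomes.count("submitted"), delivered),
            "report_rate": _rate(outcomes.count("reported"), delivered),
        }
    return summary


def awareness_trend(summary):
    """Change in report rate from the first to the last round (positive = better)."""
    rounds = sorted(summary)
    if len(rounds) < 2:
        return 0.0
    first, last = summary[rounds[0]], summary[rounds[-1]]
    return round(last["report_rate"] - first["report_rate"], 2)


def repeat_clickers(events):
    """Users who clicked or submitted in more than one round."""
    counts = defaultdict(int)
    for _rnd, user, outcome in events:
        if outcome in COMPROMISE_OUTCOMES:
            counts[user] += 1
    return sorted(user for user, n in counts.items() if n > 1)


if __name__ == "__main__":
    for rnd, metrics in summarise_rounds(SAMPLE_EVENTS).items():
        print(f"round {rnd}: {metrics}")
    print("report-rate trend:", awareness_trend(summarise_rounds(SAMPLE_EVENTS)))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Reporting the report rate alongside the click rate matters: a round where nobody clicks but nobody reports either tells the security team little, whereas a rising report rate shows that users are starting to act on their suspicion, which is the outcome the campaign is meant to produce.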

Vishing

Vishing is the practice of using phone calls to coerce employees into doing tasks for the attackers. An employee may be deceived into performing harmful actions if they believe they are on the phone with a familiar person, ideally (from the attacker's point of view) someone in a position of authority.


An example of Eve calling Alice:

Eve: Hello, this is Miss Eve calling. I was told to call you personally by the CEO Margarethe; she said you would be able to help.
Alice: Ok... What can I do for you?
Eve: Margarethe is travelling right now, but urgently requests her password to be reset so we can get on with a business meeting happening the moment she lands.
Eve: We urgently request for her email password to be reset so she can deliver the meeting.
Eve: Can you proceed to reset her password to Margareth123?
Alice: I am not sure...
Eve: Please, Margarethe asked for you personally to comply with this request. It must be done now, I don't want to think of the consequences if not...
Alice: Ok. Password is reset.

Vishing may also attempt to coerce victims into disclosing private information. An attacker might, for example, request a copy of a spreadsheet or another private document.
