Social Engineering For Penetration Testers presented at BruCON 2009

by Sharon Conheady (First Defence Information Security),

Tags: Social Engineering


Summary : In recent years, people have become more familiar with the term "social engineering", the use of deception or impersonation to gain unauthorised access to sensitive information or facilities.

Does this mean that there are fewer successful social engineering attacks?Unfortunately not.

In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible) more people are resorting to social engineering techniques as a means of gaining access to an organisation's resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organisation gives a good indication of the effectiveness of current physical security controls and the staff's level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

During my talk, I will discuss the practical aspects of a social engineering attack, providing plenty of war stories from my career as a social engineer. The key to preventing social engineering attacks from being successful lies in education and awareness. This talk will give the audience an insight into the techniques used by social engineers, whether as part of an ethical social engineering test or as a malicious social engineering attack.

Sharon Conheady: Sharon Conheady is a social engineer/penetration tester at First Defence Information Security in the UK. She has social engineered her way into dozens of organisations across the UK and abroad, including company offices, sports stadiums, government facilities and more. She has presented on social engineering at security conferences including Deepsec, Recon, CONFidence, ISSE, ISF, SANS Secure Europe and more. After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel. If you see Sharon around your office, she kindly requests that you open the door to let her in.