---

This is EH-Net's first of hopefully many more webcasts. How many more we do depends greatly on the size of the audience we reach. So now is the time for you to help the entire EH-Net Comunity by spreading the word and getting as many as you can to attend. Many thanks in advance.


Two additional announcements:

- After the live event, come right back to this thread to talk to Chris and Mike.
- A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don't miss it!!


This one is sponsored by Core Security Technologies.

Permanent link: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Let us know what topics you'd like for us to cover in the future,
Don

Cool, looking forward to it.

Just registered!  Met Chris a couple years back.  Very interesting person.

No sir. It's free... just like everything else on EH-Net. 

Welcome to the community,
Don

Thanks everyone for the compliments on and offline. There were many questions we just couldn't get to, even though we allowed about another 10 - 15 minutes of Q&A. Then again, that's why we have this thread. 

Here are a few more questions for the guys:

1. What are some ways that I can convince my boss that we should add SE into our normal pen tests both internally and externally?

2. How can I measure ROI for the SE portion of pen testing?

3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?

Don

DAMNIT.. I wrote a resp for about 20 min.. and the site timed me out F%$#^%#


ok..  Ill go backwards.

3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?

Its hard to show you everyhting without going over the whole class, but I can tell you some things. The outline is about 10 pages of bullets. Each section from intel collection to - gigging for information comes with training, examples, tools, practical exercise, and scnarios to make you put it all into play.

And what the hell..  don knows I am a liability... so heres a lil 0day.

(part of outline)


Determining Tests
•         Types of testing
o   Direction of attacks
o   External
  Electronic
•         Phishing
•         Client-side / browser side exploitation
•   Metasploit
•   Core
•   By hand

•         Malicious attachments
  Person to Person
•         Phone
•         Written
•         Social Networks/IM
•         Public Manipulation
o   Internal
  Person to Person
•         Gaining access to physical credentials
•         Solicitation
•         Direct interaction
•         Creating spies / information leak sources
o   Methods (al mamalik,qulaam, kgb,cia,others)
o   Trading information
•         Becoming an employee
  Electronic
•         CD/Key drops
•         Authentication bypass
•         Key /perimeter bypass
•         Falsification of credentials
•         RFID/ HID copying


 if u need more info... pm me..  =o)


Don
[/quote]

Question #1 is what I was wonder. A corollary to that is, how do I get him to pay for my training?

It is if you believe it to be. 

Here are some more questions for Chris & Mike that didn't get answered during the live event:

Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.

Q: It seems to me that there is not an orgnaization out there that would not fall for a client side attack.  There is always at least one person that will click on a malicious link.  Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?

To combine a bunch of questions... how does someone get into pen testing? What are your general thoughts on certs like CISSP? What foundational training would you recommend as a starting point?

Don