Hey guys, I was wondering about your thoughts on how necessary SE attacks are during a pentest.

Personally, I'd want a pentest done to show me threats/vulnerabilities that I don't know about.  I've read Kevin Mitnick's books and I know darn well SE attacks would work.  I'd rather the pentester give recommendations on how to mitigate it and focus their time on other areas.  What do you think?

...and then you get to hear the whole "well you were doing your test internally, so that means someone would have to come into my building and plug in, pfft, they can't do that" argument..

In my previous job, I worked for a company that provided pen testing, SE, risk assessment, audit, etc. services.  A SE test and an internal pen test were two very different products for us.  There were a couple of customers that felt they would get more out of a combination of the services and had us SE our way into a network connection before we could perform the pen test.  That was a very custom statement of work and I am sure they paid well for it though.

They are usually separated because most places want to either focus on fortifying their network based controls (pen test) or further developing their policies and procedures (SE).  It is very difficult to do both at the same time for a variety of reasons, especially if you don't have a large staff dedicated to information security.

If a TRUE penetration test is conducting, all aspects of security should be considered for scope.  SE should be part of the test regardless since it can be used as viable method into the system regardless if they tester comes through the front door posing as a fire marshal or if they send an email to a user posing as help desk.  SE should be on the table. 

My last job, they ran an internal and external test but they didn't want to use SE because they didn't want to alarm users.  Really???  Don't you want to know if your Security awareness is working??  I just shook my head.  The external network had a very limited attack surface.  Only VPN and a Citrix portal was available.  No OWA or any other web services were allowed in.  Mail was filtering through our spam/av hosts so those ports weren't open directly.  Granted if you compromised those anti-spam hosting provider you might be able to sneak in that way, but it is another hurdle for the attacker.

Needless to say, a well placed phishing email would most likely be the entry way in.  No one will come to the front door.  Even a phone call may work.  Well regardless they CIO thought it was a good idea to outsource everything, including security so not my problem anymore.  :-p 

But yes, SE should be done, if not during the main test, then at least a couple times a year to test your security awareness training. 

Today at BsidesDE we had a great panel discussion on why Info Sec sucks and if it was the fault of the users or us.  We agreed that it was a little of both.  And a point came up about testing the users to know if your message is really getting through.

Sorry for the long post.  been up for 16 hours so... yeah, I need sleep.