I'm no expert, but I think you should start with some SE goals or targets, and list techniques that are used to attack them. Goals and techniques might be:

1. Gain physical access
   tester->guard: "I forgot my card today"
   guard->tester: card

2. Gain credentials remotely
   tester->helpdesk: "This is Joe Blow CEO, I forgot my password"
   helpdesk->tester: new password

3. Gain access to sensitive information such as source code, sales/customer history, pricing structure, salary info.
   tester->engineer: "I'm with the new enterprise QA team and we're doing a source audit"
   engineer->tester: source code
   tester->helpdesk: "I'm salesperson X and I can't get into the contact database"
   helpdesk->tester: contact database access

These might be combined. For example, you may first gain physical access, sit down in a conference room, get DHCP, call helpdesk (check the intranet site for the number, find a likely name off the phone list (also on intranet)), gain credentials, access sales database, select * from *, call engineer, get source copied to intranet share, download, burn CD, deliver to client, have a nice day, etc.

I'm not saying the specific examples I gave will work. I'm saying SE is like any other testing: you need to have testing targets. In the case of SE and other security audits, the testing target is usually the failure of some security control. In the specific case of SE, the target is usually the human side of security controls. Guards shouldn't award cards to strangers who have lost them, or even let them into the building "just for today". Helpdesk should verify identity, perhaps by calling back to a known number. Engineers should not copy "the source for the latest build" anywhere.

One target that interests me (because I know so little about it) is gaining access to the phone system. In particular, you want to at least take over someone's voicemail. Ideally, you can get that conference room phone mapped to a person's phone number, so when you call helpdesk the caller ID says "Joe Blow", and when they call back it's your phone that rings, not Joe's. This can be a huge supporting factor for your S.E. The only way I can think of to do this via SE is to call the phone helpdesk and tell them you've moved cubes, give them the wall jack number, and hope for the best. On the other hand, if you know enough about different phone systems, it seems that you can program many corporate phones if you punch in the right numbers. Anyone have good resources on that topic?

Those people who imply that it is an art form that cannot be taught are partially right - it's hard to write the methodology for "how not to come off sounding like a nervous liar on the phone", at least not without resorting to some level of psychobabble. What we can document is common or typical targets, and common techniques that people with the appropriate skills (real salespeople would probably be great at this) use to attack those targets.

As I said at the beginning, I am not an expert (I've only read about SE), but I do think a methodology can be developed at the testing/target level.

Phil

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Sat Mar 09 2002 - 09:49:59 PST