Social engineering in penetration tests: 6 tips for ethical (and legal) use

Social engineering techniques are often crucial to executing penetration tests. But which methods cross ethical and legal lines?

Social engineering techniques are frequently part of an overall security penetration test, often used as a way to test an organization's so-called "human network."

But in a pen tester's zeal to uncover the vulnerabilities among employees, some may employ strategies that could be considered unethical. And there are some social engineering moves that you simply can't use at all if you want to stay within the lines of the law.

Here are six things to keep in mind to ensure your team is using the most ethical and legal approach to testing human security holes.

Know the local laws

"In many states, one-party consent for recording of audio or video is illegal," said Chris Hadnagy, veteran pen tester, social engineering expert and author of Social Engineering: The Art of Human Hacking. "A pen tester that does this without the proper contract in place can be breaking these laws."


Other things that are against the law but that some pen testers might try: threatening to harm someone; obtaining federal documents, Social Security numbers or other private information from unsuspecting targets; and impersonating law enforcement. Impersonating a person within the organization you are pen testing is legal only with that person's consent, said Ed Skoudis, SANS Instructor and NetWars CyberCity Director.

"We find that it is better to impersonate a fictional employee rather than an actual one, as that lowers the chance of tarnishing someone's reputation," he said.

Laws can vary from state to state and from country to country, so it's crucial to double check your plan against local laws first before proceeding.

"A good friend of mine, who is a social engineering pen tester in the UK, tells me that in the UK you can open a drawer during a pen test but you cannot look through it," noted Hadnagy. "If you see a password sticky note on top in the drawer, you can't use it, not even report on it. Understanding the laws for the area you are in can save you from hurting yourself and the company."

Remember "do no harm"

"Ethical concerns are front and center of both social engineering and physical security testing," said HD Moore, chief research officer with Rapid7, and the founder and chief architect of the company's penetration testing solution, Metasploit. "Playing 'bad guy' can be as difficult for the consultant as it is for the employees of the client."

A certain amount of fudging the truth may be necessary to execute your pen test. But the key thing to remember is "do no harm," said Moore.

"A lie about leaving your keys on your desk may be appropriate, but making up a story about a traumatic accident is likely to cause grief and long-term mistrust when it turns out to be false."


Moore said similar guidelines apply to physical security testing.

"You never want to put your employees, the client, or their security personnel into a situation where they feel like they are in harm's way. It is quite easy for people to overreact. I have heard stories of a client tackling a security tester because they followed someone through a security door."

Emulate "real world" exploits -- not movie scenes

Moore also thinks social engineering tests should reflect real-world attacks against the organization, not over-the-top situations that are unlikely in a day-to-day work environment.

"Sending a suspicious email or making a phone call for a password reset is something that employees should be able to defend against," he said. "By contrast, rappelling through a skylight or bugging someone's office is not a normal risk for most companies, and would cross the line if attempted."

Get sign-off and a clear contract

Each part of your penetration test needs sign-off from management in the organization before you proceed. To protect yourself, you need a clearly defined contract stating what is, and what is not, allowed, said Hadnagy.

"You want to access the dumpsters? Make sure it is in the contract. You want to have the ability to walk out of the building with a computer under arm? Get that in the contract. What if the computer you walk out with contains personal details for all employees or financial data?"

"The social engineering process should work from a plan that has been approved by both the security manager and a representative from the human resources department," adds Moore.

Make sure the appropriate people are aware before you begin

You've got written permission to do what you need to do, but don't just set off on your test without warning the appropriate people first -- or you could find yourself in an awkward situation. In this tale from Moore, jobs were lost because proper notification was not given in advance of the test.

"In a late-night physical penetration test of a bank branch, a consultant triggered the building alarm and was waiting for the police to show up. Fortunately, the cleaning crew arrived in the nick of time and helped disable the alarm and let them into the secured area. The police still showed up and there was an awkward conversation that resulted in the president of the bank being called. The consultant was cleared, but the cleaning crew was fired on the spot by the bank president. By the time the situation was resolved the next morning, the damage had already been done. In this case, the president should have been made aware that a test was taking place that evening."

Separate to avoid outside damage

As Skoudis explains here, a spear-phishing pen test should be separated into two phases to avoid possibly attacking an unintended target outside of the organization:

"The first part is sending the e-mail itself, trying to get a click on a link or the opening of an attachment. We recommend that penetration testers compose their e-mail with links and/or attachments, BUT DO NOT TRY TO EXPLOIT THE TARGET via that e-mail. Instead, the pen tester sets up a web site, so he or she can merely count the number of clicked links or open attachments that he or she gets from the e-mail, as well as the source machine of the clicks.

Then, as a separate phase of the project, the pen tester works with a collaborator on the inside, using a typically configured laptop or desktop computer, to try the exploitation itself, perhaps gaining access and then pivoting through the target infrastructure. So, the tester would agree with an inside collaborator that on a given date and time, the pen tester will provide a series of URLs and/or attachments for the collaborator to explicitly click on and open. There is no trickery involved in this phase. But, we can then infer from what we are able to exploit on that typical client machine the impact we would have likely gotten from any of the clicks in phase one.

You see, we've separated the phishing e-mail (where all that really matters is whether you get a click or not) from the exploitation step. This is a whole lot safer. You see, if you bundle the two together, and exploit a machine that received the e-mail, you may end up attacking someone outside of scope. An email recipient may forward your e-mail to someone inside the company (or even outside the company). If you attack that person, you've exceeded your scope and can get in big trouble. That's why we separate the two aspects."
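The phase-one bookkeeping Skoudis describes, counting clicks per recipient and noting the source machine, is where the scope problem he warns about first becomes visible: a forwarded message produces a click from an address the contract never covered. The following is an added example, not code from the article or from Skoudis, Hadnagy or Moore. It tallies a constructed access log from the tracking site (which only records hits and serves no exploit) and separates out any click that arrives from outside the agreed address ranges. The log format, the per-recipient token scheme and the in-scope network are all assumptions made for this example.

```python
# Added example (not from the article or the quoted speakers): a phase-one
# click tally for the two-phase approach described above. The tracking site
# only records clicks; exploitation happens later, with an inside collaborator.
# The log format and the in-scope network ranges are assumptions.
import ipaddress
from collections import Counter

# Constructed sample of the tracking web server's access log. Each line:
# <UTC timestamp> <client IP> <request path>. The path carries a per-recipient
# token, so a click can be tied back to the message it came from.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z 10.20.4.17 /t/a1f3
2024-03-04T09:12:44Z 10.20.4.17 /t/a1f3
2024-03-04T09:15:09Z 10.20.7.3 /t/b7c2
2024-03-04T09:31:55Z 203.0.113.9 /t/b7c2
2024-03-04T09:40:12Z 10.20.4.99 /favicon.ico
"""

# Address ranges the engagement contract puts in scope (assumed values).
IN_SCOPE = [ipaddress.ip_network("10.20.0.0/16")]


def parse_line(line):
    """Return (timestamp, ip, token) for a tracking hit, or None for other requests."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, path = parts
    if not path.startswith("/t/"):
        return None
    return ts, ipaddress.ip_address(ip), path[len("/t/"):]


def in_scope(ip, ranges=IN_SCOPE):
    """True if the client address falls inside one of the contracted ranges."""
    return any(ip in net for net in ranges)


def tally_clicks(log_text, ranges=IN_SCOPE):
    """Count clicks per recipient token and separate out-of-scope sources.

    A token seen from an address outside the agreed ranges most likely means
    the message was forwarded; those hits are reported for the client, never
    followed up in phase two.
    """
    per_token = Counter()
    out_of_scope = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip, token = hit
        if in_scope(ip, ranges):
            per_token[token] += 1
        else:
            out_of_scope.append((ts, str(ip), token))
    return {
        "clicks_per_token": dict(per_token),
        "recipients_clicked": len(per_token),
        "out_of_scope": out_of_scope,
    }


if __name__ == "__main__":
    result = tally_clicks(SAMPLE_LOG)
    print(f"{result['recipients_clicked']} recipient(s) clicked")
    for token, n in result["clicks_per_token"].items():
        print(f"  token {token}: {n} click(s)")
    for ts, ip, token in result["out_of_scope"]:
        print(f"  OUT OF SCOPE: {ip} at {ts} used token {token}; do not pursue")
```

On the constructed log, two recipients clicked and one of their tokens also shows up from a public address, which is exactly the forwarded-message case: it goes into the report as a scope finding, and nothing is sent to that machine. Keying the tally on a per-recipient token rather than on the source address is what makes the forwarded copy recognisable at all.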

Stories by Joan Goodchild