Information about a company, such as lists of personnel, their job titles and their email addresses, can usually be found on the company's website or in discarded paperwork that hasn't been shredded. All of it adds up to an advantage for the bad guy: names and titles make a pretext convincing, and a handful of email addresses gives away the address format for everyone else in the organisation.
Kiwis love using EFTPOS, and who carries cash these days? Yet the majority of people don't cover or otherwise hide their PIN entry. Yes, EFTPOS uses two-factor authentication (the card plus the PIN), which makes it tougher to crack, but not impossible: once the PIN has been observed, all that stands between the attacker and the account is the card itself. Why provide the temptation? Authentication technologies fall into three categories: something you know (e.g. a PIN or password), something you have (e.g. a bank card or token) and something you are (e.g. a fingerprint or retina scan). Multi-factor authentication requires factors from more than one of these categories; two passwords are still only one factor.
In addition, it's surprisingly easy to gain access to a building by tailgating someone who has legitimate access. People tend to hold the door open, especially if you look innocent and trustworthy or have your hands full. Someone who looks as if they belong is rarely challenged or asked for proof of identity. Lunchtime can be particularly lucrative, when many employees are out and have left their workstations unlocked. It's manna from heaven for someone looking to make trouble and gain access to confidential information and/or secure systems.
I think security testing should not only focus on overflowing buffers, SQL injection, cracking passwords and testing how securely they are stored (hashed), denial of service, or hacking into the system under test, but should also consider how the system can be compromised using information gained through social engineering. Don't you agree? In my mind, it's equally important to investigate what damage could be caused and then what measures can be taken to minimise the impact.