Why we need a tighter framework for social engineering penetration testing

Wendy Nather, research director of the enterprise security practice at 451 Research, has described the "chemistry of data", where seemingly inert elements, such as out-of-date email addresses, status updates on social media and old membership lists, can be combined with other information to create an explosive mix that has the potential to blow the doors off your security strategy.

The old saying 'loose lips sink ships' still holds true. Employees who are sociable, altruistic and great team players are ideal targets for social engineers. Their natural inclination to help people makes them more likely to offer up seemingly innocuous information. However, high-profile attacks on Microsoft X-Box, RSA and CloudFlare demonstrate how criminals piece these snippets together to perpetrate more serious social engineering attacks.

The typical security response is to undertake a penetration test to see which employees are susceptible to social engineering and then to provide training designed to help employees to spot an attack and arm them with the skills to respond appropriately. However, in our experience, too many social engineering assessments consist of little more than pen testers' attempts to 'blag' their way past the reception holding a coffee cup, or wearing a high-visibility vest. This means that training will only help employees to detect the most well-worn social engineering techniques.

Though effective in certain cases, we cannot base an entire social engineering assessment on these techniques. There has to be more detail to the framework that addresses social engineering risks that a particular organisation is likely to face.

The two most critical components of a social engineering assessment are:

• Threat Modelling:

It is vital that the social engineering penetration tester engages with the client, prior to the assessment, to identify what the 'actual' risks to the business are. In too many cases the client will request that the tester gains access to the server room as the primary objective for the assessment. Is this realistic? If a real attacker wanted to breach the corporate network, it would be far less risky to use telephone calls to piece together the information required to enable a spear phishing attack.

If a criminal did manage to physically breach your building's security, then installing a remotely accessible device, such as a 3G dropbox or a KVM box, in a free network port would yield just as much information, over a longer period, with less risk of the perpetrator being caught red-handed.

Assess which social engineering risks to your most critical assets are the most likely, then identify how to mitigate those risks.

• Pretext Design Mapping:

It is possible to map out social engineering attacks, starting with the asset involved, who would be targeted, which vulnerabilities might be exploited, what techniques could be used and what level of risk is associated with each exploit.

By mapping out scenarios, the social engineering pen tester can provide a list of potential vulnerabilities that can be tested for during the assessment.

The client can then make a decision to either play out multiple scenarios to assess as many different aspects of the business as possible, or focus on a relevant area of high risk and play out multiple scenarios designed to achieve the same objective.

This approach provides client and pen tester with a clear framework of specific vulnerabilities that they are trying to identify within procedures, policies, processes, awareness training, public information or physical controls.

Once the pretexts have been played out and vulnerabilities identified, a remediation plan can be devised.
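The mapping described under Threat Modelling and Pretext Design Mapping can be made concrete as a small scenario model. The following is an added example, not code from the article or from RandomStorm: each pretext records asset, target, vulnerability, technique, a likelihood and impact score (the 1-5 scales, the catalogue entries and the control-area names are constructed assumptions) and which control areas it exercises. It then supports both of the client's options from the text: a broad plan that picks scenarios to cover as many control areas as possible (a greedy set-cover), or a focused plan that plays out several high-risk scenarios against one asset.

```python
"""Pretext design mapping as a constructed model (example code, not the article's own)."""
from dataclasses import dataclass

# Control areas a scenario-based assessment should exercise (names are assumptions
# taken from the article's list: procedures, policies, processes, awareness
# training, public information and physical controls).
CONTROL_AREAS = frozenset({
    "procedures", "policies", "processes",
    "awareness_training", "public_information", "physical_controls",
})


@dataclass(frozen=True)
class Pretext:
    """One mapped scenario: asset -> target -> vulnerability -> technique -> risk."""
    name: str
    asset: str
    target: str
    vulnerability: str
    technique: str
    likelihood: int          # 1 (rare) .. 5 (expected); agreed with the client
    impact: int              # 1 (negligible) .. 5 (severe)
    controls: frozenset      # control areas this scenario tests

    def __post_init__(self):
        # Reject scores outside the assumed 1..5 scales and unknown control areas.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        unknown = self.controls - CONTROL_AREAS
        if unknown:
            raise ValueError(f"{self.name}: unknown control areas {sorted(unknown)}")

    def risk(self) -> int:
        """Simple likelihood x impact score (1..25)."""
        return self.likelihood * self.impact


# Constructed sample catalogue for one hypothetical organisation.
CATALOG = [
    Pretext("Tailgate to server cabinet", "internal network", "reception staff",
            "unescorted visitors are not challenged", "tailgating in a hi-vis vest",
            2, 4, frozenset({"physical_controls", "awareness_training"})),
    Pretext("Phone pretext for staff directory", "internal network", "helpdesk",
            "caller identity is not verified", "telephone pretexting",
            4, 3, frozenset({"procedures", "awareness_training"})),
    Pretext("Spear phishing from gathered names", "internal network", "finance staff",
            "public staff list and social media profiles", "spear phishing",
            5, 5, frozenset({"public_information", "awareness_training", "processes"})),
    Pretext("Courier dropbox plant", "internal network", "post room",
            "free network ports in an unlocked room", "3G dropbox on a free port",
            2, 5, frozenset({"physical_controls", "policies"})),
    Pretext("Partner invoice fraud", "payments", "accounts payable",
            "no call-back check for bank detail changes", "supplier impersonation",
            3, 5, frozenset({"procedures", "processes"})),
]


def rank_by_risk(pretexts):
    """Highest risk first; name breaks ties so the order is stable."""
    return sorted(pretexts, key=lambda p: (-p.risk(), p.name))


def broad_coverage_plan(pretexts, budget):
    """Client option 1: scenarios that together touch as many control areas as
    possible. Greedy set-cover: each step takes the scenario adding the most
    uncovered areas, preferring higher risk on ties, and stops when nothing
    adds coverage or the scenario budget is spent."""
    chosen, uncovered, remaining = [], set(CONTROL_AREAS), list(pretexts)
    while remaining and len(chosen) < budget:
        best = max(remaining, key=lambda p: (len(p.controls & uncovered), p.risk()))
        if not best.controls & uncovered:
            break
        chosen.append(best)
        uncovered -= best.controls
        remaining.remove(best)
    return chosen


def focused_plan(pretexts, asset, budget):
    """Client option 2: several scenarios aimed at the same objective (asset),
    highest risk first."""
    return rank_by_risk([p for p in pretexts if p.asset == asset])[:budget]


def uncovered_areas(plan):
    """Control areas a plan leaves untested; useful when reviewing scope."""
    covered = set().union(*(p.controls for p in plan))
    return sorted(CONTROL_AREAS - covered)


if __name__ == "__main__":
    for p in rank_by_risk(CATALOG):
        print(f"{p.risk():2d}  {p.name} ({p.asset} via {p.target})")
    broad = broad_coverage_plan(CATALOG, budget=3)
    print("broad plan:", [p.name for p in broad], "untested:", uncovered_areas(broad))
    focused = focused_plan(CATALOG, "internal network", budget=2)
    print("focused plan:", [p.name for p in focused], "untested:", uncovered_areas(focused))
```

The point of `uncovered_areas` is the article's warning about narrow assessments: a focused plan on the network asset here leaves policies and physical controls untested, which the client should accept knowingly rather than discover after the report.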

Social engineering assessments have huge potential to help organisations to provide better protection for their data, provided that clear, relevant models are followed. Assessment scenarios should be designed to identify multiple vulnerabilities in relevant aspects of the business and its partner organisations, not just your employees.

It is important not to accept an assessment based solely on tailgating into the building and photographing access to a server cabinet, if the attackers' route of least resistance is telephoning your colleagues and exploiting weak procedures and policies.

Using comprehensive, relevant assessment frameworks is key to tackling the social engineering threat. By focusing on the business as a whole, social engineering threat modelling can be tangibly improved and better decisions can be made to reduce the threat to your most valuable digital assets.

Contributed by Gavin Watson, Senior Security Engineer and head of the Social Engineering Team at security and compliance company RandomStorm (www.randomstorm.com).

Watson recently co-authored Social Engineering Penetration Testing, with Andrew Mason and Richard Ackroyd.