Video: Social engineering for penetration testers

In recent years, people have become more familiar with the term “social engineering”, the use of deception or impersonation to gain unauthorized access to sensitive information or facilities. Does this mean that there are fewer successful social engineering attacks? Unfortunately not.

In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible) more people are resorting to social engineering techniques as a means of gaining access to an organisation’s resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organization gives a good indication of the effectiveness of current physical security controls and the staff’s level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

Sharon Conheady’s BruCON talk discusses the practical aspects of a social engineering attack, providing plenty of war stories from her career as a social engineer. The key to preventing social engineering attacks from being successful lies in education and awareness. This talk will give the audience an insight into the techniques used by social engineers, whether as part of an ethical social engineering test or as a malicious social engineering attack.