Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Testing the user community

from [Mister Coffee] Network Security [Permanent Link]
Subject: Re: Testing the user community
Date: Wed, 31 Jan 2007 14:42:48 -0800
webmaster@absolutenetworks.biz wrote:
We all know our weak link but how do you identify just how weak they are? I think it's time to pen test my user community and have a couple ideas to gather statistics on just how nonaware they really are. Maybe a simple phishing scam and bogus email with a fake virus attachment that emails me when it's opened so I can track how many folks actually opened it. Has anyone ever done this before? I can't find any information about it on the web.. thoughts and ideas anybody?

Many thanks

Kurt
I've seen a number of these done where the users are sent an email with some kind of hook and either a low impact (but real) trojan or a simple 'phone home' trojan as you suggest above. I suppose the deciding factors are how obvious a hook you want to use, how much your local legal department will buy into it, and what kind of trojan you'll need to attach to get through your local AV/Anti-spam filters.

Impersonating your local tech support department or a company exec will probably net you a very high percentage of users, but will risk seriously impacting the trust they have in those sources (a "real" bad guy won't care, but it's probably not worth risking the support department's reputation for the improved hit rate). Using some kind of well designed banking or on-line purchase hook can be very effective, but can also lead to people to panic and cancel credit cards or what have you. Very painful to explain to the user community when they find out it was a test. You could always try something topical, like an offer for free tickets to a local sports team, movie, whatever.

You can always try a cut-and-paste from a phishing/spam you find in the wild.

Finding a trojan to attach and get through your mail system is a separate exercise. I'd just make sure you have a green light from whatever management legal decides need to sign off.


Cheers,
L4J

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Testing the user community, Paul Melson
Next by Date:  Re: Testing the user community, Nicolás F. Iglesias
Previous by Thread:  RE: Testing the user community, Paul Melson
Next by Thread:  Re: Testing the user community, Thor (Hammer of God)
Indexes:  [Date] [Thread] [Top] [All Lists]