Sharon Conheady

Temat: Social engineering for penetration testers

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She did this with no more than an abacus, a ball point pen and a large pad of paper. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Not really. Sharon is a social engineer / penetration tester based in London. She holds a degree in Computer Science from Trinity College Dublin and a MSc in Information Security from Westminster University London. Sharon has previously presented at Recon 2006 and 2008, Deepsec, IT Security Congress, Infosek, ISSE/Secure 2007 and SANS Secure Europe.

In recent years, people have become more familiar with the term “social engineering”, the use of deception or impersonation to gain unauthorised access to resources from computer networks to buildings. Does this mean that there are fewer successful social engineering attacks? Certainly not.

In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible) more people are resorting to social engineering techniques as a means of gaining access to an organisation’s resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organisation gives a good indication of the effectiveness of current physical security controls and the staff’s level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

During my talk, I will discuss the practical aspects of a social engineering attack, providing plenty of war stories from my career as a social engineer, including:

  • Reconnaissance: where to look for information about your target and what kind of information is useful for attacks
  • Attack sophistication: how sophisticated your attack needs to be for your target; choosing the path of least resistance
  • Choosing individuals to target within your chosen organisation
  • Techniques for gaining entry to buildings (and how to get out again)
  • What to do once you have gained access to the building (from the perspective of a penetration tester)
  • Pitfalls to avoid / what can go wrong

The key to preventing social engineering attacks from being successful lies in education and awareness. This talk will give the audience an insight into the techniques used by social engineers, whether as part of an ethical social engineering test or as a malicious social engineering attack.