Computer Sciences and Information Technology
“Don’t Include Social Engineering in Penetration Tests,” Article
After reading the article “Don’t Include Social Engineering in Penetration Tests,” discuss whether social engineering should be included as part of a penetration test. Knowing that the human is the weakest link in the cybersecurity chain, is it ethical as part of the pen test to engage in behavior that the author describes as a “grey area: compromising staff members’ personal devices or personal email accounts (as opposed to work accounts); breaking into office buildings to steal equipment or plant network monitoring devices; compromising social media accounts to perform recon; etc.”? (Kaplan-Moss, 2017)
Review several of your fellow learners’ posts and respond to at least two of your peers by end of Day 7 of the week. In your response to your classmates’ posts:
Do you agree with your fellow learners’ assessments of social engineering as part of penetration testing?
Try to expand on your rationale by asking your classmates questions and provide additional resources and evidence to support your claims and to extend their thoughts on their point of view.
References
Kaplan-Moss, J. (2017, June 27). Don’t include social engineering in penetration tests [Blog post]. Retrieved from https://jacobian.org/2017/jun/27/social-engineering-pentests/
Article Review
Social engineering is used in penetration tests mainly to uncover an organization’s security weaknesses. However, the activity is risky, because the methods it relies on fall into an ethical grey area. On reading the article by Kaplan-Moss (2017), I agree that social engineering should not be part of penetration tests, due to its inability to produce valid results. Human beings are the weakest link in cybersecurity systems, since a single wrong move in their interactions with those systems could compromise the corporation’s information. Social engineering can even lead its practitioners into unethical conduct that puts individual staff members in a compromised position.
The process mainly entails having a person disguised as an authorized individual ask an employee to use their credentials to access sensitive information (Murashka, 2018). An unknowing employee could easily believe such an individual, especially if the impostor provides the right details, and give them access to the information on the spot. By the time the employee realizes they were tricked, the damage has already been done. Such an exercise would show how prepared an organization’s employees are in the face of system risks and vulnerabilities (Brecht, 2016). However, it is unethical to trick, con, steal information, or misuse other information in order to access sensitive data. It is prudent that cybersecurity systems are monitored in legal ways at all points, so that the final reports are grounded in legal and truthful findings. According to Kaplan-Moss (2017), social engineering is a risky process that will not bring useful outcomes. Therefore, it is prudent to consider other options, such as simulations, and to focus on remediating the systems themselves.
References
Brecht, D. (2016). Google Docs – Create and edit documents online for free. Retrieved from https://docs.google.com/document/d/1zAPy5ZcXbrZlG9fqRHBACAJqO1OLaMjF3K3xDUyiDoo/edit
Kaplan-Moss, J. (2017, June 27). Don’t include social engineering in penetration tests [Blog post]. Retrieved from https://jacobian.org/2017/jun/27/social-engineering-pentests/
Murashka, U. (2018, January 25). Social engineering penetration testing: An overview. Retrieved from https://www.scmagazine.com/home/opinion/executive-insight/social-engineering-penetration-testing-an-overview/