Two methodologies for physical penetration testing using social engineering

T. Dimkov, A. van Cleeff, Wolter Pieters, Pieter H. Hartel

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    27 Citations (Scopus)
    662 Downloads (Pure)


    Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and if not done properly can upset the employees, violate their privacy or damage their trust toward the organization and might lead to law suits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years
    Original languageUndefined
    Title of host publicationProceedings of the Annual Computer Security Applications Conference (ACSAC)
    Place of PublicationNew York
    PublisherAssociation for Computing Machinery (ACM)
    Number of pages10
    ISBN (Print)978-1-4503-0133-6
    Publication statusPublished - Dec 2010
    Event26th Annual Computer Security Applications Conference, ACSAC 2010 - Four Seasons Hotel, Austin, United States
    Duration: 6 Dec 201010 Dec 2010
    Conference number: 26

    Publication series

    PublisherAmerican Chemical Society


    Conference26th Annual Computer Security Applications Conference, ACSAC 2010
    Abbreviated titleACSAC
    CountryUnited States
    Internet address


    • METIS-276132
    • IR-74290
    • Research ethics
    • Methodology
    • EWI-18719
    • Social Engineering
    • Penetration Testing
    • SCS-Cybersecurity
    • physical security

    Cite this