Two methodologies for physical penetration testing using social engineering

T. Dimkov, A. van Cleeff, Wolter Pieters, Pieter H. Hartel

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    23 Citations (Scopus)
    472 Downloads (Pure)

    Abstract

    Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust toward the organization, and might lead to lawsuits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years.

    Original language: Undefined
    Title of host publication: Proceedings of the Annual Computer Security Applications Conference (ACSAC)
    Place of publication: New York
    Publisher: Association for Computing Machinery (ACM)
    Pages: 399-408
    Number of pages: 10
    ISBN (Print): 978-1-4503-0133-6
    DOIs: https://doi.org/10.1145/1920261.1920319
    Publication status: Published - Dec 2010
    Event: 26th Annual Computer Security Applications Conference, ACSAC '10 - Four Seasons Hotel, Austin, United States
    Duration: 6 Dec 2010 to 10 Dec 2010
    Conference number: 26
    https://www.acsac.org/2010/

    Publication series

    Name:
    Publisher: American Chemical Society

    Conference

    Conference: 26th Annual Computer Security Applications Conference, ACSAC '10
    Abbreviated title: ACSAC 2010
    Country: United States
    City: Austin
    Period: 6/12/10 to 10/12/10
    Internet address: https://www.acsac.org/2010/

    Keywords

    • METIS-276132
    • IR-74290
    • Research ethics
    • Methodology
    • EWI-18719
    • Social Engineering
    • Penetration Testing
    • SCS-Cybersecurity
    • physical security

    Cite this

    Dimkov, T., van Cleeff, A., Pieters, W., & Hartel, P. H. (2010). Two methodologies for physical penetration testing using social engineering. In Proceedings of the Annual Computer Security Applications Conference (ACSAC) (pp. 399-408). New York: Association for Computing Machinery (ACM). https://doi.org/10.1145/1920261.1920319