During a penetration test of an organization's physical security, if social engineering is used, the penetration tester interacts directly with the employees. These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust in the organization, leading to lawsuits and loss of productivity for the organization. This paper proposes two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies are validated by a set of penetration tests we conducted over a period of two years.
|Name|CTIT Technical Report Series|
|Publisher|Centre for Telematics and Information Technology, University of Twente|
- Physical security
- Penetration testing
- Research ethics
- Social engineering