CIO

Social engineering in penetration tests: 6 tips for ethical (and legal) use

Social engineering techniques are often crucial to executing penetration tests. But which methods cross ethical and legal lines?

Social engineering techniques are frequently part of an overall security penetration test; often used as a way to test an organization's so-called "human network."

But in a pen tester's zeal to uncover the vulnerabilities among employees, some may employ strategies that could be considered unethical. And there are some social engineering moves that you simply can't use at all if you want to stay within the lines of the law.

Here are six things to keep in mind to ensure your team is using the most ethical and legal approach to testing human security holes.

Know the local laws

"In many states, one-party consent for recording of audio or video is illegal," said Chris Hadnagy, veteran pen tester, social engineering expert and author of Social Engineering: The Art of Human Hacking. "A pen tester that does this without the proper contract in place can be breaking these laws."


Other actions that are against the law, and that some pen testers might be tempted to try: threatening to harm someone, or obtaining federal documents, Social Security numbers or other private information from unsuspecting targets. Impersonating law enforcement is also illegal. And impersonating a real person within the organization you are testing is legal only with that person's consent, said Ed Skoudis, SANS Instructor and NetWars CyberCity Director.

"We find that it is better to impersonate a fictional employee rather than an actual one, as that lowers the chance of tarnishing someone's reputation," he said.

Laws can vary from state to state and from country to country, so it's crucial to double check your plan against local laws first before proceeding.

"A good friend of mine, who is a social engineering pen tester in the UK, tells me that in the UK you can open a drawer during a pen test but you cannot look through it," noted Hadnagy. "If you see a password sticky note on top in the drawer, you can't use it, not even report on it. Understanding the laws for the area you are in can save you from hurting yourself and the company."

Remember "do no harm"

"Ethical concerns are front and center in both social engineering and physical security testing," said HD Moore, chief research officer with Rapid7, and the founder and chief architect of the company's penetration testing solution, Metasploit. "Playing 'bad guy' can be as difficult for the consultant as it is for the employees of the client."

A certain amount of fudging the truth may be necessary to execute your pen test. But the key thing to remember is "do no harm," said Moore.

"A lie about leaving your keys on your desk may be appropriate, but making up a story about a traumatic accident is likely to cause grief and long-term mistrust when it turns out to be false."


Moore said similar guidelines apply to physical security testing.

"You never want to put your employees, the client, or their security personnel into a situation where they feel like they are in harm's way. It is quite easy for people to overreact. I have heard stories of a client tackling a security tester because they followed someone through a security door."

Emulate "real world" exploits -- not movie scenes

Moore also thinks social engineering tests should reflect real-world attacks against the organization, not over-the-top situations that are unlikely in a day-to-day work environment.

"Sending a suspicious email or making a phone call for a password reset is something that employees should be able to defend against," he said. "By contrast, rappelling through a skylight or bugging someone's office is not a normal risk for most companies, and would cross the line if attempted."

Get sign off and a clear contract

Each part of your penetration test needs sign-off from management in the organization before you proceed. To protect yourself, you also need a contract that clearly defines what is, and what is not, allowed, said Hadnagy.

"You want to access the dumpsters? Make sure it is in the contract. You want to have the ability to walk out of the building with a computer under arm? Get that in the contract. What if the computer you walk out with contains personal details for all employees or financial data?"

"The social engineering process should work from a plan that has been approved by both the security manager and a representative from the human resources department," adds Moore.

Make sure the appropriate people are aware before you begin

You've got permission to do what you need to do by getting it in writing, but don't just set off on your test without warning the appropriate people first -- or you could find yourself in an awkward situation. In this tale from Moore, jobs were lost because proper notification was not given in advance of the test.

"In a late-night physical penetration test of a bank branch, a consultant triggered the building alarm and was waiting for the police to show up. Fortunately, the cleaning crew arrived in the nick of time and helped disable the alarm and let them into the secured area. The police still showed up and there was an awkward conversation that resulted in the president of the bank being called. The consultant was cleared, but the cleaning crew was fired on the spot by the bank president. By the time the situation was resolved the next morning, the damage had already been done. In this case, the president should have been made aware that a test was taking place that evening."

Separate to avoid outside damage

As Skoudis explains here, a spear-phishing pen test should be separated into two phases to avoid accidentally attacking an unintended target outside of the organization:

"The first part is sending the e-mail itself, trying to get a click on a link or the opening of an attachment. We recommend that penetration testers compose their e-mail with links and/or attachments, BUT DO NOT TRY TO EXPLOIT THE TARGET via that e-mail. Instead, the pen tester sets up a web site, so he or she can merely count the number of clicked links or open attachments that he or she gets from the e-mail, as well as the source machine of the clicks.

Then, as a separate phase of the project, the pen tester works with a collaborator on the inside, using a typically configured laptop or desktop computer, to try the exploitation itself, perhaps gaining access and then pivoting through the target infrastructure. So, the tester would agree with an inside collaborator that on a given date and time, the pen tester will provide a series of URLs and/or attachments for the collaborator to explicitly click on and open. There is no trickery involved in this phase. But, we can then infer from what we are able to exploit on that typical client machine the impact we would have likely gotten from any of the clicks in phase one.

You see, we've separated the phishing e-mail (where all that really matters is whether you get a click or not) from the exploitation step. This is a whole lot safer. You see, if you bundle the two together, and exploit a machine that received the e-mail, you may end up attacking someone outside of scope. An email recipient may forward your e-mail to someone inside the company (or even outside the company). If you attack that person, you've exceeded your scope and can get in big trouble. That's why we separate the two aspects."
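As an added example (not code from the article or from anyone quoted in it), here is a small Python script for the phase-one click-counting site Skoudis describes: it reads the tracking site's access log, counts clicks per addressed recipient, and flags any click arriving from outside the contractually agreed source networks, which is the "forwarded outside the company" case the quote warns about. The network ranges, tracking tokens, recipient addresses and log lines are constructed sample values.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: source networks the contract puts in scope (hypothetical values).
IN_SCOPE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed mapping from per-recipient tracking token to the addressed recipient.
TOKEN_TO_RECIPIENT = {"a1f9": "alice@example.test", "b7c2": "bob@example.test"}

# Constructed access-log lines from the click-counting site (common log format).
# The site only records the hit; it serves nothing that exploits the client.
SAMPLE_LOG = """\
10.20.4.17 - - [12/Mar/2024:09:14:02 +0000] "GET /t/a1f9 HTTP/1.1" 200 12
10.20.4.17 - - [12/Mar/2024:09:14:05 +0000] "GET /t/a1f9 HTTP/1.1" 200 12
198.51.100.9 - - [12/Mar/2024:09:20:41 +0000] "GET /t/b7c2 HTTP/1.1" 200 12
10.20.9.3 - - [12/Mar/2024:09:31:10 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""

# Matches only hits on the tracking path /t/<token>; everything else is ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /t/(\w+) HTTP/[\d.]+" \d{3} \d+$')


def analyze_clicks(log_text, networks=IN_SCOPE_NETWORKS, tokens=TOKEN_TO_RECIPIENT):
    """Return (in_scope_clicks_per_recipient, out_of_scope_events).

    A hit whose source address is outside the agreed networks is NOT counted
    as a result; it is reported separately so the tester can stop and check
    scope (for example, the mail was forwarded outside the organization).
    """
    in_scope_clicks = Counter()
    out_of_scope = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a tracking hit
        src, token = match.group(1), match.group(2)
        recipient = tokens.get(token)
        if recipient is None:
            continue  # unknown token: not one of our addressed recipients
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in networks):
            in_scope_clicks[recipient] += 1
        else:
            out_of_scope.append((recipient, src))
    return in_scope_clicks, out_of_scope
```
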