Posted: August 28th, 2022

“Don’t Include Social Engineering in Penetration Tests”

Computer Sciences and Information Technology
“Don’t Include Social Engineering in Penetration Tests,” Article
After reading the article “Don’t Include Social Engineering in Penetration Tests,” discuss whether social engineering should be included as part of a penetration test. Knowing that the human is the weakest link in the cybersecurity chain, is it ethical as part of the pen test to engage in behavior that the author describes as a “grey area: compromising staff members’ personal devices or personal email accounts (as opposed to work accounts); breaking into office buildings to steal equipment or plant network monitoring devices; compromising social media accounts to perform recon; etc.”? (Kaplan-Moss, 2017)

Review several of your fellow learners’ posts and respond to at least two of your peers by the end of Day 7 of the week. In your response to your classmates’ posts:

Do you agree with your fellow learners’ assessments of social engineering as part of penetration testing?
Try to expand on your rationale by asking your classmates questions and provide additional resources and evidence to support your claims and to extend their thoughts on their point of view.
References

Kaplan-Moss, J. (2017, June 27). Don’t include social engineering in penetration tests [Blog post]. Retrieved from https://jacobian.org/2017/jun/27/social-engineering-pentests/
From reading the article “Don’t Include Social Engineering in Penetration Tests” by Jacob Kaplan-Moss, it is clear that social engineering should not be included as part of a penetration test. Kaplan-Moss argues that social engineering tactics, such as compromising staff members’ personal devices or personal email accounts, breaking into office buildings, and compromising social media accounts, are a “grey area” and can be considered unethical.
Furthermore, Kaplan-Moss states that these tactics can also harm the reputation of the company conducting the penetration test and can lead to legal issues. Additionally, the article highlights that social engineering is a separate field from penetration testing and should be treated as such.
I agree with Kaplan-Moss’s assessment that social engineering should not be included as part of a penetration test. The human factor is a crucial aspect of cybersecurity, and it is essential to consider the potential consequences of social engineering tactics on both the company and the individuals involved. Additionally, it is essential to consider the legal and ethical implications of these tactics and ensure that they align with industry standards and regulations.
To expand on this point, one could ask questions such as: What are the alternatives to using social engineering tactics in a penetration test? How can companies test their employees’ susceptibility to social engineering without compromising their personal information? Additionally, one could provide resources such as the “Code of Ethics” from the International Association of Penetration Testers (IAPP) which states that penetration testers should respect the privacy and legal rights of individuals and organizations.
Social engineering should not be included as part of a penetration test due to its unethical nature and potential legal and reputational consequences. It is essential for companies to consider the human factor in cybersecurity and to adhere to industry standards and regulations.

Article Review
Social engineering is used in penetration tests mainly to uncover security weaknesses. However, the activity is risky, considering the borderline conduct it involves. On reading the article by Kaplan-Moss (2017), I agree that social engineering should not be part of the penetration tests due to its inability to produce invalid results. Human beings are the weakest links in cybersecurity systems, since a single wrong move in their interactions with the systems could compromise the corporation’s information. Social engineering can even lead its practitioners to engage in unethical conduct that could put an individual in a compromising position.
The process mainly entails a person disguised as an authorized individual asking an employee to use their credentials to access sensitive information (Murashka, 2018). An unsuspecting employee could easily believe such a person, especially if they supply the right details, and could give them access to the information in an instant. By the time the employee realizes they were tricked, the damage has already been done. This would show how ready one’s employees are in the face of system risks and vulnerabilities (Brecht, 2016). However, it is unethical to trick, con, steal information, or use other information to access sensitive information. It is prudent that cybersecurity systems are monitored in legal ways at all points, so that the final reports are developed on a legal and truthful basis. According to Kaplan-Moss (2017), social engineering is a risky process that will not bring useful outcomes. Therefore, it is prudent to consider other options, such as simulation, and to focus on the systems’ remediation process.

References
Brecht, D. (2016). Google Docs – Create and edit documents online for free. Retrieved from https://docs.google.com/document/d/1zAPy5ZcXbrZlG9fqRHBACAJqO1OLaMjF3K3xDUyiDoo/edit
Kaplan-Moss, J. (2017). Don’t include social engineering in penetration tests. Retrieved from https://jacobian.org/2017/jun/27/social-engineering-pentests/
Murashka, U. (2018, January 25). Social engineering penetration testing: An overview. Retrieved from https://www.scmagazine.com/home/opinion/executive-insight/social-engineering-penetration-testing-an-overview/
