Network Risk Assessment: Penetration Testing and Social Engineering

Electronic information systems, now de rigueur for recordkeeping, hold company and customer data, much of which may be confidential. If network security controls are ineffective, an intruder can enter from outside, steal that data, and exploit it. The result may be identity theft, leaked private company information (think of the WikiLeaks fiasco), lawsuits, or dissatisfied customers. To meet industry standards, keep company information confidential, and maintain a satisfied customer base, implement an effective network security plan that includes regular risk assessments.

Although the data in an electronic information system is often thought of as a purely technical asset, a network risk assessment considers every way that information could be stolen, including by physical or social means. A network engineer performing a risk assessment therefore combines penetration testing with social engineering techniques.

Penetration testing uses ethical hacking techniques to break into a network and identify vulnerabilities: weak points through which an outside party can enter. The test follows a four-phase process: planning, discovery, attack, and reporting. The first two phases gather the basic facts about the network, including open ports and the services listening on them, host names, IP addresses, operating system versions, application and service versions, and employee names and contact information. To test the interior as an insider would see it, the engineer may also be granted employee-level access to the system. With this information gathered, the engineer performs a vulnerability analysis, comparing the discovered hosts and service versions against a vulnerability database.

Every vulnerability identified becomes a target for ethical hacking in the attack phase. For each attempt, the engineer records whether the attack succeeded, how much skill and effort it required, and what measures would prevent it in the future. Because one successful attack often exposes further vulnerabilities or additional hosts that were not visible from outside, the engineer typically cycles between the discovery and attack phases several times before producing a full report.
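To make the discovery and vulnerability-analysis step concrete, here is an added example (not code from the original article) of how a service inventory gathered during discovery can be matched against a vulnerability database and ranked into targets for the attack phase. The hosts, banners, product names, version numbers and SAMPLE-nnnn identifiers are all constructed, fictional data; the banner patterns and the "affected if older than fixed_in" rule are assumptions made for the example.

```python
"""Vulnerability analysis: match discovery-phase service data against a
vulnerability database.  Added example, not code from the original article.
Every host, banner and database entry below is constructed, fictional sample
data; the "SAMPLE-" identifiers are placeholders, not real advisories."""
import re
from dataclasses import dataclass

# Constructed service inventory as a port scan might record it: (host, port, banner).
DISCOVERED_SERVICES = [
    ("10.0.0.5", 22, "SSH-2.0-ExampleSSH_7.2"),
    ("10.0.0.5", 80, "Server: ExampleHTTPd/2.4.1"),
    ("10.0.0.9", 80, "Server: ExampleHTTPd/2.2.9"),
    ("10.0.0.9", 3306, "5.7.10-ExampleDB"),
    ("10.0.0.12", 443, "Server: ExampleHTTPd/2.4.3"),
    ("10.0.0.20", 8080, "Welcome to the intranet portal"),  # no version in banner
]

# Constructed vulnerability database (fictional products and identifiers):
# a product is affected by an entry if its version is older than "fixed_in".
VULN_DB = [
    {"product": "ExampleHTTPd", "fixed_in": "2.4.2", "id": "SAMPLE-0001", "severity": "high"},
    {"product": "ExampleSSH", "fixed_in": "7.4", "id": "SAMPLE-0002", "severity": "medium"},
    {"product": "ExampleDB", "fixed_in": "5.7.12", "id": "SAMPLE-0003", "severity": "critical"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Banner formats this example knows how to read; each yields a product and a version.
BANNER_PATTERNS = [
    re.compile(r"SSH-2\.0-(?P<product>[A-Za-z]+)_(?P<version>\d+(?:\.\d+)*)"),
    re.compile(r"Server: (?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)"),
    re.compile(r"^(?P<version>\d+(?:\.\d+)*)-(?P<product>[A-Za-z]+)$"),
]


@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str
    vuln_id: str
    severity: str


def parse_banner(banner):
    """Return (product, version) from a banner, or None if it is unrecognised."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return match.group("product"), match.group("version")
    return None


def version_lt(a, b):
    """Numeric dotted-version comparison; missing components count as zero,
    so "2.4" < "2.4.1" and "7.2" < "7.4".  Plain string comparison would
    wrongly order "2.10" before "2.9"."""
    ta = [int(x) for x in a.split(".")]
    tb = [int(x) for x in b.split(".")]
    width = max(len(ta), len(tb))
    ta += [0] * (width - len(ta))
    tb += [0] * (width - len(tb))
    return ta < tb


def analyse(services, vuln_db):
    """Return (findings sorted by severity, banners that could not be parsed).
    Unparsed banners are kept so they can be reviewed by hand rather than
    silently dropped from the assessment."""
    findings, unknown = [], []
    for host, port, banner in services:
        parsed = parse_banner(banner)
        if parsed is None:
            unknown.append((host, port, banner))
            continue
        product, version = parsed
        for entry in vuln_db:
            if entry["product"] == product and version_lt(version, entry["fixed_in"]):
                findings.append(Finding(host, port, product, version,
                                        entry["id"], entry["severity"]))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 99))
    return findings, unknown


if __name__ == "__main__":
    found, unparsed = analyse(DISCOVERED_SERVICES, VULN_DB)
    for f in found:
        print(f"{f.severity:8} {f.host}:{f.port} {f.product} {f.version} -> {f.vuln_id}")
    for host, port, banner in unparsed:
        print(f"review   {host}:{port} unrecognised banner: {banner!r}")
```

The sorted findings are the attack-phase target list, highest severity first. Two details matter in practice: versions are compared numerically rather than as strings, and banners the patterns cannot read are returned separately instead of being discarded, because a service that hides its version is not the same as a service with no known weakness. A real assessment replaces the hand-written inventory and database with scanner output and a maintained vulnerability feed.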

The information gathered about employees and the system also serves as the reference for the social engineering part of the assessment. Social engineering, most often in the form of a phishing scheme, tricks network users into revealing usernames or passwords. Employees should never give such information to an unverified requester, so the engineer tests whether they actually follow that rule by posing as an outsider and attempting to obtain it through online or telephone conversations, instant messages, or emails.

Email phishing schemes are among the most common ways attackers obtain network credentials. Typically, an email that appears authentic, seemingly from the company itself, a bank, or an internet service provider, requests username or password information. The email directs the user to a look-alike website controlled by the attacker, which collects the credentials and, in some cases, account numbers, credit card numbers, or social security numbers as well. Telltale signs include a sender or reply-to address on a domain that does not belong to the claimed organization, a link whose visible text shows one address while it actually points to another, and an urgent demand for credentials. With this information, the intruder logs into the network as that user and steals data to exploit.
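As an added example (not part of the original article), the following script checks a received email for the indicators just described: a reply-to address on a different domain from the sender, a request for credentials in the body, and a link whose visible text claims one address while its href points elsewhere. The two messages, the domains (all under the reserved .example TLD) and the trusted-domain list are constructed sample data and assumed configuration, not real addresses.

```python
"""Flag the phishing indicators described above in a received email.
Added example, not code from the original article.  Both messages and all
domains (under the reserved .example TLD) are constructed sample data, and
the trusted-domain list is an assumed configuration value."""
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the organisation treats as legitimate senders and link targets.
TRUSTED_DOMAINS = {"bank.example", "corp.example"}

# Phrases that mark a request for credentials or other sensitive data.
CREDENTIAL_WORDS = ("password", "username", "social security", "credit card",
                    "verify your account")

# Visible link text that looks like an address the reader will trust.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed phishing message: spoofed display name, reply-to on another
# domain, urgent credential request, link text that hides the real target.
PHISHING_EMAIL = """\
From: "Bank Security Team" <alerts@bank.example>
Reply-To: verify@bank-verify.example
To: employee@corp.example
Subject: Urgent: confirm your account
Content-Type: text/html

<html><body>
<p>Your account has been locked. Please verify your username and password within 24 hours.</p>
<p><a href="http://login.bank-verify.example/verify">https://www.bank.example/login</a></p>
</body></html>
"""

# Constructed legitimate message for comparison.
LEGITIMATE_EMAIL = """\
From: IT Helpdesk <helpdesk@corp.example>
To: employee@corp.example
Subject: VPN maintenance window
Content-Type: text/plain

The VPN will be unavailable on Saturday from 02:00 to 04:00 for maintenance.
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for each <a>, plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def base_domain(addr_or_url):
    """Last two labels of the host in an email address or URL, lowercased."""
    if "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[1]
    else:
        url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
        host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return the list of indicator names found in the message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    sender = parseaddr(str(msg["From"]))[1]
    reply_to = parseaddr(str(msg["Reply-To"]))[1] if msg["Reply-To"] else sender
    if base_domain(reply_to) != base_domain(sender):
        indicators.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(parser.text).lower()
    if any(phrase in text for phrase in CREDENTIAL_WORDS):
        indicators.append("credential-request")

    for href, label in parser.links:
        target = base_domain(href)
        if target not in trusted:
            indicators.append("untrusted-link")
        if urlparse(href).scheme == "http":
            indicators.append("insecure-link")
        if URL_LIKE.match(label) and base_domain(label) != target:
            indicators.append("link-text-mismatch")
    return indicators


if __name__ == "__main__":
    print("phishing:  ", phishing_indicators(PHISHING_EMAIL))
    print("legitimate:", phishing_indicators(LEGITIMATE_EMAIL))
```

The comparison is done on the link's actual href, never on its visible text, because the visible text is exactly what the attacker controls to mislead the reader. Checks like these are a triage aid for a mail gateway or for the engineer reviewing the results of a phishing test; they do not replace verifying the sender through a separate channel, which is the behaviour the social engineering test is meant to measure.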

Certain individuals, such as executives, hold access that is more valuable than that of other users on a network. Attackers craft messages specifically for them (known as spear phishing), and in a social engineering test the network engineer may likewise target such employees.