Social engineering techniques are frequently part of an overall security penetration test; often used as a way to test an organization's so-called "human network."
But in a pen tester's zeal to uncover the vulnerabilities among employees, some may employ strategies that could be considered unethical. And there are some social engineering moves that you simply can't use at all if you want to stay within the lines of the law.
Here are six things to keep in mind to ensure your team is using the most ethical and legal approach to testing human security holes.
Know the local laws
"In many states, one-party consent for recording of audio or video is illegal," said Chris Hadnagy, veteran pen tester, social engineering expert and author of Social engineering: The art of human hacking. "A pen tester that does this without the proper contract in place can be breaking these laws."
Other things against the law that some pen testers might try: Threatening to harm someone, obtaining federal documents, social security numbers or other private information from unsuspecting targets. Also, impersonation of law enforcement is illegal. And impersonating a person within the organization you are pen testing can only be done with consent in order for it to be legal, said Ed Skoudis, SANS Instructor and NetWars CyberCity Director.
"We find that it is better to impersonate a fictional employee rather than an actual one, as that lowers the chance of tarnishing someone's reputation," he said.
Laws can vary from state to state and from country to country, so it's crucial to double check your plan against local laws first before proceeding.
"A good friend of mine, who is a social engineering pen tester in the UK, tells me that in the UK you can open a drawer during a pen test but you cannot look through it," noted Hadnagy. "If you see a password sticky note on top in the drawer, you can't use it, not even report on it. Understanding the laws for the area you are in can save you from hurting yourself and the company."
Remember "do no harm"
"Ethical concerns are a front and center of both social engineering and physical security testing," said HD Moore, chief research officer with Rapid7, and the founder and chief architect of the company's penetration testing solution, Metasploit. "Playing 'bad guy" can be as difficult for the consultant as it is for the employees of the client."
A certain amount of fudging the truth may be necessary to execute your pen test. But the key thing to remember is "do no harm," said Moore.
"A lie about leaving your keys on your desk may be appropriate, but making up a story about a traumatic accident is likely to cause grief and long-term mistrust when it turns out to be false."
Sign up for Computerworld eNewsletters.