Social Engineering Penetration Testing

  • Thomas Arthur Talmadge UMUC
Keywords: Cybersecurity, Penetration Testing, Social Engineering, Modeling, White Box, Black Box.


Human cybersecurity failures continue to be the major cause of data breaches. Social engineering takes advantage of these human failures, however penetration testing strategies and methodologies have still not fully embraced socio-technical aspects of cybersecurity brought on by human failures. Each stakeholder in the networked digital world has different focused requirements that they design and test for, but the lowest level – the individual user or organization – requires a more holistic approach to penetration testing that embraces a multi-discipline approach with a social engineering focus. The focus of cybersecurity in an organization must be aligned with the threat. This paper discusses black and white box testing methodologies and discusses how these type differentiations work for individual stakeholders i.e. application designers, network engineers, hardware engineers, etc, but are not sufficient for overall organization level penetration testing, where the goal is avoiding a data breach. Further, the paper discusses efforts to model and standardize penetration testing and the effect on social engineering penetration testing. Uniquely, social engineering itself can be an attack vector, can enable technical attacks, and or can identify vulnerabilities to exploit. Time and again research shows that people are the biggest cybersecurity threat to an organization. Social engineering aspects need to be the primary focus of dynamic organizational penetration test strategies using standards and models to focus the social-technical penetration test efforts.