Should social engineering be part of a Penetration Test?

In one word – never.

A penetration test is designed to test technology, rectify problems and issues with that technology as well as make sure that the technology is installed and configured correctly.

Social engineering has two components – the technology (malware, ransomware, a worm) used to compromise your system, and getting someone inside the organisation to open an attachment, download an application or visit an infected website. The easiest part of social engineering is getting someone inside your organisation to do something stupid.

Social engineering should only be included if the organisation has already carried out a significant education program, and then only to test whether that education has actually worked.

