One of my favorite questions to ask pen-testers or other security assessors is how often they are successful and what techniques are the most successful. I imagine social engineering and physical attacks have a very high rate of success; in fact, I wouldn’t bat an eyelash if pen-testers claim those are 100% successful when attempted. I’m sure there are many other ways they can own a network, but when they run into a tough cookie to break, I wouldn’t be surprised if those methods combined with some wire sniffing yields positive results almost all the time. This article I read this morning caught my imagination:

Core Security Technologies has never failed in its spear phishing tests
against large organizations, Caceres said, an indication of the task DOD
faces as it attempts to battle its latest network threat. The human
factor which requires e-mail users to carefully examine their messages,
plays a critical role in defeating spear phishing, Caceres said.

I think this is why discussion on user education is still rather mixed. Most everywhere I read that user education is necessary as we build security awareness and programs in organizations, with this as proof that we need more education. Others will claim that user education is not going to solve this, and we should focus more on technology and other aspects. They will also cite these results by saying that getting intelligent users who consistently make the correct decisions is a losing battle.

At any rate, I love hearing about success rates and common means of access into networks. Jeremiah Grossman has been doing a related survey for web application specialists for a few months now, and has been quite readily and hungrily accepted.

I wonder if there are similar surveys or data for pen-testers?

Update: Of interest, Dana Epp pointed me over to a presentation on combating social engineering.