
I suspect it's just because there are too many variables. Social Engineering isn't exactly a replicable science.



From my perspective though, the best Social Engineering undertakings are targeted in ways that are like one-time-use zero-day exploits. Or, in other words, the merit of SE is breaking in once, not leaving an open door behind as a repeat attack vector (that's the goal once through the barrier).


Individually, no, but statistically...perhaps?


Perhaps. There's also the depressing reality that you can't actually stop social engineering conclusively. A sysadmin is always going to need to have a login with administrative privileges, and they're always going to be fallible.


Not entirely true, I work at a bank and many of the most critical core banking systems don't have an admin account at all. Yes there are accounts that perform critical system functions, but they don't have passwords and can't be logged on to interactively.

We make changes to those systems by setting up very intricate situations where the changes are all in the right place at the right time and a bunch of approval systems have basically got flags indicating changes can be made. Then the changes get included as part of the system's normal operations, as in once it gets a bunch of signals from various places it pulls in whatever is in a specific ClearCase stream.

Obviously the above description is a huge oversimplification, but the only way to social engineer that is if you can convince multiple system managers to approve a change which has already been promoted by tech leads in various departments.

Admittedly it makes "hot"fixes a god damn nightmare because 'oh shit, no one noticed a spelling error in the legal disclaimer sent to business customers? Let's get all 150 technical sign-offs again... And get me the number of that lawyer who said that we had to include that!'
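The promotion gate the comment above describes (no interactive admin account, a change is pulled in only once enough independent sign-offs exist) can be sketched as a quorum check. The following is an added, constructed example, not the bank's system or any real product: approver names, roles, keys, the role quotas and the sample change are all invented, and HMAC over a canonical digest stands in for whatever signing the real approval systems use. It shows the two properties that make the scheme resistant to a single successful con: approvals must come from distinct people covering every required role, and every approval is bound to the exact content hash, so a later edit (the disclaimer typo) voids all of them.

```python
"""Quorum-gated change promotion: no single account can push a change.

Constructed example. Approver secrets would live in an HSM or KMS in a real
deployment; here they are inline so the block runs offline.
"""
import hashlib
import hmac
import json

# Constructed approver registry: name -> (role, signing key).
APPROVER_KEYS = {
    "alice": ("tech_lead", b"alice-key-constructed"),
    "bob": ("tech_lead", b"bob-key-constructed"),
    "carol": ("system_manager", b"carol-key-constructed"),
    "dave": ("system_manager", b"dave-key-constructed"),
}

# Constructed policy: how many distinct approvers of each role must sign off.
REQUIRED_APPROVALS = {"tech_lead": 2, "system_manager": 2}


def change_digest(change: dict) -> str:
    """Canonical JSON so the same logical change always hashes the same."""
    canonical = json.dumps(change, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def approve(approver: str, change: dict) -> dict:
    """An approver signs the digest of the exact change they reviewed."""
    _role, key = APPROVER_KEYS[approver]
    digest = change_digest(change)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"approver": approver, "digest": digest, "sig": sig}


def gate(change: dict, approvals: list) -> tuple:
    """Return (ok, reason). ok is True only when the quorum policy is met.

    Checks: known approver, no double-counting one person, approval bound to
    this exact change, valid signature, and per-role quotas all satisfied.
    """
    digest = change_digest(change)
    seen = set()
    counts = {role: 0 for role in REQUIRED_APPROVALS}
    for a in approvals:
        who = a.get("approver")
        if who not in APPROVER_KEYS:
            return False, f"unknown approver {who!r}"
        if who in seen:
            return False, f"duplicate approval from {who!r}"
        if a.get("digest") != digest:
            return False, f"approval by {who!r} is for a different change"
        role, key = APPROVER_KEYS[who]
        expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a.get("sig", "")):
            return False, f"bad signature from {who!r}"
        seen.add(who)
        counts[role] = counts.get(role, 0) + 1
    for role, needed in REQUIRED_APPROVALS.items():
        if counts.get(role, 0) < needed:
            return False, f"need {needed} {role} approvals, have {counts.get(role, 0)}"
    return True, "promote"


# Constructed sample change: a release stream plus the disclaimer text.
SAMPLE_CHANGE = {
    "stream": "core/release-2024.1",
    "disclaimer": "Teh bank is not liable for third-party delays.",
}


def demo() -> dict:
    """Run the gate through the scenarios a social engineer would care about."""
    full = [approve(n, SAMPLE_CHANGE) for n in ("alice", "bob", "carol", "dave")]
    partial = full[:3]                                  # one system manager short
    doubled = full[:2] + [full[2], full[2]]             # carol counted twice
    forged = full[:3] + [dict(full[3], sig="0" * 64)]   # dave's signature faked
    hotfix = dict(SAMPLE_CHANGE, disclaimer="The bank is not liable for third-party delays.")
    return {
        "full_quorum": gate(SAMPLE_CHANGE, full)[0],
        "one_short": gate(SAMPLE_CHANGE, partial)[0],
        "same_person_twice": gate(SAMPLE_CHANGE, doubled)[0],
        "forged_signature": gate(SAMPLE_CHANGE, forged)[0],
        "edited_after_signoff": gate(hotfix, full)[0],
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:22s} -> {'promote' if ok else 'blocked'}")
```

The last scenario is the "hotfix nightmare" from the comment: fixing one typo changes the digest, so every existing approval becomes an approval for a different change and the gate blocks until all sign-offs are collected again. That friction is the same property that stops one convinced system manager from being enough.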


True. This thread has me thinking about how a controlled social engineering hacking event might play out just for the sake of education and awareness. (especially since one of my clients got hit badly with a phishing attack recently...less than a single percentage 'success' rate by the attacker but still cost them almost $100K).

Tough problem.


There are commercially-available off-the-shelf phishing training services, such as https://www.knowbe4.com/phishing-security-test-offer .

Disclaimer: My employer has used this, but I was uninvolved with the choice and have no stake in knowbe4. Just using it as an example I have to hand. I believe there are quite a few choices.



