Sharon Conheady - Social Engineering for Penetration Testers

In recent years, people have become more familiar with the term "social engineering", the use of deception or impersonation to gain unauthorised access to resources from computer networks to buildings. Does this mean that there are fewer successful social engineering attacks? Probably not.

In fact, because computer security is becoming more sophisticated and more difficult to break (although this is still very possible), more and more people are resorting to social engineering techniques as a means of gaining access to an organisation's resources. Logical security is at a much greater risk of being compromised if physical security is weak and security awareness is low. Performing a social engineering test on an organisation gives a good indication of the effectiveness of current physical security controls and the staff's level of security awareness. But once you have decided to perform a social engineering test, where do you start? How do you actually conduct a social engineering test?

There are many different types of social engineering attacks, from mumble attacks (pretending to be speech impaired on the telephone) to ten attacks (using an attractive person to distract security) to reverse engineering (helping the target individual with a technical problem and then proceeding to elicit information from them). In my career, I mostly use social engineering for intrusion, gaining access to an organisation's building. Therefore, although I will describe a selection of attacks, my talk will focus on gaining entry to buildings. However, gaining entry to buildings more often than not involves identifying and communicating with a target individual or individuals by telephone / email / fax / etc., so I will touch briefly on these areas also.


After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128 bit encryption. She did this with no more than an abacus, a ball point pen and a large pad of paper. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel.

Not really. Sharon is a social engineer / penetration tester, currently working for the Attack & Penetration team at Ernst & Young in London. She holds a degree in Computer Science from Trinity College Dublin and a master's in Information Security from Westminster University London.