That said, if you're testing a company's security arrangements, it's often a good idea to probe that all-too-often weakest link. "Any idiot can call up an IT desk and get them to reset a password," laments Winkler. "Sadly, most of the time, it'll work."
And it's not always a lack of intelligence that proves to be the soft spot. Laziness, complacency, or disgruntlement may play a part, too. And of course, without training or testing, a social engineering attack may well be the furthest thing from an employee's mind. That's where you come in.
Do: Use the pretext that best suits the situation
To run a successful social engineering test, you need to perform a fast, on-the-fly analysis of the situation and respond accordingly.
The best and most experienced social engineers have a repertoire of well-rehearsed fictions from which to draw what they need when they need it. The ability to quickly identify a victim's personality type is also essential to choosing the best pretext for the job.
Over time, and with experience, accomplished social engineers can make such a determination within seconds. Sometimes, the situation may require you to make friends with and chat up an administrative assistant or receptionist. Other times, vinegar might get the job done better than honey: Winkler once managed to convince an IT worker to overnight him a laptop capable of connecting to a company's network simply by posing, over the telephone, as an angry executive on a business trip whose laptop had died.
In another example, Winkler explains, "I went into an organization and wanted to plant taps inside the network routers in this facility. I found this guy who had keys to the rooms," and pretended to be a corporate bigwig making an unannounced visit from the home office.
Winkler asked the IT guy for a tour, and as he showed Winkler each of the networking cabinets, Winkler managed to install the snooping hardware inside each. But then, suddenly, he thought he'd been made.
"This guy from security called, and asked the IT guy who I was," Winkler says. "He said I was this guy from corporate headquarters. The security guy comes over and asks, 'How come I wasn't informed that you were coming?' He didn't know me, didn't check that I was a real employee, and was more concerned with the internal politics of his company and those communication issues than the security issue of a random guy walking in off the street and getting a tour inside their facility."
Do: Anticipate how to react if caught, and prepare an exit strategy
If you test security defenses using social engineering long enough, without fail, you will at some point arouse suspicion and perhaps even get nabbed. To make sure you come away unscathed so that you can test again another day, consider in advance all the possible circumstances in which you might get caught and give thought to how you should respond.
The one universal rule is never to reveal your true motives or actions. For example, if you're pretending to be a contractor, you could feign ignorance of internal procedures, but you should do so without breaking character.
"If you've got to disengage [from a social engineering attempt] as someone would who is legitimate, you don't stop the act," Kaminsky says.
It's also essential to be aware of local laws so that you'll know what you're up against when performing a pretexting test. If you don't know the law, you could put yourself in a surprising degree of jeopardy. "In California, for example, you could be guilty of felony identity theft even if you have permission from the organization [to take credentials under false pretenses]," Winkler says.