The Social Engineering Toolkit's evolution, goals

Dave Kennedy, creator of social-engineer.org's social engineering toolkit, gives an overview of how the program was created, and how it is always changing to keep pace with crime

By Joan Goodchild , Senior Editor

April 26, 2012 — CSO —

Social engineering expert, Dave Kennedy, a veteran penetration tester and contributor to social-engineer.com, saw a gap in the tools available for security when it came to evaluating an organizations preparedness for social engineering attacks.

Two years ago, he built the first social-engineering toolkit, a free download on educational resource social-engineer.org.

Kennedy, who is also CSO at security systems vendor Diebold, spoke with CSO about how the toolkit was created and how it can help companies improve their security.

[Check out Kennedy's advice for making the most out of the toolkit in 3 tips for using the Social Engineering Toolkit]

CSO: Tell us about the origins of the social engineering toolkit.
Kennedy: Before I joined Diebold, I was heavy on the exploitation and penetration side of the house. We would perform pen tests for other companies and customers to try and identify weaknesses.

When I joined Diebold, Chris (Hadnagy, founder of social-engineer.com) and I were close to the social engineering aspect of security. We were seeing a big shift in the industry and we felt social engineering was going to be the very next wave of attacks coming on. No one was doing it as part of their pen testing, no one was incorporating it into the services they do or looking at it from that perspective.

From that [observation], the toolkit was born. I spent about two months writing it, initially. And when it became available, it just blew up. People were downloading and using it immediately, so there is obviously a huge interest in it.

Learn more about social engineering tricks and tactics

Besides addressing a need, what was your initial goal in creating it?
Really what it is designed to do is test the effectiveness of your education and awareness program and test the controls you have on your associates and employees. It is designed to make sure you can withstand a social-engineering attack and to see how well you do in one.

The tool is for pen testers, security researchers, folks that want to test how effective their awareness program is working. It does a lot of things, like bypasses antivirus and bypass security technologies. It has a lot of cutting-edge attack vectors so you can simulate a real world attack using different attack vectors. You can do spear phishing, you can do website attacks where it makes a website look legitimate but has a bunch of bad stuff on it. It has a lot of different techniques and is basically an all-encompassing tool for leveraging social engineering in penetration testing.

1 2 3 »

DATA PROTECTION ESSENTIAL READING

The challenge of true data protection spans databases, internal and external networks, physical and offsite storage, business partners and more. These resources offer expert perspective from the basics through specific key elements of data protection strategies.

Network security basics
Protection, detection, and reaction—those are the three underlying principles your security program must embody

Computer incident detection, response, forensics
Richard Bejtlich shows how to measure and improve the maturity of your incident response

A few good IT security metrics
Stop counting blocked malware attachments and measure things that can contribute to meaningful change

5 key cloud security trends
Cloud security is evolving rapidly—stay on top of it

» View All Data Protection Webcasts

Data Protection White Papers

» View All Data Protection White Papers

Attacks from China: A survival guide
Chinese cyberattack activity is back in the news this morning, with new details emerging on new attacks. Here's a collection of stories to help infosec pros better understand the threat.
#FFSec: Infosec pros who bring value to Twitter
B-Sides Boston is Saturday

More Salted Hash with Bill Brenner

White Papers

Protection for Every Enterprise: How BlackBerry 10 Security Works

Detecting and Stopping Advanced Attacks

Securing Virtual Machines and Desktops

2013 Server Security Research Report

Advanced Protection Against Advanced Threats

Advanced Threat Landscape: What Organizations Need To Know

Enhancing Security Through a Trust-Based Approach

IDC - SAP Enterprise Mobility: Bringing a Cohesive Approach to a Complex Market

A Comprehensive Strategy to Leverage Mobile

Navigating the New Mobile World

The App Happy Enterprise

Data loss prevention: Refreshing data security to meet an evolving threat environment

Two-Factor Authentication

DLP Is Not Just Good for Business, It's Vital for Business

Expert Help to Assess Your Data Loss Risks

Harvard Business Review: How Mobility is Changing the World

How Mobility is Changing the Enterprise

Mobile Commerce: The Path to Customer Engagement

How Mobility is Transforming Industries

Delivering on the Promise of Mobile ROI

More White Papers »

The Social Engineering Toolkit's evolution, goals

Dave Kennedy, creator of social-engineer.org's social engineering toolkit, gives an overview of how the program was created, and how it is always changing to keep pace with crime

By Joan Goodchild , Senior Editor

[Check out Kennedy's advice for making the most out of the toolkit in 3 tips for using the Social Engineering Toolkit]

Network security basics
Protection, detection, and reaction—those are the three underlying principles your security program must embody

Computer incident detection, response, forensics
Richard Bejtlich shows how to measure and improve the maturity of your incident response

A few good IT security metrics
Stop counting blocked malware attachments and measure things that can contribute to meaningful change

5 key cloud security trends
Cloud security is evolving rapidly—stay on top of it

Database security: At rest, not at risk

IT risk assessment frameworks

How to do end-to-end encryption

The Social Engineering Toolkit's evolution, goals

Dave Kennedy, creator of social-engineer.org's social engineering toolkit, gives an overview of how the program was created, and how it is always changing to keep pace with crime

By Joan Goodchild , Senior Editor

[Check out Kennedy's advice for making the most out of the toolkit in 3 tips for using the Social Engineering Toolkit]

Network security basics Protection, detection, and reaction—those are the three underlying principles your security program must embody

Computer incident detection, response, forensics Richard Bejtlich shows how to measure and improve the maturity of your incident response

A few good IT security metrics Stop counting blocked malware attachments and measure things that can contribute to meaningful change

5 key cloud security trends Cloud security is evolving rapidly—stay on top of it

Database security: At rest, not at risk

IT risk assessment frameworks

How to do end-to-end encryption

Network security basics
Protection, detection, and reaction—those are the three underlying principles your security program must embody

Computer incident detection, response, forensics
Richard Bejtlich shows how to measure and improve the maturity of your incident response

A few good IT security metrics
Stop counting blocked malware attachments and measure things that can contribute to meaningful change

5 key cloud security trends
Cloud security is evolving rapidly—stay on top of it