Thursday

Social engineering pentesting against your employees (UPDATED)

One of the main points of my presentation at the security conference was that social engineering has become an important part of phishing and targeted attacks. You can patch your systems against vulnerabilities, but you cannot patch your employees (that would be a nice feature).
Results of user awareness sessions may not be perfect all the time. But what about pentesting as a form of user awareness training? We do pentests against the infrastructure, so why don't we do them against the people, and not just as an add-on to normal pentests? Employees are as much a part of the security process as the infrastructure. Some food for thought.
Anyway, here is a very interesting article from Lenny Zeltser: How to integrate social engineering into an information security assessment.

Research and design a scenario

You can get creative with scenarios that help achieve your goals, whether performing the test via email, phone, postal mail, instant messenger or in person. You will need to research the organization if you do not already understand its business, jargon, corporate hierarchy and social structure.

Next, you will need to think like an attacker, exploiting people's psychological inclinations such as:

  • People want something for nothing: "You won the office raffle! Click here to claim your gift."
  • People empathize with those in trouble: "Please reset my password. My boss will kill me if I don't submit the time sheet in time!"
  • People reciprocate a favor: You picked up the papers the person dropped; he holds the door to let you in.

Your scenario should specify the individuals or groups designated for social engineering, timing of the test, location, and persuasion tactics. Account for laws, contractual commitments, policies, and the company's culture. Also consider the possibility of something going wrong, and define back-out and escalation procedures.

Read full article. Note to self, I must bump up "The Art of Deception: Controlling the Human Element of Security" on my reading list.

Previous articles:
UPDATED: Johnny Long from ihackstuff.com has released a book: No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing (Amazon.com)
