Social Engineering Testing

During Social Engineering testing, we try to manipulate a company's employees into allowing unauthorised access to confidential information.

This allows the organisation to test its Information Security policy and its employees' compliance with that policy.

With this sort of test, an organisation can identify failure points and train its staff in order to prevent an actual breach.

Social engineering tests may be onsite or remote, and several techniques apply to each option.

In onsite engagements the goal is to gain physical access in order to obtain records, files and/or devices that may contain confidential information.

The onsite engagement techniques typically include:

  • Dumpster diving
  • Trusted Authority disguises, such as fire inspectors, air conditioning repair technicians, pest control technicians, etc.
  • Employee Impersonation (IT HelpDesk, New Hire and Auditor)

The onsite engagement tests for the following vulnerabilities:

  • Proper Disposal of Sensitive Data
  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Sensitive Area Security
  • Device/System Compromise
  • Technical Preventive and Detective Controls

The remote Social Engineering engagement involves the manipulation of the organisation's staff by telephone or email in an attempt to get employees to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information.

The remote engagement techniques typically include:

  • Pretext Calling (e.g. employees and Help Desk teams)
  • Phishing: email based (attempting to get employees to log in to organisation-branded portals)
  • Physical honeypots (CDs and USB keys: planted items used to lure employees into running payloads)

The remote engagement can include tests for the following:

  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Privacy Filtering
  • Technical Preventive and Detective Controls

Why Should I Perform Social Engineering Testing?

Social Engineering testing allows organisations to test their response to an active attack and to measure the effectiveness of the Information Security Awareness of their employees.