Why do I need a social engineering exercise?
Criminal hacking is no longer a purely technical activity. As awareness of technical
security issues and their countermeasures has improved, attackers are increasingly employing other
methods to circumvent security controls, such as exploiting unsuspecting users via social engineering.
The approach of purchasing individual "silver bullet" solutions like firewalls and
IDS must be replaced by a holistic view of security that embraces technology, physical controls and people too. No
matter how effective network security controls may be, if an organisation falls victim to a well-executed
social engineering attack, its key business information assets will be at risk.
The problem is that staff awareness of social engineering tends to be weak, leaving most organisations open
to abuse both remotely and in person. But how security-aware are your staff? How do you test your "human firewall"?
Our Social Engineering Services
Our approach is a positive mechanism to drive cultural change within an organisation. When used as part of an
internal security awareness campaign, it has been demonstrably effective in communicating the security message to staff at all levels
of the business. Below is an outline of the type of services we can undertake:
- On-line research to gain a background of the organisation, including:
  - Key employee names and roles
  - Employee LinkedIn profiles, Facebook pages, etc.
  - Employee dress codes
  - Known suppliers and utilities providers
  - Ownership and lessor of building (if appropriate)
  - Satellite view and street view of building
  - Investigation of remote access, company portals, etc.
- Attempt to acquire sensitive and / or confidential information by telephone and email:
  - Identify target email addresses and telephone numbers
  - Call target employees to obtain information
  - Design a fake website to capture information from target individuals
  - Send personalised emails to each target to entice them to visit the fake website
  - Analyse the results to determine how many individuals visited the site
  - Analyse the results to determine what sensitive information was disclosed
- Attempt to gain access to head office building:
  - Conduct on-site research and reconnaissance of target office
  - Identify weaknesses in building and office security
  - Check employee movements, dress codes, lunch breaks, etc.
  - Draft plan of on-premises attack, including roles for testers to impersonate
  - Create fake ID badges, business cards, props and uniforms as necessary (e.g. hi-visibility jacket, toolbox, etc.)
  - Initial attempt at building access, updating and adjusting the plan of attack as necessary
  - If successful, the first tester attempts to facilitate access for the second tester. If unsuccessful, the second tester attempts access by alternate means
- Attempt to connect to network and discover sensitive and valuable information:
  - Attempt to access network with laptop or remote-control device, or to subvert access using a legitimate device
  - Attempt exfiltration of network data
  - "Plant a flag" to demonstrate that we have achieved access in a number of sensitive locations