First Base Technologies

Contact Us
Phone 01273 454525

Social Engineering Services

Why do I need a social engineering exercise?

Criminal hacking is no longer a purely technical activity. As awareness of technical security issues and their countermeasures has improved, attackers are increasingly employing other methods to circumvent security controls - such as exploiting unsuspecting users via social engineering.

The approach of purchasing individual "silver bullet" solutions like firewalls and IDS must be replaced by a holistic view of security that embraces technology, physical controls and people too. No matter how effective network security controls may be, if an organisation falls victim to a well-executed social engineering attack, key business information assets will be at risk.

The problem is that staff awareness of social engineering tends to be weak, leaving most organisations open to abuse both remotely and in person. But how security aware are your staff, and how do you test your "human firewall"?


Our Social Engineering Services

Our approach is a positive mechanism to drive cultural change within an organisation. When used as part of an internal security awareness campaign, it has been demonstrably effective in communicating the security message to staff at all levels of the business. Below is an outline of the type of services we can undertake:

  • On-line research to gain a background of the organisation, including:
      • Key employee names and roles
      • Employee LinkedIn profiles, Facebook pages, etc.
      • Employee dress codes
      • Known suppliers and utilities providers
      • Ownership and lessor of building (if appropriate)
      • Satellite view and street view of building
      • Investigation of remote access, company portals, etc.
  • Attempt to acquire sensitive and / or confidential information by telephone and email:
      • Identify target email addresses and telephone numbers
      • Call target employees to obtain information
      • Design a fake website to capture information from target individuals
      • Send personalised emails to each target to entice them to visit the fake website
      • Analyse the results to determine how many individuals visited the site
      • Analyse the results to determine what sensitive information was disclosed
  • Attempt to gain access to head office building:
      • Conduct on-site research and reconnaissance of target office
      • Identify weaknesses in building and office security
      • Check employee movements, dress codes, lunch breaks, etc.
      • Draft plan of on-premises attack, including roles for testers to impersonate
      • Create fake ID badges, business cards, props and uniforms as necessary (e.g. hi-visibility jacket, toolbox, etc.)
      • Initial attempt at building access, updating and adjusting the plan of attack as necessary
      • If successful, the first tester attempts to facilitate access for the second tester; if unsuccessful, the second tester attempts access by alternate means
  • Attempt to connect to the network and discover sensitive and valuable information:
      • Attempt to access the network with a laptop or remote-control device, or to subvert access using a legitimate device
      • Attempt exfiltration of network data
      • "Plant a flag" to demonstrate that we have achieved access in a number of sensitive locations
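The two analysis steps in the telephone-and-email stage (how many individuals visited the fake site, and how many went on to disclose information) come down to counting distinct employees per event type in the exercise's own log, so that the awareness report can show each department its own figures and name the individuals who need a one-to-one debrief. The script below is an added illustration and is not First Base's code or tooling; the CSV layout, the event names and the sample rows are all constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample event log from a simulated phishing exercise (not real
# data). One row per event. A "form_submitted" row records only THAT the
# employee typed something into the fake site, never the value itself, so the
# exercise report never holds a real password.
SAMPLE_LOG = """\
timestamp,employee_id,department,event
2015-03-02T09:01:00,E001,Finance,email_sent
2015-03-02T09:01:00,E002,Finance,email_sent
2015-03-02T09:01:00,E003,Finance,email_sent
2015-03-02T09:01:00,E004,IT,email_sent
2015-03-02T09:01:00,E005,IT,email_sent
2015-03-02T09:14:12,E001,Finance,link_visited
2015-03-02T09:15:40,E001,Finance,form_submitted
2015-03-02T09:22:03,E002,Finance,link_visited
2015-03-02T10:05:19,E004,IT,link_visited
2015-03-02T10:05:50,E004,IT,link_visited
2015-03-02T11:30:00,E005,IT,reported_to_security
"""

# Event vocabulary assumed for this example.
EVENTS = ("email_sent", "link_visited", "form_submitted", "reported_to_security")


def summarise(log_text):
    """Return {department: {"targeted", "visited", "submitted", "reported"}}.

    Each employee is counted at most once per event type: E004 opened the
    link twice but is one visitor, which is the figure the report needs.
    """
    seen = defaultdict(set)  # (department, event) -> set of employee ids
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] not in EVENTS:
            raise ValueError("unknown event type: %s" % row["event"])
        seen[(row["department"], row["event"])].add(row["employee_id"])

    summary = {}
    for dept in sorted({d for d, _ in seen}):
        summary[dept] = {
            "targeted": len(seen[(dept, "email_sent")]),
            "visited": len(seen[(dept, "link_visited")]),
            "submitted": len(seen[(dept, "form_submitted")]),
            "reported": len(seen[(dept, "reported_to_security")]),
        }
    return summary


def rate(part, whole):
    """Percentage to one decimal place; 0.0 when nobody was targeted."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def follow_up(log_text):
    """Employee ids who submitted the form: the people who get a personal
    debrief, as opposed to the whole department getting the general message."""
    ids = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] == "form_submitted":
            ids.add(row["employee_id"])
    return sorted(ids)


def report_lines(log_text):
    """One line per department with visit, disclosure and reporting rates."""
    lines = []
    for dept, s in summarise(log_text).items():
        lines.append(
            "%s: %d targeted, %.1f%% visited, %.1f%% disclosed, %.1f%% reported it"
            % (dept, s["targeted"],
               rate(s["visited"], s["targeted"]),
               rate(s["submitted"], s["targeted"]),
               rate(s["reported"], s["targeted"]))
        )
    return lines


if __name__ == "__main__":
    for line in report_lines(SAMPLE_LOG):
        print(line)
    print("Follow up individually:", ", ".join(follow_up(SAMPLE_LOG)))
```

Counting distinct employees rather than raw hits matters because a single curious user who reloads the page would otherwise inflate the visit rate; and tracking "reported to security" alongside "visited" is what turns the exercise into a positive message, since the employees who raised the alarm are the behaviour the awareness campaign wants to reinforce.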

More Information

Please see our Security Awareness page for more information about that service.



© 2001-2015 First Base Technologies LLP - All Rights Reserved.
First Base Technologies LLP is a limited liability partnership registered in England & Wales, number: OC352070