Social Engineering Penetration Testing
Social engineering is one of the fastest-growing security risks today. In fact, the FBI’s 2019 Internet Crime Complaint Incident Report notes that companies lost an alarming $57,836,379 as a result of social attacks, which include vishing and phishing. This report confirms that criminals actively target the human network via social engineering.
In a social engineering attack, criminals use social skills such as influence tactics to elicit information about an organization or its computer systems. We define social engineering as “any act that influences a person to take an action that may or may not be in their best interest”. In view of this, at Social-Engineer we study the psychological, physiological, and technological aspects of influence. We use our unique insights to provide realistic simulated social engineering attacks. Our cutting-edge approach, which combines the human network with the digital one, provides your organization with the optimal security awareness training.
Social engineering attacks come in a variety of forms, but the most common are phishing, vishing, smishing, impersonation, dumpster diving, USB drops, and tailgating.
Phishing is a method that occurs via email and attempts to trick the user into giving up sensitive information or opening a malicious file that can infect their machine.
Vishing is similar to phishing but occurs via phone calls. These phone calls attempt to trick the user into giving up sensitive information.
Smishing is similar to phishing but occurs via SMS text messages. These text messages have the same intent as phishing.
Impersonation is a method where the attacker attempts to fool a person into believing they are someone else. For example, an attacker could impersonate an executive with the goal of convincing employees to provide financial payments to fictitious vendors or to grant access to confidential information.
An impersonation attack could also target a user with the goal of gaining access to their account. This could be accomplished by requesting a password reset without the administrator verifying the requester’s identity. Another example of this attack would be pretending to be a delivery person. In some cases, delivery personnel face few restrictions and can gain access to secure areas without question.
Dumpster diving is a method where an attacker goes through not only trash but other items in plain sight, such as sticky notes and calendars, to gain useful information about a person or organization.
USB drops are a method that uses malicious USB drives dropped in common areas throughout a workspace. The USB drives typically contain software that, when plugged in, installs malicious software that can provide a backdoor into a system or transfer files with common file extensions.
Tailgating is a method that is used to bypass physical security measures. You typically see this method used in locations that require a person to scan a key fob to gain entrance. In this type of attack, the attacker will follow closely behind an employee and enter the room when they scan their key fob and open the door.
Users are commonly referred to as the “weakest link” when it comes to security, yet users still have more than the necessary permissions to perform their jobs.
So it would only make sense to pen test those users. These pen tests can show who within a company is susceptible to the attacks previously discussed and more.
Social engineering pen tests are typically done in a hybrid fashion combining on-site and off-site tests.