Social Engineering (SE), a part of a full and holistic penetration test, is a blend of science, psychology and art. While it is fascinating and complex, it is in many situations very easy to perform. By manipulating a person, a skilled attacker can gain information, access restricted material or locations, or even delegate malicious acts to a person. In other words, with social engineering an attacker can find ways to bypass the technical defenses in place to protect your business.
Any act that influences a person to take an action that may or may not be in their best interest.
In the context of information security, Social Engineering, also sometimes called "human hacking", is a frequently used attack method that targets the human factor as the weakest link in the defense chain. It exploits the natural trust and desire to be helpful of employees or users in order to breach security where technical methods failed. Attacks include phishing mails, dropping a USB stick in front of an office building, or walking into an office as if you worked there every day or were dressed as the janitor, amongst many others.
Social Engineering poses a real threat to businesses, one that is often overlooked or dismissed as unlikely to happen. It is not unusual for devices within the corporate network to be considered trustworthy, yet walking into an office and plugging into one of the many network ports is not as hard as it initially sounds, and the bigger the office, the easier it gets.
To effectively strengthen your defense on every level, your employees need to know how to detect and react to each of the following scenarios, amongst others, as well as where to report them.
To extract information, walking through an office can be enough. Information can be obtained through shoulder surfing, from black boards, ongoing presentations, dashboards, sticky notes and documents on desks.
Stealing documents is a sure way to get valuable information. Documents on desks, unlocked workstations, thumb drives, optical media or even backup disks are easy prey for someone on the inside.
Installing keyloggers or malicious thumb drives, or deploying devices that record audio, can provide the attacker with remote access or even login credentials to certain applications.
Testing the physical security of your office and the behavior of your employees towards intruders is one way to test for social engineering. But not all social threats come through personal contact: phishing campaigns and information reconnaissance through email and social media platforms are another risk factor that has to be addressed.
Reconnaissance is a vital part of every planned attack. By following the trail of pieces of information that your company and employees unknowingly leave behind, we can put together the puzzle that is your company's information exposure.
Phishing messages are attempts to trick users into committing an act, such as clicking on a malicious link, downloading a virus, changing security settings to unknowingly weaken a system, or logging in on fake replicas of websites.
The more data is collected during reconnaissance, the more precise (spear) phishing attacks can get. By learning about the hobbies, likes and dislikes of high-level employees, the success rate is much higher than with group-based phishing attacks.
Our Social Engineering services show your weak points and teach your employees which behavior is risky and why. They are a great addition to awareness training, to test how the behavior of participants has changed and to remind them how these attacks can often lead to security breaches despite all the technical defensive measures.
Your employees are the best at noticing anomalies. Teach them how to handle issues properly and they will become part of your defense.
Awareness is something that has to be taught over time, but in return employees learn to act correctly on instinct and where to report anomalies, sharply raising the security consciousness and detection capabilities of your company.