Social Engineering

What is Social Engineering?

Social engineering refers to any technique used by a threat actor that focuses on people and process, rather than on technology. The objective of a social engineering attack typically includes manipulating people into divulging confidential information or performing an activity that benefits the attacker, preferably without those people realizing. It is a common requirement of information security programs to replicate the threat of social engineering attacks through regular penetration tests.

Security testing will never be an exact science where a complete list of all possible issues that should be tested can be defined. Indeed, security testing is only an appropriate technique for testing the security of web applications under certain circumstances. Our penetration test team will push your system to its limits in a barrage of simulated cyber attacks, discovering every possible vulnerability so that your organization gets the complete picture and 100% of your data is safe.

Why is Social Engineering Testing important?

People are often more susceptible to compromise than technology, and they represent a direct entry point into a target network. Consequently, threat actors often find success when targeting people and processes. Meanwhile, it’s common for organizations to focus on securing their technology. While technology is very important, it doesn’t represent the entire attack surface of a given organization. Including social engineering tests in an information security program gives more complete assurance against real-world threats.

A successful social engineering penetration test has well-defined objectives and covers several approaches. These include remote techniques that leverage email, text message, phone call and even post. For complete coverage, in-person techniques that achieve physical access should also be conducted. When all these approaches are included in a social engineering test, a true picture of strengths and weaknesses, as it relates to people, begins to emerge.

Benefits of social engineering tests include:

  • Identify vulnerabilities relating to attacks that leverage people and process.
  • Understand the likely impact of an attacker that uses social engineering.
  • Gain insight into what people and process defenses are currently working well.
  • Get assurance that includes consideration of real-world threats such as phishing.

Organizations that include social engineering threats in their assurance program tend to receive greater insights into their overall information security posture. It is becoming increasingly common for assurance programs to require that people and process are thoroughly tested on a regular basis, because that’s what attackers are targeting too.

In the past, it was common for attackers to focus on Internet-facing infrastructure for their attacks. Technology was generally not well defended, and focusing on it was low risk and high reward for most attacker objectives. Times have changed. Technology is typically better defended, and attackers are finding more success when targeting people and process. This shift has occurred, but many organizations have failed to keep their threat model up to date.

Did you know:

  • Social engineering attacks were responsible for the theft of over $12 billion worldwide during a recent three-year period.
  • 55% of all emails are spam.
  • 97% of all attacks use some form of social engineering!

It’s clear that social engineering is a real-world threat. The impact and likelihood of such an attack succeeding against an organization typically needs to be understood. A social engineering test hands that knowledge to an enterprise and helps feed into a robust cyber security strategy.

30000 +
Hours Security Experience

It takes 10 000 hours to become a world-class expert. This became possible because we adore our work.

120 +
Happy clients

We are a preferred provider of cyber security services and products. Strong cyber security is a revenue generator.

300 +
Penetration tests

We have found more than a thousand vulnerable web sites, applications and devices.

1000 +
Protected

More than a thousand protected websites, applications and devices from criminals and malicious software attacks.

There is a wide range of social engineering techniques. Attacks can be carried out by e-mail (phishing), telephone or physical intrusion. They are generally based on a set of different techniques combining IT and relational skills: phishing and spear phishing, clones of interfaces, malware, malicious devices, impersonation, spoofing of phone numbers, manipulation and persuasion, dumpster diving, etc.

Phishing and spear-phishing tests

Phishing is the most common type of attack. It is both simple to implement and potentially very effective.

It is an e-mail attack, which can be sent to a large number of people (phishing) or to a much smaller number of targets (spear phishing). Phishing e-mails usually contain links that redirect the recipient to fake web pages (clones) or malware that can be sent as an attachment or a download link.

The most sophisticated phishing emails are personalized to be credible: a realistic situation for the targets of the email, identity theft in order to pretend to be a trustworthy person, a phone call accompanying the email in order to reinforce the legitimate appearance of the request, etc.

A social engineering audit can include different phishing scenarios of progressive difficulty in order to train employees to detect increasingly sophisticated threats.

Vishing tests

Vishing (voice phishing) is the telephone equivalent of phishing. This type of attack does not usually target a large number of people, but it can provide sensitive information that victims would not have normally agreed to communicate by e-mail (for example: passwords).

The basic principle is to establish a relationship of trust through conversation. This requires the attacker to have capacities for listening, argumentation and persuasion. The most sophisticated attacks are based on identity theft as well as spoofing the number of the person the attacker claims to be.

A social engineering audit may include vishing to complement phishing attacks. This makes employees aware of other types of threats that are more insidious and more difficult to detect. Phishing and vishing attacks are major threats because they can be carried out by a large number of attackers as they do not require physical access to the premises of the targeted company.

Physical penetration tests

Physical intrusion is an even more sophisticated form of attack, by an attacker who is willing to spend more time and take more risks to target a company.

In this type of attack, the principle is to break into the company by posing as a legitimate visitor: technician, service provider, employee, etc. The attacker may then seek to obtain confidential information by various means: stealing machines, connecting to the internal network, distributing USB keys infected by malware, manipulating employees, accessing a server room, etc.

In a security audit, physical penetration tests can be used to evaluate physical access systems, control procedures, information barriers, and employees’ reflexes when they are faced with an unknown person.

Baiting

This is where a user is enticed to do something for the attacker based on bait. For example, a USB stick could be left in a parking lot with the hope that a target person will pick it up and plug it into their laptop. The stick could be of high value and contain interesting-looking files, which are really malware. A more targeted version of this could be using snail mail to post something to a target person, perhaps with a pretext of it being a prize (nice packaging goes a long way) or having been sent from someone they know.

Tailgating

This is one of many forms of physical social engineering. Physical social engineering often has the objective of introducing something malicious to a building, such as malware, or removing something valuable, such as sensitive paperwork. Tailgating is the act of waiting for an authorized person to access a restricted area and following them through closely before the restriction (e.g. a door) re-engages.

There are many other types of social engineering; the ones described here are intended to give a flavour of what attackers typically do.
A social engineering test will use one or more techniques like those described in order to test the protections provided not only by technology, but also by people and process. There must be clear objectives and rules of engagement, and it must be carried out by a reputable firm that understands risk reduction and is familiar with local laws.

What Are the Stages of Pen Testing?

Through penetration testing, you can proactively identify the most exploitable security weaknesses before someone else does. However, there’s a lot more to it than the actual act of infiltration. Pen testing is a thorough, well thought out project that consists of several phases:

1. Planning and Preparation

Before a pen test begins, the testers and their clients need to be aligned on the goals of the test, so it’s scoped and executed properly. They’ll need to know what types of tests they should be running, who will be aware that the test is running, how much information and access the testers will have to start out with, and other important details that will ensure the test is a success.

2. Discovery

In this phase, teams perform different types of reconnaissance on their target. On the technical side, information like IP addresses can help determine information about firewalls and other connections. On the personal side, data as simple as names, job titles, and email addresses can hold great value.

3. Penetration Attempt and Exploitation

Now informed about their target, penetration experts can begin to attempt to infiltrate the environment, exploiting security weaknesses and demonstrating just how deep they can go.

4. Analysis and Reporting

Pen testers should create a report that includes details on every step of the process, highlighting what was used to successfully penetrate, what security weaknesses were found, other pertinent information discovered, and recommendations for remediation.

5. Clean Up and Remediation

Pen testers should leave no trace, and need to go back through systems and remove any artifacts used during the test, since they could be leveraged by a real attacker in the future. From there, an organization can begin to make the necessary fixes to close these holes in their security infrastructure.

6. Retest

The best way to ensure an organization’s remediations are effective is to test again. Additionally, IT environments, and the methods used to attack them, are constantly evolving, so it is to be expected that new weaknesses will emerge.

What are the different types of penetration tests?

BLACK BOX TEST

Also known as a blind test. Requires zero knowledge of the company’s assets. Penetration testers perform a complete reconnaissance phase to uncover the company’s assets, pick their own path around security controls and execute a strategy of their own.

GRAY BOX TEST

In this type of test, the penetration tester knows the role of the system and its functionality, and also knows (though not extensively) its internal mechanisms.

WHITE BOX TEST

The term “white box testing” was originally used to describe a form of software testing where detailed information on the software application was provided to the person reviewing the code. The same principle can be applied to other areas of review, such as social engineering testing.

We generally recommend a white box methodology if you’ve never had a social engineering penetration test before. This allows us to assess your technology first and give you a matrix of the success of different attacks vs different parts of your defensive technology. Then you know what’s possible in theory. With that out of the way, we put the theory into practice and use known weaknesses against people. It is unwise to think of people, process and technology as unrelated, and by using this approach you get a sense of security posture over the three as a whole. This type of approach typically gives more thorough assurance levels.

For organizations that are more concerned with what a particular threat actor could likely do without any prior or inside knowledge, a black box approach can be more appropriate. This may give you less information at the end of the engagement, but it will more closely replicate an outside threat.

Our Advantages

Our cyber security team will push your system to its limits in a barrage of simulated cyber attacks, discovering every possible vulnerability so that your organization gets the complete picture and 100% of your data is safe.

  • Superior Skills and Experience
  • Reputation
  • Competitive Pricing
  • Results Designed For Real Decisions

Find the Risks. Understand the Consequences. Sleep better.