Staff training and education are always the weakest link in an information security program, so attackers often go after your employees with social engineering attacks. Social engineering is highly effective against untrained employees, and it also bypasses the security technology you have put in place. Yet social engineering is the aspect of an information security program least likely to be tested.
Social engineering attacks rely on human habit and behavior, taking advantage of regular communication to gain unauthorized access or information from a target. We offer social engineering assessments to identify vulnerabilities in your organization and a defensive training plan to help you protect yourself further.
For pretext calling assessments, we test the effectiveness of your security training by calling employees, impersonating a trusted partner or fellow employee, and attempting to get the targets to break security protocol by supplying unauthorized information or access. Because phone calls are personal by nature, pretext calling is highly effective at exposing gaps in employee security training.
PRETEXT CALLING CASE STUDY:
A social engineering client provided the names and phone numbers of 30 employees, which we used to research the targets in public sources such as Facebook and LinkedIn. Using the personal details and habits we identified, we approached each individual with a unique pretext designed to persuade them to hand over company information. At the completion of the assessment, nearly 70% of the selected users had broken protocol and provided sensitive data.
Phishing is one of the most common social engineering techniques, and is a very common method for attackers to obtain internal network access. Phishing uses malicious e-mails and links which trick users into downloading malware or providing sensitive information such as user credentials.
As part of our social engineering assessments, we create a social engineering plan, send your targeted employees phishing e-mails, and report on the response. Once complete, we help you build a training plan of targeted information to help employees identify potential phishing attacks and protect both the company and themselves.
PHISHING CASE STUDY:
For a large social engineering campaign, we first sent our social engineering client's employees phishing e-mails carrying malicious attachments from a public IP address; the e-mail server flagged and rejected them. Next, we sent e-mails containing a non-malicious link to a page impersonating the company's Outlook Web App, which successfully reached its users. This directed attack bypassed the spam and malware filters with ease, collecting passwords from almost 80% of the 100 targeted employees.
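The Outlook Web App lookalike described above got through because the link itself carried no malware; the defensive check that would have caught it is a comparison of the link's hostname against the organization's real webmail hosts. The following is an added example written for this page, not code from the firm described here: it pulls URLs out of a message body and flags hosts that are IP literals, that sit within a small edit distance of a legitimate registrable domain, or that carry a webmail brand token on an untrusted domain. The host names `mail.example-corp.com` and `outlook.office365.com` on the allowlist and the sample message bodies are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the hosts where this (assumed) organization
# legitimately serves webmail. Anything else claiming to be webmail is suspect.
LEGIT_HOSTS = {"mail.example-corp.com", "outlook.office365.com"}

# Constructed brand tokens that phishing pages commonly put into the hostname.
WEBMAIL_TOKENS = {"owa", "outlook", "webmail"}
BRAND_NAME = "example-corp"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a hostname, e.g. login.mail.example.com -> example.com.
    (A real deployment would use the public suffix list; two labels is an
    assumption that is fine for .com-style domains.)"""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Return a reason string if host looks like a webmail lookalike, else None."""
    host = host.lower()
    if host in LEGIT_HOSTS:
        return None
    legit_domains = {registrable_domain(h) for h in LEGIT_HOSTS}
    if IPV4_RE.fullmatch(host):
        return "ip-literal host"
    dom = registrable_domain(host)
    if dom in legit_domains:
        return None  # another host on a domain the organization already trusts
    for ld in legit_domains:
        if levenshtein(dom, ld) <= 2:
            return f"lookalike of {ld}"
    pieces = set(re.split(r"[.-]", host))
    if BRAND_NAME in host or pieces & WEBMAIL_TOKENS:
        tok = BRAND_NAME if BRAND_NAME in host else sorted(pieces & WEBMAIL_TOKENS)[0]
        return f"brand token '{tok}' on untrusted domain"
    return None


def triage_email(body):
    """List of (url, reason) pairs for every suspicious link in a message body."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        reason = classify_host(host)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    samples = [
        "Reminder: sign in at https://mail.example-corp.com/owa/ before Friday.",
        "Your mailbox is full. Verify now: https://mail.example-c0rp.com/owa/",
        "Password expiring: http://owa-login.secure-portal.net/",
        "Urgent: http://203.0.113.10/owa",
    ]
    for body in samples:
        print(body)
        for url, reason in triage_email(body):
            print(f"  FLAG {url} -> {reason}")
```

The edit-distance check is what catches the `c0rp` substitution in the case study; the brand-token check catches the more common pattern of a webmail word stuffed into a freshly registered domain. A mail gateway or SOC enrichment job can run this over inbound messages and route hits to a quarantine or analyst queue rather than relying on the attachment scanner alone.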
ON-SITE PHYSICAL PENETRATION TESTING
On-site physical penetration attacks involve gaining access to the organization's physical buildings and datacenters. Whether by picking open a locked door or by posing in plain sight as someone who belongs in the office, unauthorized physical access to systems can be devastating to businesses of all sizes. With a team of highly trained physical security professionals, we identify, analyze, and provide remediation for weaknesses in your organization's security architecture.
ON-SITE CASE STUDY:
An on-site social engineering client asked us to test their physical security against social engineers and intruders. Posing as company employees at closing time, our security experts gained access to the building by claiming to have forgotten something inside. Within minutes, we were able to install network backdoors, identify sensitive documents, and even compromise the company database, ultimately gaining access to millions of customer records.