SOCIAL ENGINEERING

Social engineering refers to any technique used by a threat actor that focuses on people and process, rather than on technology.

The objective of a social engineering attack typically includes manipulating people into divulging confidential information or performing an activity that benefits the attacker, preferably without those people realizing.

Today, it is recognised as one of the greatest security threats facing organisations.

Benefits of social engineering testing

People are often more susceptible to compromise, compared to technology, as they represent a direct entry point into a target network. In the meantime, it’s common for organizations to focus on securing their technology. While technology is very important, it doesn’t represent the entire attack surface of a given organisation. Including social engineering tests in an information security program gives more complete assurance against real world threats.

This type of engagement can also be used to satisfy regulatory or compliance requirements around Security Awareness Training (SAT), as well as assessing technical controls and incident response procedures.

 

Types of testing

A successful social engineering testing program has well defined objectives and covers several approaches including both remote and physical. Remote social engagement can take the following approaches:

Phishing: The most common threat. Attacks are not targeted and may be directed at multiple users. EDGENETIC will devise a scenario and capture statistics such as the number of e-mails delivered, how many were opened and whether malicious links were clicked. EDGENETIC will also provide information on whether any credentials were harvested.

Spear-phishing: Highly targeted attacks making extensive use of information gathered via enumeration/reconnaissance or threat intelligence. Typically associated with Red Teaming.

Whaling: Phishing attacks targeted at senior members of an organisation. Again, typically associated with Red Teaming.

Vishing: Voice phishing. EDGENETIC consultants can attempt to coerce employees such as those working on a helpdesk to reveal sensitive information.

 

 

Physical social engineering engagements can include:

– Tailgating
– Employee Impersonation
– Posing as a 3rd Party
– Identifying CCTV Weak Points
– Access into Buildings
 

Benefits of social engineering tests include:

– Identify vulnerabilities relating to attacks that leverage people and process.

– Understand the likely impact of an attacker that uses social engineering.

– Gain insight into what people and process defences are currently working well.

– Get assurance that includes consideration of real-world threats such as phishing.

Organizations that include social engineering threats in their assurance program tend to receive greater insights into their overall information security posture. It is becoming increasingly common for assurance programs to require that people and process are thoroughly tested on a regular basis, because that’s what attackers are targeting too.

The Problem

In the past, it was common for attackers to focus on Internet facing infrastructure for their attacks. Technology was generally not well defended and focusing on it was low risk and high reward for most attacker objectives. Times have changed. Technology is typically better defended, and attackers are finding more success when targeting people and process. This shift has occurred, but many organizations have failed to keep their threat model up to date.

 

About the Service

Social engineering attacks are commonplace and take various forms. Examples include:

A social engineering test will use one or more techniques like those described in order to test the protections provided not only by technology, but also by people and process. There must be clear objectives and rules of engagement, and it must be carried out by a reputable firm that understands risk reduction and is familiar with local laws.

A World Leader in CREST Accreditations

Get a free quote

We are proud to be one of the few global companies that is fully certified by The Council of Registered Ethical Security Testers (CREST) across all key disciplines.

The Council of Registered Ethical Security Testers (CREST)