Assessing security resilience against social engineering attacks
Social engineering encompasses email phishing, telephone phishing and physical social engineering.
Our social engineering engagements use the same adversarial techniques as cybercriminals. Cybercriminals aim for the weakest link and therefore select the attack path most likely to yield the results they need. If that is phishing or a physical attack, then that is what they will use. Our social engineering services aim to offer assurance in this area.
Understanding the process
What are the typical stages?
As in other service areas, reconnaissance is the first and most important phase. This includes extensive information gathering and the use of open source intelligence to create an accurate and up-to-date picture of the nature and state of the client target. In the case of physical social engineering, the information gathering can include:
- Research on the organisation's sites and campuses
- Research on the organisation's landlords and site managing agents
- Enumeration of services provided to staff at the target site
- Current and ex-staff members and key posts
- Hiring and graduate schemes
- Clients and suppliers of key and peripheral items and services
- Catering arrangements at sites
- Arrangements for disabled and neurodiverse staff
- Social media profiles
From this point, attack vectors are planned and scored on their likelihood of success, and the top two or three are carried forward. The prerequisites for each are prepared or organised, and finally the two most viable vectors are carried through to the execution phase.
What type of findings have you made in the past?
During email phishing campaigns we have been able to elicit credentials which allow staff emails to be read. When performing telephone phishing we have been able to gain the confidence of a senior staff member at a law firm and have been able to request that various actions be performed on the member's work computer, based on the pretext that we were calling from his IT department.
During physical social engineering we have been able to enter and move around offices unhindered, sit at arbitrary workstations and engage staff in conversation; in one instance we were even given a free lunch. In another instance, for a client in the medical sector, we were able to tour the client's offices, opening filing cabinets at will and taking photographs unchallenged.
Take ACTION TODAY
Protect Your Organisation with Penetration Testing
Get started with a comprehensive penetration test today and fortify your organisation against cyber threats.