What is Social Engineering?
Social engineering is one of the most overlooked, and arguably the most dangerous, security threats that an organisation can face. In the context of cybersecurity, social engineering tactics are used to deceive or manipulate employees within an organisation into divulging confidential or sensitive information for fraudulent purposes.
Attackers can disguise themselves confidently as trustworthy individuals, and establish a level of trust with whomever they see as vulnerable and easy to manipulate. These victims are then tricked into compromising their security, and by extension, the organisation’s security as well. Social engineering can take place online or offline. In some cases, social engineering attacks have been known to take place directly within organisation premises.
Social engineering has become a very efficient form of hacking, which is why many businesses take up Social Engineering Penetration Testing to ensure their safety and security are not compromised.
Social Engineering Testing Explained
Social Engineering Penetration Testing can help you evaluate how susceptible your employees are to social engineering attacks. A social engineering pentest can be used to assess an organisation’s security policies and procedures, to see how effective they are, how deeply employees understand them and most importantly, whether they are being adhered to.
Organisations should always take great care when securing their networks and infrastructure, but it is difficult to predict or detect when social engineering attacks will take place. Social engineering is a technique rather than a physical asset, which makes it even harder to detect and control. The team here at Bridewell Consulting aims to use our wealth of experience in all of these techniques to educate and inform our clients on how they can spot real-life attacks and prevent them from taking place.
The techniques used are intended to circumvent the technological controls an organisation has put in place, so given enough time an attacker may eventually succeed. Bridewell Consulting will therefore help your organisation take steps towards educating employees on the common types of attack, by employing the same attacks in social engineering engagements.
We have outlined a few examples of social engineering testing.
Social Engineering Test Types
On-Site Penetration Testing
- Impersonation – as the name suggests, this technique involves posing as an employee to gain access to the premises and reach valuable information, sometimes in restricted areas of the target company. This could involve impersonating a candidate for a job interview, a delivery person or someone in a technical support role. The last of these arguably puts the company at the greatest risk in a real-life social engineering attack.
- Reverse Social Engineering – this Penetration Testing technique involves the victim approaching the attacker of their own accord, the attacker having first established some form of trust with the victim.
- Luring – this technique involves leaving a physical media device where it will lure employees into connecting it to a computer system. The employees would be unaware that the device contains malware, for example.
Off-Site Penetration Testing (Social Engineering Phishing)
- Phone Phishing (Vishing) – a penetration tester may call the organisation, pretending to be a legitimate user, in an attempt to obtain account passwords.
- Email and SMS Phishing – penetration testers may send employees emails or SMS texts containing links to files that may carry malware, asking the users to click through to the link; doing so could give the testers access to the target’s systems.
Our Social Engineering Process
A full engagement from Bridewell Consulting will typically include the following:
- Leaving malware-infected devices, such as a USB flash drive or CD, in a place where they will be found.
- Sending an employee fraudulent communications that masquerade as genuine and appear to come from a trusted source.
- Fabricating false circumstances to compel victims into providing access to sensitive data or protected systems.
- Conducting a highly targeted attack that focuses on a specific individual within an organisation.
How Social Engineering Testing Can Help
Social engineering training exercises, such as penetration tests, can help your organisation in the following ways:
- Improve your security awareness as it pertains to your employees – i.e. enhance their ability to identify potential phishing attacks.
- Determine how effective your information security policy is.
- Strengthen the ability of your cybersecurity controls to identify attacks and, in doing so, prevent them.
- Establish what an attacker could learn about your business from what is publicly available.
- Develop targeted awareness training for your employees.
- Highlight issues with any operational procedures and policies.
- Focus protection on the most sensitive information within your organisation.
Professional Social Engineering Services
While Bridewell primarily focuses on the most malicious types of social engineering, it’s vital to understand the physiological, psychological and technical aspects of how people are influenced. Often, people believe they are being helpful and disclose sensitive information and data because they assume the trust is there. The same techniques used in social engineering attacks, i.e. exploiting human weaknesses and virtues, can have a profound, long-lasting effect on a person.
We understand that social engineering penetration testing may make some people cautious, and that the thought of succumbing to a social engineering attack can make people uneasy. Bridewell Consulting will work with you to develop a covert, agreed activity that will test your organisation and employees. Through our range of tests, we can identify operational weaknesses and help you improve your organisational best practices.