Social Engineering Assessment
The old saying that you are only as strong as your weakest point is absolutely true, especially when factoring in the "people" aspect of IT security. Regardless of the technologies you implement or the physical barriers you erect, the strength of your controls comes down to the training, awareness, diligence and honesty of your company insiders. Comprehensive security policies and security awareness training are fundamental controls within an effective security program. Testing these controls is equally critical to validating and improving program effectiveness.
Social Engineering Framework
Interactive Security's Social Engineering Framework consists of three A's: Analyze, Assess and Analysis. Clients should run the framework yearly so they can see whether they are improving or need to take further action.
- First, in the Analyze phase, we identify the information that is deemed valuable and will be the focus of the engagement. These items are typically sensitive or proprietary to company operations.
- Second, in the Assess phase, we collect information matching the Analyze-phase targets using only free, open source channels (OSINT). Collection uses both automated and manual discovery processes.
- Third, in the Analysis phase, all collected information is manually inspected in detail for possible disclosure of the sensitive information identified in the Analyze phase.
Once information is found and analyzed, every finding is documented in a prioritized list. Interactive Security includes this list along with recommendations in the final report.
Social Engineering Scope
Each of Interactive Security's Social Engineering Assessments follows either a black box or a white box method. These two approaches give clients a choice of level of effort.
In a black box assessment, the social engineer begins with no prior information from the client, in order to see what intelligence (OSINT) can be found online. For these campaigns the social engineer gathers E-mail addresses, phone numbers and information about physical security controls, then uses it to develop custom attack vectors.
Benefits of black box assessments:
- More realistic: Interactive Security's social engineers see what they can find without guidance from the client
- Best method to simulate outside threats
During white box assessments the client provides the targets to be tested, such as phone numbers, E-mail addresses and locations.
Benefits of white box assessments:
- Client controls what information and which employees they want assessed
- Best method to simulate attackers who already know the organization, such as insider threats
Attackers use intelligence gathering tactics against companies to find information exposed in job postings, employee social media accounts, or even third-party associations such as vendor press releases. Once intelligence is collected, they leverage it to build social engineering campaigns. Interactive Security uses the same tactics to gather intelligence.
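To make the automated part of that collection concrete, here is an added example (not Interactive Security's tooling or any code from this page) that runs over a few constructed text snippets of the kind found in a job posting, a LinkedIn bio and a partner press release. The company, domain, addresses and phone numbers are invented. It pulls out E-mail addresses, phone numbers and vendor names, separates in-scope addresses from third parties, records which source each item came from so the finding can be cited in the report, and guesses the company's address convention, which is what lets a tester build addresses for employees who are named online but never listed.

```python
import re
from collections import defaultdict

# Constructed sample text of the kind an attacker harvests from job postings,
# employee social-media profiles and third-party press releases. All names,
# domains and phone numbers here are made up for the example.
SAMPLE_SOURCES = {
    "job_posting": (
        "Senior Network Engineer, Example Corp. Must have Cisco ASA and "
        "Palo Alto experience. Send resumes to hr@example.com or call "
        "215-555-0134 (ask for J. Doe)."
    ),
    "linkedin_bio": (
        "IT Manager at Example Corp | Okta admin | reach me at "
        "j.doe@example.com or 215-555-0178"
    ),
    "partner_release": (
        "Example Corp selects Acme MSP (support@acme-msp.test, "
        "1-800-555-0199) for managed backup."
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b(?:1-)?\d{3}-\d{3}-\d{4}\b")
# Vendor and product names that tell an attacker which pretexts and lure
# themes (a fake Okta password reset, a "firewall vendor" support call)
# will look plausible to staff.
TECH_KEYWORDS = ("cisco asa", "palo alto", "okta", "managed backup")


def harvest(sources, target_domain):
    """Extract contact details and technology hints from free-text sources.

    Returns a dict keyed by finding type; each finding maps to the list of
    source names it appeared in, so the report can cite where the leak is.
    """
    findings = {
        "in_scope_emails": defaultdict(list),
        "third_party_emails": defaultdict(list),
        "phones": defaultdict(list),
        "technologies": defaultdict(list),
    }
    for name, text in sources.items():
        for email in EMAIL_RE.findall(text):
            email = email.lower()
            bucket = ("in_scope_emails" if email.endswith("@" + target_domain)
                      else "third_party_emails")
            findings[bucket][email].append(name)
        for phone in PHONE_RE.findall(text):
            findings["phones"][phone].append(name)
        lowered = text.lower()
        for kw in TECH_KEYWORDS:
            if kw in lowered:
                findings["technologies"][kw].append(name)
    return {k: dict(v) for k, v in findings.items()}


def guess_email_format(in_scope_emails):
    """Infer the address convention from observed local parts.

    Knowing that addresses look like 'f.last' lets a tester (or attacker)
    derive addresses for employees seen on social media but never listed.
    Role mailboxes such as 'hr' match neither pattern and are skipped.
    """
    for email in in_scope_emails:
        local = email.split("@")[0]
        if re.fullmatch(r"[a-z]\.[a-z]+", local):
            return "f.last"
        if re.fullmatch(r"[a-z]+\.[a-z]+", local):
            return "first.last"
    return "unknown"


if __name__ == "__main__":
    results = harvest(SAMPLE_SOURCES, "example.com")
    for kind, items in results.items():
        print(kind, items)
    print("address format:", guess_email_format(results["in_scope_emails"]))
```

The same structure scales to real collection: replace the dictionary of snippets with text scraped from the sources in scope, and the per-source provenance is what turns a pile of addresses into a prioritized list of where the client is leaking.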
Phishing Assessment
Phishing has been the starting point of many data breaches, so companies must train and test for this style of attack continuously. Our Phishing Assessments measure what percentage of client employees pass or fail a phishing campaign.
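How that pass/fail percentage is computed matters, because the raw event feed from a phishing platform does not map one-to-one onto outcomes. The following added example (not Interactive Security's reporting code or anything from this page) scores a constructed campaign export with invented addresses and timestamps. Opening the mail is not counted as a failure, since mail clients and link scanners open messages on the user's behalf; clicking or submitting credentials is; reporting is tracked separately so that a user who clicked and then reported is still a failure but is called out as someone training has half reached; and events from addresses that were never sent the lure (a forwarded message, a scanner replaying the link) are flagged instead of silently inflating the numbers.

```python
import csv
import io

# Constructed export in the shape a phishing platform might produce:
# one row per event, ordered by time. Addresses and times are made up.
CAMPAIGN_CSV = """timestamp,user,event
2024-03-04T09:00:00,alice@example.com,sent
2024-03-04T09:00:00,bob@example.com,sent
2024-03-04T09:00:00,carol@example.com,sent
2024-03-04T09:00:00,dave@example.com,sent
2024-03-04T09:00:00,erin@example.com,sent
2024-03-04T09:05:12,alice@example.com,opened
2024-03-04T09:06:40,alice@example.com,clicked
2024-03-04T09:07:02,alice@example.com,submitted
2024-03-04T09:10:30,bob@example.com,opened
2024-03-04T09:11:00,bob@example.com,reported
2024-03-04T09:15:00,carol@example.com,clicked
2024-03-04T09:16:00,carol@example.com,reported
2024-03-04T09:20:00,dave@example.com,opened
2024-03-04T09:25:00,mallory@example.com,clicked
"""

# Higher number = worse outcome. "reported" is tracked separately because
# it is a positive behaviour and can coexist with a click.
SEVERITY = {"sent": 0, "opened": 1, "clicked": 2, "submitted": 3}


def score_campaign(csv_text):
    """Turn raw campaign events into the pass/fail numbers a report needs.

    A user fails if they clicked the link or submitted data. Opening alone
    is not a failure. Events for addresses that were never sent the lure
    are collected in 'unexpected_users' and excluded from every rate.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # First pass: the denominator is everyone who was actually targeted.
    targeted = {r["user"] for r in rows if r["event"] == "sent"}
    worst = {u: SEVERITY["sent"] for u in targeted}
    reported, unexpected = set(), set()
    # Second pass: keep only each user's worst action.
    for r in rows:
        user, event = r["user"], r["event"]
        if user not in targeted:
            unexpected.add(user)
        elif event == "reported":
            reported.add(user)
        elif event in SEVERITY:
            worst[user] = max(worst[user], SEVERITY[event])
    failed = {u for u, s in worst.items() if s >= SEVERITY["clicked"]}
    submitted = {u for u, s in worst.items() if s == SEVERITY["submitted"]}
    n = len(targeted)
    return {
        "targeted": n,
        "failed": sorted(failed),
        "fail_rate": len(failed) / n if n else 0.0,
        "submit_rate": len(submitted) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        # Clicked but then reported: still a failure, but worth calling out
        # because these users recognised the lure, just too late.
        "clicked_then_reported": sorted(failed & reported),
        "unexpected_users": sorted(unexpected),
    }


if __name__ == "__main__":
    for key, value in score_campaign(CAMPAIGN_CSV).items():
        print(f"{key}: {value}")
```

Tracking the report rate alongside the fail rate is what shows improvement across yearly campaigns: a program that is working drives clicks down and reports up at the same time.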
Verbal Phishing (Phone/Voicemail)
Verbal phishing (also called vishing) is eliciting sensitive information over the phone. Interactive Security uses multiple approaches to gain information, such as caller ID spoofing and impersonation, just as a malicious actor would.
Physical Assessment
A Physical Assessment validates the physical security controls and company policies a client has in place, or shows them the areas that need improvement.
Physical security controls, which Interactive Security will assess:
- Video surveillance
- Security guards
Company policies and procedures that may be tested:
- No-tailgating policies
- Questioning visitors who are not wearing guest badges
- Secure document disposal (dumpster diving)
- Removable media handling (USB drops)
Interactive Security offers a full suite of social engineering assessment services that test every aspect of your human controls. Interactive Security can customize these testing programs to evaluate the risk of information disclosure, using technical methods such as online phishing, staff impersonation and pretext calling, and physical control tests such as piggybacking, lock testing and other physical entry methods.
Are you wondering about your organization’s data risks and are interested in a Social Engineering Assessment? Contact the Interactive Security team at 267-824-2500 or firstname.lastname@example.org. We can help you understand the specific steps your organization needs to take to get up to date.