TALK TO ONE OF OUR EXPERTS ABOUT SOCIAL ENGINEERING TESTING
Let Risk Crew help your organisation stay ahead of threats to your systems with effective security and penetration testing
Social engineering can be summed up as ‘hacking the human’. Traditional malicious hacking attacks a digital asset of an organisation (i.e. a website, network or system) and attempts to gain unauthorised access or cause harm by exploiting a vulnerability. Social engineering instead focuses on a person and attempts to exploit human frailties by coercing or tricking the recipient into giving up sensitive information, clicking on a malicious link or allowing unauthorised access to property or the IT estate.
In this article, we will set out the benefits of running simulated social engineering testing, outline the most common forms of attack and explain how you remediate the weaknesses uncovered by running the tests.
With around 60 – 80% of all cyber breaches being attributed to human failings, a well-executed and properly remediated social engineering testing exercise can significantly reduce the chance of a successful information or cyber security breach.
Social engineering attacks are many and varied; however, they all share one thing in common, and that is the manipulation of a person for nefarious ends:
“Tell me and I forget. Teach me and I remember. Involve me and I learn”
This adage resonates especially with defending against social engineering attacks. Users are often limited by their imagination and by a false sense of security that comes from being behind the closed doors of their workplace. Good simulated social engineering testing not only involves the testing itself but is also evidenced by metrics and, where appropriate, video and audio artefacts.
Consider a simulated phishing email that is crafted in such a way that its content really sticks in the minds of the recipients: one that will capture their imagination and get them talking. Then, when the users are informed that it was a test and shown the evidence that it was not a genuine opportunity to win a free holiday, the lesson really gets into their heads. Suddenly they are thinking about how they approach their emails in a different way – a cyber secure way.
The same goes for all examples. Imagine a simulated attacker talks his or her way past the reception desk and onwards to unauthorised access. This is backed up with covert video and audio evidence; again, the staff are presented with this evidence. Now they are not being asked to imagine an intruder attack, they are seeing with their own eyes one taking place.
This is a critical element of the undertaking: how you approach it will determine whether you get employees on board or, conversely, risk alienating them and pushing them away.
The first thing to remember is not to point the finger of blame at any individual. This is about changing the culture of the whole company and should be approached in that manner. A good way of making this inclusive is to show how a senior board member was targeted and fell foul of the test.
The next step is to make sure that your policies and procedures back up the message and provide support to your employees. If you are going to be asking them to challenge strangers, then give them the backing of a policy to make it less personal and awkward:
“Sorry, I’d love to hold the door open for you, but as per our security policy I can see you haven’t got the appropriate visitor pass on, I’ll walk you back to reception and you can get things cleared up there”
Similarly, have well-documented and easily accessible procedures in place. Have fail-safes for transferring funds, for example.
To keep the message in their heads, feed them regular, short, snappy multimedia messages on the subjects at hand. Make use of posters and other collateral. For example, a poster above an access-controlled door articulating the dangers of tailgating not only acts as a constant reminder to staff but is also a useful tool to refer to should staff need to confront an unauthorised visitor.
Risk Crew have been at the forefront of running successful simulated social engineering testing for over 15 years.
We provide it either as a standalone product or as part of our Information Security Awareness Programme: eRiskology™.