A social engineering test is a simulated attack carried out from the perspective of a bad actor, such as a malicious hacker. The objective is to simulate a cyber security attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. In doing so, you gain valuable insight into the security posture of your assets and can fix the vulnerabilities before hackers are able to cause serious damage by exploiting them.
Hackers who use social engineering are constantly coming up with new means of attack; that’s why it’s so important to work with third-party testing professionals who are on the cutting edge of the latest attack trends, rather than relying on a DIY social engineering approach alone.
We get this question a lot, and it is not easy to answer until some level of scoping has been performed. Our scoping process is quick, online, and painless. Overall, the complexity of the operation ultimately determines its cost. For example, when determining the work effort, we take the following into account: the number of targets (email, telephone), the number of physical locations (onsite), and the travel time between physical locations, if applicable.
A social engineering test should result in a list of actionable items that reduce the likelihood of successful cyberattacks. These steps often begin with basic improvements and progress to more advanced, customized solutions over time.
Multi-factor authentication (MFA) is a common way for organizations with immature security programs to improve their protection against cybercriminals. This approach requires an individual to provide multiple login credentials, or factors, before they can access a restricted area. Factors can include knowledge, possession, or an inherent property. Knowledge is something only the user knows (like a password), a possession is something only the user has (like a phone or token-generating device), and an inherent property is something only the user is (like a fingerprint).
The intense focus that many organizations currently have on protection against malware attacks is certainly justified, but it often causes them to overlook physical security. A follow-up engagement allows the social engineer to check for improvements in security and training.
Training and ongoing communication remain the best ways to ensure that employees stay alert to potential social engineering attacks. Not only will employees be more empowered to take action to protect their organization, but they will also be more apt to follow procedures such as not sharing information they shouldn’t. Email filtering can also help stop some phishing emails from reaching users.
You can also test the effectiveness of your training and communication by initiating email phishing campaigns, or by hiring a firm to run spear phishing or vishing attacks, and then adjusting training and communication based on the results. It is critical that employees are not punished for falling for a social engineering event but are rewarded for identifying and reporting one.
An effective employee security awareness program should make clear that everyone in the organization is responsible for IT security. It should also identify the steps to take if an incident or suspected incident arises: users should know who to contact, what details to record about the event that transpired, and who or what was involved in the incident.
A good program should include awareness of: data, network use, conduct, social media, personal devices, protecting company devices, phishing emails, social engineering tactics, and types of viruses and malware. Employees should also be trained in what information they can share, what information they should not transmit over the phone, and how to verify that the caller or email originator is authorized to receive the requested information.
All companies need social engineering activities to test their training effectiveness and identify where additional training or communication may be required. Organizations are sometimes slow to realize that people pose the most significant risk, because they do not always react consistently. In 2020, 95% of cybersecurity breaches were caused by human error. Social engineering engagements allow you to safely test the skills your team has gained through training and help identify areas where additional training is needed.
The difference between phishing and spear phishing is that phishing is a more generic attack sent to a broad group on the assumption that at least one person will act and provide usable information. Spear phishing is more targeted and may include information specific to an individual or company, generally gathered from publicly available sources or learned through a broader phishing event. In either case, employees should be trained to recognize these types of attacks and escalate them appropriately. Social engineering poses the greatest threat to any organization and can often serve as a foothold for much larger attacks.