Cybersecurity Tactics: Social Engineering Testing
posted Feb 14, 2017 by Daniel M. Andrea, CPA, CITP, CISA in the Business Blog
Employees are still a weak link in many organizations’ cybersecurity efforts. As part of an overall Vulnerability Assessment program, companies are increasingly utilizing social engineering testing. Social engineering testing comes in many forms; a common practice we recommend is running simulated phishing scams against your employees to determine your business’ potential vulnerability to cyber-fraud and its need for security awareness training. Learn why this has become a prevalent cybersecurity defense mechanism in recent years.
Common social engineering tests
Social engineering tests imitate actual phishing scams to evaluate the security of an organization’s IT infrastructure. The organization can safely attempt to exploit vulnerabilities by sending:
- Emails meant to entice the recipient to open a file that is actually a malicious PDF, which, when viewed, gives the attacker access to the user’s system.
- Emails meant to entice the recipient to click on a link to a malicious website.
- Emails designed to coax usernames and passwords out of recipients.
- Malicious USB drives, CDs, and/or mobile apps that contain “Trojan” payloads and “phone home” capabilities.
- Caller ID spoofing (modifying the caller ID to disguise the caller’s identity and talk the recipient into handing over sensitive information).
How are social engineering tests executed?
Companies can choose to do an external test, which simulates an attack from the outside on specific servers within your internal network. This is the most common choice. The other option is an internal test, which simulates what someone could do from the inside (a disgruntled employee, for example).
- Planning and prep: During the planning process, the organization must outline the scope and objective of the test. You must pinpoint which machines, systems, networks and staff members will be targets of the test.
- Reconnaissance: Preliminary information gathering, with the objective of learning as much as possible about your company’s systems.
- Discovery: The social engineering tester then uses automated tools to scan the systems in scope for weak points.
- Analysis of information and risks: The tester analyzes and assesses the information gathered to define the goals of the test, who the targets will be, any potential risks to the system, and how long the test will take.
- Active intrusion attempts: Considered the most important step, this is the point at which the tester attempts to gain access to the unsuspecting user’s system.
- Final analysis: After the intrusion attempts, the tester can pinpoint the vulnerabilities in the system and judge how effective the existing cybersecurity policy is.
- Preparing the report: The tester prepares a report containing an overall summary of the test(s), details of all vulnerabilities discovered, and suggestions for future improvement.
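To make the final analysis and report steps concrete, here is an added example (not code from the original post or from any particular testing tool) that turns raw simulation results into per-department failure rates, reporting rates, and a list of groups that need awareness training. The record format, department names, and results are all constructed for illustration.

```python
"""Summarize phishing-simulation results for the 'Final analysis' and report steps.
All records below are constructed sample data; the field names are assumptions."""
from collections import Counter, defaultdict

# One record per targeted employee per lure. 'outcome' is the furthest step taken:
#   no_action   - ignored the lure
#   reported    - forwarded it to the security team (the behaviour training aims for)
#   engaged     - opened the attachment, clicked the link, plugged in the USB drive,
#                 or answered the spoofed caller's questions
#   credentials - typed a username/password into the fake login page
SAMPLE_RESULTS = [
    {"dept": "Finance",     "vector": "link",       "outcome": "credentials"},
    {"dept": "Finance",     "vector": "attachment", "outcome": "engaged"},
    {"dept": "Finance",     "vector": "link",       "outcome": "reported"},
    {"dept": "Finance",     "vector": "phone",      "outcome": "no_action"},
    {"dept": "Engineering", "vector": "usb",        "outcome": "no_action"},
    {"dept": "Engineering", "vector": "link",       "outcome": "reported"},
    {"dept": "Engineering", "vector": "attachment", "outcome": "reported"},
    {"dept": "HR",          "vector": "attachment", "outcome": "engaged"},
    {"dept": "HR",          "vector": "phone",      "outcome": "reported"},
    {"dept": "HR",          "vector": "link",       "outcome": "no_action"},
]
FAILURES = {"engaged", "credentials"}   # outcomes that would have given a real attacker a foothold

def summarize(results):
    """Per-department counts, plus failure rate (engaged or worse) and report rate."""
    summary = defaultdict(lambda: {"targets": 0, "failed": 0, "credentials": 0, "reported": 0})
    for r in results:
        s = summary[r["dept"]]
        s["targets"] += 1
        s["failed"] += r["outcome"] in FAILURES
        s["credentials"] += r["outcome"] == "credentials"
        s["reported"] += r["outcome"] == "reported"
    for s in summary.values():
        s["failure_rate"] = round(s["failed"] / s["targets"], 3)
        s["report_rate"] = round(s["reported"] / s["targets"], 3)
    return dict(summary)

def vector_failure_rates(results):
    """Failure rate per lure type, so the report can say which vector worked best."""
    targets, failed = Counter(), Counter()
    for r in results:
        targets[r["vector"]] += 1
        failed[r["vector"]] += r["outcome"] in FAILURES
    return {v: round(failed[v] / targets[v], 3) for v in sorted(targets)}

def needs_training(summary, max_failure_rate=0.2):
    """Departments whose failure rate exceeds the agreed tolerance, worst first."""
    over = [(d, s["failure_rate"]) for d, s in summary.items() if s["failure_rate"] > max_failure_rate]
    return [d for d, _ in sorted(over, key=lambda x: (-x[1], x[0]))]

if __name__ == "__main__":
    summ = summarize(SAMPLE_RESULTS)
    for dept, s in sorted(summ.items()):
        print(f"{dept:12} targets={s['targets']} failure={s['failure_rate']:.0%} reported={s['report_rate']:.0%}")
    print("Weakest vectors:", vector_failure_rates(SAMPLE_RESULTS))
    print("Needs awareness training:", needs_training(summ))
```

The 20% tolerance in `needs_training` is an assumed value; agree the threshold with the business during the planning step, and track the report rate across campaigns as the measure of whether training is working.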
Be careful not to cross the ethical line
As you might imagine, there are some risks involved with these tests. Successful tests depend on following a strict code of ethics. You must ensure all testing activities are authorized and within legal limits. Companies must take great care not to disclose any sensitive or confidential information during a test.
How often should you perform a social engineering test? We suggest tests be carried out on a regular basis, to ensure everyone is on board with regulations and cybersecurity protocol. It is also a good rule of thumb to conduct a test every time a new office location is established, after network upgrades, when new devices are added to the system, and so on.
Questions? Contact me or any member of our Information Security Services Team.