I recently wrote about Security Awareness Training, and mentioned that a well-trained staff and general employee population can be a good deterrent against Social Engineering practitioners. Social Engineering is a service offering of Halock Security Labs, and it’s probably one of our team’s favorite exercises. Social engineering is basically a test of the security awareness of your employees.
Many organizations opt not to have social engineering performed because they’re already pretty certain they would fail it. However, it can be a good indication that security awareness training is needed, if you’re looking to build a business case for training. Or, if an organization is already doing training, it’s a good test of the effectiveness of the training.
Social engineering can be performed off-site or on-site, or both. An example of off-site social engineering would be to call in by phone to unsuspecting employees to try to obtain information – email addresses, logins or passwords, information about systems, etc. Email is another form of social engineering, and obtaining information via phishing, is fairly common. Entire fake websites are sometimes built to lure unsuspecting employees to open up malware, or download applications built by the testing team.
On-site social engineering is usually quite exciting. The tester’s goal is to physically gain access to the company, access their network, access applications, and get to the goods. You’ve probably heard of dumpster diving, and though it’s still done (upon request), the methods of gaining access to company information are a bit more elegant.
Gaining physical access is usually (should be) tricky. The tester will employ some very creative ways to gain access to the building through locked entrances via tailgating company employees, hanging out with the smoking crowd, employing distraction tactics with the entrance guard. (One of our testers can cry on demand which usually can engage even the most cynical security guard.) We’ve even seen fruitcakes used!
Yes, for our clients it’s probably difficult to see a picture of one of our testers sitting in their board room, with screen prints of their payroll, but it has happened. Especially difficult if their own employees helped hold a door open for the tester to get in. We’ve embarrassed more receptionists. (Our apologies to all of the receptionists out there.)
Usually the exercise is considered done once it triggers incident response. Sadly, sometimes incident response is not triggered, which may indicate some investigation into the incident response program is needed.
A regular program of security awareness training helps make our job tougher as social engineers. And, an overall culture throughout an organization that security is important and supported from the top down. You don’t want to be the next unsuspecting recipient of a fruit cake!
Sr. Account Executive