Is everyone familiar with social engineering testing? It’s a test of the natural tendency of a person to trust another person’s word, rather than exploiting actual computer security holes.
Testing can be done on-site or remote. On-site testing usually has its share of funny stories. This is a good test of the organization’s physical security, check-in policies, badging, escorting, etc. Usually a “get out of jail free” card is issued to the tester(s) in case authorities are summoned. Not a bad thing – it means the security-aware employee was doing their job.
Remote testing can involve telephone calls, carefully crafted email messages, fake websites, etc., all in an attempt to coerce the organization’s employees into revealing sensitive information or granting unauthorized access, in violation of established policies.
There’s a bit of pre-work involved:
- Information collection, such as names of key IT staff members, credentials, system information, location of systems or data, etc., using public sources
- Sometimes entire websites are built to resemble the organization’s website or a site that the testers will be trying to engage the employees to visit
- Crafting convincing email(s) and/or scripts
The testing can be performed blind (with no previous knowledge or assistance) or in a collaborative manner with the project sponsors.
Sr. Account Executive