Social Engineering Testing

Social engineering testing helps to identify threats that are difficult to address, because no technical solution can protect an organization if an employee allows a hacker into the network. The goal of these attacks could be technical (breaching a network to compromise sensitive data) or physical (gaining access to restricted areas). Whatever the goal, social engineers design their attacks to take advantage of our natural tendency to be helpful, trusting, and non-confrontational.

Social engineering testing is a valuable method to identify human weaknesses within an organization. Today’s hackers are using sophisticated attack methods and are more effective than ever before. The combination of technology, psychology, and creativity has become an extremely popular and effective way for a hacker to get access to a company’s system and steal private information. Below are some of the methods Tanner’s Information Security team uses during testing:

  • Phishing: Sending spoofed emails to employees with malicious attachments or links
  • Pretexting: Pretending to be a person of authority to get employees to perform an action that would compromise the network (e.g., provide a password or visit a compromising website)
  • Media Dropping: Asking employees to run files from a USB device or CD that contains malicious code
  • Physical Security: Attempting to bypass the company’s physical security controls (e.g. locks, motion sensors, gatekeepers) and access restricted areas

Tanner’s Process

We build our social engineering testing engagements from the ground up and tailor each test to the targeted organization. We start each test by using public resources to gather information on the organization, as well as a select few employees. We then leverage this information to convince end users to break company security policy or jeopardize the integrity of the network. There are plenty of pre-scripted tests available online, but these are ineffective because they fail to simulate the actions of real-world attacks. Our customized approach uses the same sophisticated techniques that hackers have been using to compromise high-profile companies across the world.

Social Engineering Test Deliverable

Upon completion of the social engineering testing assessment you will receive a detailed report containing the following information:

  • Statement of the engagement’s purpose, scope and approach
  • Description and attack methods used during testing
  • Detailed logs including:
    • Originating IPs of compromised systems
    • Usernames/desktop names (where applicable)
    • Times of action/exploit
  • Overview of identified risk
  • Prioritized recommendations to help reduce risk