Social Engineering Assessments
People tend to be trusting and helpful by nature and can often be manipulated into granting access or giving away sensitive information. Our Social Engineering Assessments use publicly available information to research potential weak points in the target organisation's social structure, then design and carry out social attacks and other deceptive techniques to extract account credentials and gain access to controlled systems and/or environments.
BSI uses a mix of passive reconnaissance and active social engineering techniques to perform these assessments.
Prior to any testing, the terms of reference for the engagement are set out and agreed. These cover the scope and duration of the engagement and the legal indemnification required to perform the assessment, and specify the permitted methods of contact, the levels of interaction and any other constraints. The agreement also records that all testing follows a recognised security assessment framework and that every action stays within the applicable laws of the territory in which it is performed.
Passive reconnaissance gathers information about the target organisation's people, technologies and data without interacting with the target. Depending on the scope of the engagement, this typically focuses on key staff such as Directors and Board members, Senior Management, the organisation structure, key IT staff and systems, the IT/Support Helpdesk and sensitive data (e.g. intellectual property). By interrogating this publicly available information, BSI can demonstrate how feasible a successful social engineering or spear phishing attack would be for a real attacker and produce a prioritised list of targets.
Active social engineering techniques
Once the targets are enumerated, active attacks are performed against selected targets and locations. A number of options are available for active social engineering assessments, depending on the client's requirements. A sample of the available methods is described below.
Spear phishing
BSI will target an agreed list of personnel with a specially crafted email in an attempt to glean sensitive or privileged information. The email will attempt to lure the targets onto a BSI-controlled website that requires a login. The website will be set up to mimic the look and feel of the organisation's corporate sites and will request the target's corporate username and password.
Objective: Obtain corporate or remote access usernames and passwords
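One defensive check a practitioner would want to pair with a phishing exercise like this, added here as an example and not BSI's own tooling: a triage script that classifies sender and link domains by how closely they resemble the corporate domain. It assumes the corporate domain is example.com, that a lure relies on a look-alike domain (the page only says the site looks alike, not how it is named), and it uses a small stand-in for the public suffix list; the sample lures are constructed.

```python
"""Classify sender and link domains against a corporate domain to spot
spear-phishing look-alikes. Added example, not BSI tooling. The corporate
domain example.com, the thresholds and the sample lures are constructed."""
from urllib.parse import urlparse

# Character substitutions commonly used to fake a familiar domain label.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}
PAIRS = {"rn": "m", "vv": "w"}

# Minimal stand-in for the public suffix list (assumption: enough for a demo).
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def host_of(target: str) -> str:
    """Return the lowercase host of a URL, or the domain part of an e-mail address."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower().strip(".")
    parsed = urlparse(target if "://" in target else "http://" + target)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Approximate the registrable domain: last two labels, or three for known two-part suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Collapse homoglyph substitutions so that 'examp1e' and 'exarnple' become 'example'."""
    for pair, repl in PAIRS.items():
        label = label.replace(pair, repl)
    return "".join(CONFUSABLES.get(c, c) for c in label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str, corporate: str = "example.com") -> str:
    """Label a URL or sender address relative to the corporate domain."""
    host = host_of(target)
    corp_reg = registrable(corporate)
    corp_label = corp_reg.split(".")[0]
    reg = registrable(host)
    label = reg.split(".")[0]
    if reg == corp_reg:
        return "legitimate"
    if label == corp_label:
        return "tld-swap"          # same brand label under a different suffix
    if normalise(label) == normalise(corp_label):
        return "homoglyph"         # digit/letter-pair substitutions
    allowed = 1 if len(corp_label) < 6 else 2
    if levenshtein(label, corp_label) <= allowed:
        return "typosquat"         # one or two keystrokes away
    if corp_label in label or corp_label in host.split("."):
        return "brand-embedded"    # brand used as a subdomain or inside the label
    return "unrelated"


if __name__ == "__main__":
    # Constructed lures of the kind a credential-harvesting campaign might use.
    samples = [
        "https://sso.example.com/login",
        "it-helpdesk@examp1e.com",
        "https://exarnple.com/",
        "https://exmaple.com/login",
        "https://example.com.secure-login.net/",
        "http://example-login.net",
        "https://news.example.org/",
        "https://www.unrelated-vendor.net/",
    ]
    for s in samples:
        print(f"{classify(s):15} {s}")
```

Anything other than "legitimate" is worth a second look before the user enters credentials; the script is a triage aid, not a verdict, and a real deployment would swap the suffix stand-in for the full public suffix list.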
Telephone social engineering
BSI will test the current security awareness of the organisation's personnel by phoning staff members and requesting details that should not be given to unauthorised callers. BSI will use pretext scenarios built from the information gathered during reconnaissance to call users and attempt to convince them to disclose sensitive information to the unauthorised caller.
Objective: Obtain sensitive corporate information and / or usernames and passwords
Onsite physical assessment
A BSI consultant will go onsite to attempt to gain access to areas that should be restricted to employees only, using techniques such as:
- Tailgating to gain access to restricted areas
- Shoulder surfing to obtain sensitive information such as employee credentials
- Installing physical keyloggers on employee computers
Objective: Obtain physical access to sensitive areas / computers, obtain usernames and passwords
Shane Ryan, EVP of Professional Services
Get in contact to learn more about our Social Engineering Assessments