Social Engineering

Let RandomStorm’s Social Engineers safely test the security of your people and processes utilising the latest Social Engineering techniques

Social Engineering Testing

Security breaches of corporate IT networks are often thought only to come as a result of a malicious attack from technically competent computer hackers. However, social engineering often plays a large part in helping hackers bypass the initial IT security barriers.

Overly helpful employees lacking security awareness often provide access to corporate offices, restricted areas and IT systems where the hacker has no authorised access.

Social engineers use techniques and skills to trick legitimate employees and computer users into providing access to restricted areas and the information required to gain access to restricted IT systems. The social engineer will pose as a legitimate employee or third party with false credentials in order to trick legitimate employees and computer users into divulging useful information. This information can then be used to break into the corporate IT systems. Social engineering can be performed by many means: by telephone, by forged email or by visits to corporate offices.

Social Engineering – Methodology

The security testing methodology used is based around the Open Social Engineering Framework testing methodology.

The assessment is divided into seven steps.

These seven steps are:

  • Client brief
  • Intensive job scoping and research to create a threat model
  • Formulation of bespoke attack scenarios based on client threat modelling
  • Active social engineering engagement
  • Client debrief
  • Report creation
  • Report presentation

Client Brief

The client is briefed by the project manager to discuss the purpose of the assessment with the customer and to confirm the agreed scope of the assessment. Rules of engagement are discussed and general admin requirements are confirmed. The consultant performing the assessment will introduce themselves via email before the social engineering test is initiated.

Threat Modelling

The consultant will take the client's requirements and research these in order to formulate a threat model that will be used as the basis of the assessment.

Attack Scenarios

Once the threat model is formulated, the consultant then formulates the bespoke attack scenarios based upon the threat model. Various attack scenarios are considered and researched before a decision is made on which attack scenarios to use, based upon the researched information and the likelihood of success.

Active Engagement

At this stage the social engineering consultants carry out the attack scenarios. These may be remote and performed over the telephone or Internet, or local and performed at the client's head office or remote satellite offices.

Client Debrief

At the end of the assessment the consultant will contact the customer to inform them that the assessment has concluded, and initial feedback will be presented to the customer.

Report Creation

The consultant creates an in-depth report focussing on providing business needs driven solutions to any issues identified. The report consists of a comprehensive PDF written report and a separate presentation containing the key messages identified during the assessment.

Report Presentation

The written PDF report and presentation are securely delivered to the customer. The consultant arranges a mutually convenient time to deliver the presentation via a web conferencing tool, with a view to verbally delivering the results and key messages and answering any questions the customer may have after digesting the written PDF report.

The customer may wish to request a follow-up assessment after a given time period in order for the effectiveness of the remediation to be assessed.

Find out more

Read about Social Engineering at Wikipedia
Read about the Open Social Engineering Framework