SOCIAL ENGINEERING TESTING

CGF has provided Social Engineering testing to many organizations throughout the world. During a Social Engineering test, CGF's experts attempt to manipulate an organization's employees into granting unauthorized access to confidential information. This lets the organization test both its Information Security Policy and its employees' adherence to that policy. By hiring CGF to perform this test, the organization can identify the points at which its controls fail and train its staff so that an actual breach is prevented. CGF has designed techniques that can be performed both onsite and remotely.

During an onsite engagement, CGF will use various techniques to gain physical access to obtain records, files, and/or equipment that may contain confidential information.

The onsite engagement techniques typically include:

  • Dumpster diving
  • "Trusted Authority" disguises, such as fire inspectors, air-conditioning repair technicians, pest-control technicians, etc.
  • Employee impersonation (IT help desk staff, new hires and auditors)

The onsite engagement tests the following control areas for weaknesses:

  • Proper Disposal of Sensitive Data
  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Sensitive Area Security
  • Device/System Compromise
  • Technical Preventive and Detective Controls

The remote Social Engineering engagement involves manipulating the organization's employees by telephone or email in an attempt to get them to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information.

The remote engagement techniques typically include:

  • Pretext calling (e.g. of employees and help desk teams)
  • Phishing
    • Email based (attempting to get employees to log in to organization-branded portals controlled by the tester)
    • Baited media drops (CDs and USB keys planted where employees will find them, to lure them into running a payload)

The remote engagement can include tests for the following:

  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Privacy Filtering
  • Technical Preventive and Detective Controls

WHY SHOULD I PERFORM SOCIAL ENGINEERING TESTING?

Social Engineering testing allows an organization to test its response to an active attack and to measure the effectiveness of its employees' Information Security Awareness.