SOCIAL ENGINEERING TESTING
What is Social Engineering?
Social engineering, in the context of information security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. The difference to a real attack is the fact, that testing is done with the explicit written consent of the client and the purpose is to produce a comprehensive report and to close down security holes, before a real attacker can exploit them. As of 2018, in 95% of all tests, we managed to obtain sensitive information employing social engineering techniques.
Why Social Engineering Testing?
Does the best IT Security help, if employees give out sensitive info?
Do staff click on links if they seem to get an email from a manager?
Can employees be tricked over the phone when being impersonated?
Is the physical security weak?
Can attackers dumpster dive? Is tailgating possible?
Are users educated around Social Engineering threats?
Who should be Social Engineering tested?
Any business holding confidential data or customer information
Businesses who don’t want lawsuits or legal consequences
Businesses who have fallen victim already and want to be prepared
Businesses who must comply to industry or government compliance
Businesses who heard that a competitor has been hit by an attack
Businesses who know that being pro-active avoids costly breaches
How often should a Social Engineer Test be carried out?
A full audit should at least be done once or twice a year and the results should flow into a company security policy. We recommend regular user education, which we also provide.
Social Engineering audit services
During a social engineering audit, we can perform tests electronically (computer based). We gather a lot of open source information prior to any engagement through online information gathering.
Generic phishing email campaigns sent to the staff with a call to action (clicking a link, playing a video). For example a CNN news alert of a fake terrorist attack or the apparent death of a celebrity.
Spear phishing email campaigns by sending crafted emails, which seem to come from a superior and get the user to click a link and/or provide confidential information. We also get employees to visit fake websites, which simulate infecting their machines or are used to “phish” credentials.
Spear phishing in conjunction with the simulated exploitation of the endpoint (Gold package)
All services come with most comprehensive reporting, user tracking and classification
SOCIAL ENGINEERING PACKAGES
SILVER Package
Deliverables per user:
1 email exposure report showing all publicly exposed email addresses
1 phishing email per user with a news flash alert containing a link to click
1 spear phishing email (i.e. pretending to be HR) with a call to action
Comprehensive reporting including detailed statistics and analysis
GOLD Package
Deliverables per user:
1 email exposure report showing all publicly exposed email addresses
1 phishing email per user with a news flash alert containing a link to click
1 spear phishing email (i.e. pretending to be HR) with a call to action
1 exploit will be delivered in order to compromise the endpoint
Comprehensive reporting including detailed statistics and analysis
Download Flyer and Sample Reports
References and Certifications
If you would like to speak to one of our existing customers, we are happy to arrange that. Please note that a lot of customers wish to remain anonymous and not to serve as a reference due to the sensitivity of the work we perform. Naturally we always comply with our customers. We do however have some clients who are happy to serve as references. Should you require validation of our consultant’s certifications, we can arrange that as well.