Social engineering assessment is a crucial step to achieve protection from data breaches.
Cyberattacks are becoming more prevalent and more complex. They have become severe threats that cause irreparable financial, operational and reputational damage across industries. To strengthen a company's security, due diligence must be exhausted to avoid these pitfalls.
In a nutshell, social engineering is the art and science of exploiting the human element’s unpredictability to access a system. This is one of the main ways hackers find their way inside vital systems to tamper and steal private company information.
With more technological advancements, social engineering has evolved in a variety of ways. It has grown increasingly challenging to keep up with all the growing threats and train employees about these threats. Social engineering tests can help provide a comprehensive picture of employees’ preparation and presence of mind.
The Methodologies of Social Engineering Assessment
Social engineering involves malicious attacks that focus on human manipulation and interaction. It takes on different forms to exploit the many loopholes where human actions are involved. The following are examples of social engineering attacks that have compromised several systems.
Phishing
This type of scam uses text and email as platforms, creating messages that instill fear, urgency, or curiosity in its victims. The intention is to convince targets to share sensitive information such as passwords, open attachments containing malware, or click links to malicious websites.
The term phishing derives from the word fishing. It is an analogy with the sport of angling, in which scammers lure their victims with a malicious email to "fish" vital financial data or access credentials such as passwords from a "sea" of online users. It was coined around 1996 when hackers stole America Online accounts and passwords.
Software as a Service (SaaS) or Webmail was the top online industry targeted by phishing during the first quarter of 2020, according to data from Statista.com. The list shows that a wide range of online platforms experience phishing:
- SaaS / Webmail: 33.5 percent
- Financial institution: 19.4 percent
- Payment: 13.3 percent
- Social media: 8.3 percent
- Telecom: 6.9 percent
- E-commerce: 6.2 percent
- Cloud storage: 3.9 percent
An example of phishing is an email claiming that an online service requires immediate action because of a policy violation. Under this pressure, a user without presence of mind will mindlessly click the links in that email to solve the problem presented.
The link will seem legitimate, but it is not. Once the unsuspecting user submits the form, it harvests access credentials and passwords for the attacker.
Baiting
Similar to phishing, baiting is an attack that piques the greed or curiosity of a victim. While phishing uses texts or emails, baiting can involve the use of actual physical media.
A common bait is a flash drive left in a visible place such as an elevator, parking lot, or restaurant. Unknown to the victim, the flash drive carries malware; when the victim plugs it into a home or work computer, the malware installs automatically.
Its virtual version uses advertisements that link to malicious websites when the victim clicks the ad. The site then leads to a download link for a malware application.
Scareware
This mode of social engineering also takes a page from the phishing playbook. It starts from a message or advertisement that describes an imaginary threat or a false alarm. On that premise, the attacker encourages the victim to download and install scareware: deceptive software that can harvest vital data or information.
Vishing
Vishing stands for voice phishing, and it uses telephone conversations to pry vital information from unsuspecting victims. It is a telephone scam that uses identity fraud and theft to fool people. Attackers pretend to be from a reputable government agency or company to get vital information directly from their targets.
In recent years, vishing has grown in prominence. In 2018, a study projected that 50 percent of mobile traffic would be scam calls going forward. According to the 2018 Scam Call Trends and Projections, half of the more than 50 billion calls in America will be exposed to fraud unless measures are put in place to combat these attacks.
The Psychology Behind Social Engineering
Social engineering exploits human weaknesses to gain an advantage. The core of these criminal activities relies on psychological manipulation to lull victims into making security lapses.
This criminal activity does not happen in an instant. It takes on several steps, with the attacker lying in wait like a patient predator:
- The attacker does background research on the victim to survey any potential vulnerability that can be exploited.
- When access is gained, the attacker attempts to gain the victim’s trust and introduce an urgent or desperate scenario that will compel drastic moves that bypass security practices.
- The goal of the attack is to acquire sensitive information or to get access to essential resources.
The best defense against social engineering is to understand how the attacker thinks. This is one of the primary purposes of social engineering assessments.
Mounting an Assessment
A social engineering assessment is an essential asset for understanding the vulnerabilities of the people who work in an organization. It is a complicated process because human error is harder to anticipate than technical problems.
The primary task is to test the readiness of employees when they least expect it. Here are several methods to conduct social engineering assessments:
Pretext Phone Calls
Security professionals attempt to target employees using telephone calls. They typically start by looking up information online such as phone numbers, job designations and key names. These are used to create a "pretext," the story the tester will tell the unsuspecting target.
A common story is to obtain a customer's name and check whether the employee will readily give out sensitive information about that client while ignoring the correct security protocol.
The security professional has to think like an attacker to achieve this aim. Set a goal for what type of vital data must be acquired. If the target is susceptible, the professional may escalate and get more information.
One way to fine-tune the approach is the use of a spoofed phone number. It has to carry the correct area code, with caller ID details provided, so a phone number spoofing service is crucial for this undertaking. There are even voice changer apps available for download. Some popular spoofing tools include Spooftel, Spoof My Phone, and Spoofcard. Note that it is essential to do background research on these apps to guard against unwanted features.
Practice is essential to be a believable pretext phone caller. The goal is to test the target employees and not to fool them. It must be a learning experience for the employees.
Phishing Tests
The prevalence and success of phishing make it one of the most dangerous social engineering tactics. Several business tools are available to test and train against phishing. KnowBe4 enables security professionals to create their own phishing tests with the help of customized emails. It also offers additional training from various experts in the field of security.
A barrage of phishing emails can be quickly sent using these security tools that use automation.
The goal is to assess how target employees will react when receiving these suspicious emails and text messages. Calls for action include convincing targets to do any of the following:
- Visit malicious websites
- Reveal vital personal information
- Break security rules and regulations
Dumpster Diving
This social engineering assessment tactic does not cost much to do, but it does require security professionals to be hands-on. It is a test of employees' compliance with disposal regulations.
Dumpster diving is a sweep in which the security professional checks the trash collection around the building to see whether any of the garbage unknowingly reveals vital information.
A system must be put in place to track trash and its originating department. This is vital for ensuring accountability should any information leak because of irresponsible disposal.
The scrutiny of trash is essential because any critical information that finds its way into a garbage bin can expose the company to attackers.
Examples of information that may find its way into the trash include the following:
- Hard drive details
- Social security numbers
- Shredded checks
- Flash drives
- Confidential client information
- Internal policies
The focus of the social engineering assessment is to provide a learning experience for the target employees. Think of it as a school examination. If it is announced, there is no way of gauging how ready the employee is or if there is still a need for further training.
As such, safety has to be guaranteed to protect the outcome of the social engineering assessment.
Even though the assessment has the company’s blessing, its activities may appear suspicious or threatening to people from an outsider perspective. The security professional must have the good judgment to determine if an assessment has gone out of bounds.
Target employees may experience fear and nervousness when confronted with social engineering tests. This is why contingencies and scenarios must be planned well by the security professional. They must also have sufficient credentials from the client organization, just in case they get confronted by target employees or law enforcers.
The Importance of Follow-up
As a learning experience, the social engineering assessment must establish contact with the target employees right after the test. This debrief is essential to make sense of the security professional's scenario and to focus on the lessons that emerged from it.
A successful assessment will identify lapses and weaknesses involving human employees. The knowledge of these mistakes will be useful in planning for improvements.
Those who passed the assessment with flying colors and those who failed will learn lessons from experience. Those who overcame the test can share their presence of mind when presented with the problem. For those who had deficiencies, the follow-up can be an excellent opportunity to point out mistakes and improve them.
The point is to increase the organization’s overall defense and not scare the employees into hiding their lapses. If employees are not honest about their mistakes, it can compromise the company further.
The lines of communication should be open and the social engineering assessment should not alienate the target employees. The human resources of the organization should be the first line of defense and not an operational liability.
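The phishing tests described under Mounting an Assessment produce a log of who opened, clicked, submitted or reported the test email, and the follow-up described above needs per-department rates and a debrief list drawn from that log. This added example (not the page's own code, nor KnowBe4's or any other vendor's) computes both from a constructed event log; the event names and the sample entries are assumptions.

```python
from collections import defaultdict

# Severity order of what a recipient did with the simulated phishing email.
SEVERITY = ["sent", "opened", "clicked", "submitted"]

# Constructed sample campaign log, not real data: (employee, department, event).
SAMPLE_EVENTS = [
    ("alice", "finance", "sent"), ("alice", "finance", "opened"),
    ("alice", "finance", "clicked"), ("alice", "finance", "submitted"),
    ("bob", "finance", "sent"), ("bob", "finance", "reported"),
    ("carol", "hr", "sent"), ("carol", "hr", "opened"), ("carol", "hr", "clicked"),
    ("dave", "hr", "sent"),
    ("erin", "it", "sent"), ("erin", "it", "opened"), ("erin", "it", "reported"),
]


def per_employee(events):
    """Collapse the log to one record per person: department, worst action, reported flag."""
    people = {}
    for name, dept, event in events:
        rec = people.setdefault(name, {"dept": dept, "worst": "sent", "reported": False})
        if event == "reported":
            rec["reported"] = True
        elif SEVERITY.index(event) > SEVERITY.index(rec["worst"]):
            rec["worst"] = event
    return people


def department_rates(events):
    """Headcount plus the share who clicked, submitted credentials or reported, per department."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rec in per_employee(events).values():
        c = counts[rec["dept"]]
        c["n"] += 1
        c["clicked"] += SEVERITY.index(rec["worst"]) >= SEVERITY.index("clicked")
        c["submitted"] += rec["worst"] == "submitted"
        c["reported"] += rec["reported"]
    return {d: {"n": c["n"], **{k: round(c[k] / c["n"], 2) for k in ("clicked", "submitted", "reported")}}
            for d, c in counts.items()}


def follow_up(events):
    """Who needs a debrief (worst outcome first) and who to recognise for reporting the email."""
    people = per_employee(events)
    debrief = sorted((n for n, r in people.items() if r["worst"] in ("clicked", "submitted")),
                     key=lambda n: -SEVERITY.index(people[n]["worst"]))
    recognise = sorted(n for n, r in people.items() if r["reported"])
    return debrief, recognise
```

Anyone who submitted credentials is debriefed first; employees who reported the email are listed separately so the follow-up can recognise them rather than treat the whole campaign as a failure.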
Prevention Is Key
Social engineering assessments are typically put in place to improve the awareness of employees. It is easier and more cost-efficient to prevent the damage of a data breach than to respond to its adverse effects. Here are tips to avoid the threats of social engineering:
- Avoid opening emails that come from strangers
- Use multi-factor authentication
- Keep software updated against threats
- Research tempting offers before acting on them
Expertise and Experience in Social Engineering Assessment
RSI Security understands the volatility and danger of social engineering and how it continually evolves. To gain a tactical advantage against these threats, trust our team of experts to handle your company's security program.
The strategy of RSI Security involves a comprehensive consultation about your business needs, compliance status and industry risks. Studying the existing systems of your company enables us to deploy solutions that are secure and efficient.
As an extension of the IT team, RSI Security will consistently check the social engineering assessment’s effectiveness and the security program in place. Trust our security services to align with your organization’s goals focusing on competence, cost optimization, and customer care.