© 2020 Content Security Pty Ltd.

offensive security services

Social Engineering, Physical Intrusion & Phishing

90% of security attacks are due to human error. Highlighting the gaps in your user security layer is one of the quickest wins when it comes to your organisation's cyber resilience.

It’s a known fact - users are the weakest link in securing your organisation

What is social engineering?

Social Engineering can be loosely defined as the art of exploiting human psychology. In cyber security, social engineering attacks focus on manipulating human trust as a means of gaining access to a victim organisation’s systems, data or buildings.

Techniques range from baiting employees into picking up malware-infected flash drives to targeted spear phishing emails. In fact, instead of searching for software vulnerabilities, a social engineer might simply call an employee and pose as an IT support person, successfully tricking the user into divulging system details or credentials.

Without knowing what to look for and how to protect against these attacks, your users are essentially open doors into your organisation

Social engineering and physical intrusion tests highlight gaps in your users’ resilience by performing the same attacks that are likely to allow attackers in. Our expert ethical hackers simulate real-world attacks on your staff, assessing their knowledge and providing you with a benchmark for contextualised security awareness training.

30%

Human error is a major source of all data breaches

Approximately 30% of breaches are due to internal employee errors. However, we can't forget the crucial role the human factor plays in malicious external attacks, like phishing and credential compromise.

Social engineering is the fourth costliest attack vector, with breaches averaging $4.47 million

Cyber criminals are taking advantage of human defences now more than ever - it's time to act with increased vigilance

Social engineering continues to yield great results for cyber attackers, so it's no wonder these attacks are on the rise. Rapid changes in the work environment have made it increasingly difficult to protect employees and monitor their behaviours. In addition, these attacks require minimal technical expertise to conduct successfully. Hackers will continue to find great success in psychologically manipulating users, subsequently compromising credentials, injecting ransomware and siphoning funds if these gaps aren't addressed.

Social engineering is a multifarious practice - it comes in many shapes and forms

In order to protect your organisation, your users must be able to identify these types of attacks

Phishing involves an attacker sending fraudulent emails, claiming to be from a trusted and reputable source. These attacks are generally broad in scope and attempt to target as many individuals as possible. However, there are a few types of phishing that hone in on particular targets, like spear phishing or business email compromise (BEC).

These emails may contain ransomware disguised as a link or attachment, or will lead you to a fake website that asks you to enter your credentials.

Learn more about our phishing tests.

While phishing is a primary email threat vector, attackers use similar techniques to manipulate your users over the phone and via text.

Vishing occurs when a cyber criminal attempts to trick a victim into verbally disclosing sensitive information or giving them access to company systems over the phone. Smishing incorporates the same trickery as phishing but over text message.

Learn more about our approach to vishing/smishing.

Physical security compromises remain the 5th most frequent attack vector, with tailgating and piggybacking among the most popular techniques.

A victim may be 'tailgated' by an attacker who quickly slips through the office door behind them before it closes. Moreover, naïve employees may be 'piggybacked' by unknowingly holding the door open for an attacker out of kindness.

Learn more about our physical security assessments.

Baiting appeals to victims' curiosity by enticing them with a lure left in conspicuous areas where they are likely to see it. For example, this may be an authentic-looking USB dropped on your organisation's premises containing ransomware. The victim then picks up the bait and inserts it into a work computer, thus infecting your network.

Baiting also exists in online forms, such as compelling ads that lead to malicious sites. Learn more about our USB drop approach.

social engineering

Phishing Campaigns

Simulating real phishing emails to determine how your users respond

Our phishing campaigns are designed to simulate the psychological manipulation of your staff. We test whether they are susceptible to disclosing your company’s sensitive information and if they’ll follow the instructions contained within our realistic phishing emails.

Using a refined phishing methodology, our expert ethical hackers will attempt to socially engineer your staff and obtain:

  • Credentials;
  • Network information such as domain name and IP address;
  • Operating

Successful phishing attacks are some of the leading causes of data loss, ransomware and credential compromise

Gain insight on employee awareness without the real-world risk

Improve security behaviours in a meaningful, efficient way

Customise campaigns to your business profile

Our Security Assurance team helps you determine the best phishing campaign for your organisation, based on your business requirements, industry profile and current threat landscape. This ensures you're getting the most realistic idea of your staff's susceptibility and how they'd act in a real-world attack.

Launch numerous campaigns for regular testing

To truly cultivate a security awareness culture in your company, it’s important to test your user vigilance regularly. In addition to one-off email phishing tests, we’re able to run multiple campaigns across the year, testing your vulnerability to fake websites, CEO fraud, link manipulation and general email phishing attacks.

Tailored reporting for more targeted training

Once the campaign has concluded, the results will be collated and analysed by our team. User participation will be categorised and all findings will be placed within a report, suitable for your executive management team and other stakeholders’ perusal. Ultimately, the results can be used for more targeted security awareness training.


Vishing and Smishing

Ensure your users aren't disclosing sensitive company information over the phone

In a similar vein to our phishing campaigns, our vishing and smishing tests aim to persuade your employees into leaking confidential information. Using a sample of phone numbers provided by your organisation and an agreed-upon background story, our team will target employees in HR, Sales, PR or help desk roles.

Our ethical hackers use a series of questions to coax sensitive information from your employees, including:

  • User credentials;
  • Common software used by personnel; and
  • Other sensitive information that could aid in further exploitation.

Test user susceptibility to genuine phone-scammers

With campaigns ranging from telemarketing to IT support scams

A range of fully customisable templates

Our social engineers will work closely with your team to create a custom campaign involving a background story to coax information from employees and a list of questions to match. We help determine which scenario will best fit your personnel and craft highly realistic and successful vishing/smishing messaging around this story.

Targeted questioning & real-world persuasion tactics

Once your team approves the campaign, we begin questioning. First, our team attempts to gain non-sensitive data. As the call continues, we progressively request data of increasing sensitivity, with the final stage involving asking users to perform computer-related tasks. All questioning will cease if your staff show signs of refusal or discomfort.

Detailed reports for effective improvements

The report provided post-campaign details the testing results, explaining the campaign progress and what kinds of information we were able to extract from your users. Furthermore, we provide high level findings on the key effective and weak security practices adopted in your organisation, with actionable recommendations for improvement.

Physical Intrusion

Validate the efficacy of your physical security controls

The Content Security black team will assess the effectiveness of any physical security controls in place and determine how feasible it would be for an attacker to infiltrate your business' physical location. Replicating a real-world attack as closely as possible, our team attempts to obtain sensitive company information, such as:

  • Blueprints;
  • Intellectual property; and
  • Any other paper documents of interest.

Physical security compromises are the 5th most frequent attack vector, with breaches costing approximately $3.54 million

Put your physical security controls to the test

Breaches caused by physical security compromises take an average of 292 days to identify

Realistic physical intrusions without the risk

We follow actual intrusions as closely as possible. First, we conduct reconnaissance to gain a feel for the physical environment and flow of staff. Second, we begin infiltration, attempting to gain entry to secure areas via social engineering. Third, we attempt a visual compromise, followed by a technological compromise and exfiltration.

Expose weak physical barriers and associated dangers

One of the primary benefits of this physical security assessment is unveiling unknown security vulnerabilities and the potential risks associated with them. For example, we uncover physical gaps in security such as electronic doors that are easily bypassed, network jacks in public areas, rubbish bins containing intact company information, etc.

Detailed deliverables to assist in uplifting your security posture

Once the test is concluded, we provide actionable recommendations to help improve your physical security controls and social engineering measures. Our reports cover the detailed steps, methods and pretexts used during the intrusion, as well as evidence of security risks and a process to mitigate these going forward.


Baiting and USB Drop

Find out if your employees will take the bait

During a USB Drop campaign, several USB devices are left unattended at specific locations where a relatively high volume of people are present. For example, this could be an office parking lot, café or elevator.

Ultimately, this testing helps determine whether end users are aware of and adhering to information security policies and procedures. These tests help to:

  • Determine the effectiveness of your existing security training; and
  • Identify employees who require further training.

Help your employees counteract their curiosity

Get actionable insight on how vulnerable you are to USB drop attacks and baiting

Proactively mitigate USB and baiting risks

Assessing your users’ vulnerability to these attacks is the first step to minimising the chances of USB drops leading to successful compromises. This exercise will assist in making users aware of how malicious USB devices can cause system infections and data loss, and furthermore, teach them how to avoid these threats.

Test users across multiple sites and locations

We work closely with your team to build an enticing scenario around each USB drop. Firstly, we determine how many USB devices will be left on your premises and, secondly, the best locations to leave them. Prime locations typically have a lot of foot traffic, so the USB is likely to be picked up and inserted into a company computer.

Collated results for enforcement of company policy

The USB drives used throughout the campaign will contain a program that allows our consultant access to the affected user’s computer. All findings collected during the campaign will be detailed in the report provided at the end of the engagement. These will assist you in determining who is following company security policies and whether they need more security awareness training.

Run social engineering tests alongside your security awareness training to determine its efficacy

As your partner in all things cyber security, we can conduct both social engineering and ISAT

Our social engineering services can fully support Information Security Awareness Training by providing a base to work from and by validating that the training is effective. We also provide training programs to teach your staff about cyber resilience.

For more information please contact our cybersecurity professionals today.