© 2020 Content Security Pty Ltd.
Social Engineering can be loosely defined as the art of exploiting human psychology. In cyber security, social engineering attacks focus on manipulating human trust as a means of gaining access to a victim organisation’s systems, data or buildings.
Techniques range from baiting employees into picking up malware-infected flash drives to targeted spear phishing emails. In fact, instead of searching for software vulnerabilities, a social engineer might simply call an employee and pose as an IT support person, successfully tricking the user into divulging system details or credentials.
Social engineering and physical intrusion tests highlight gaps in your users’ resilience by performing the same attacks that are likely to allow attackers in. Our expert ethical hackers simulate real-world attacks on your staff, assessing their knowledge and providing you with a benchmark for contextualised security awareness training.
Approximately 30% of breaches are due to internal employee errors. However, we can’t forget the crucial role the human factor plays in malicious external attacks, like phishing and credential compromise.
Phishing involves an attacker sending fraudulent emails, claiming to be from a trusted and reputable source. These attacks are generally broad in scope and attempt to target as many individuals as possible. However, there are a few types of phishing that home in on particular targets, like spear phishing or business email compromise (BEC).
These emails may carry ransomware disguised as a link or attachment, or lead you to a fake website that asks you to enter your credentials.
While phishing is a primary email threat vector, attackers use similar techniques to manipulate your users over the phone and via text.
Vishing occurs when a cyber criminal attempts to trick a victim into verbally disclosing sensitive information or giving them access to company systems over the phone. Smishing incorporates the same trickery as phishing but over text message.
Physical security compromises remain the 5th most frequent attack vector, with tailgating and piggybacking as some of the most popular techniques.
A victim may be ‘tailgated’ by an attacker who quickly slips through the office door behind them before it closes. Moreover, naïve employees may be ‘piggybacked’ by unknowingly holding the door open for an attacker out of kindness.
Baiting appeals to victims’ curiosity by enticing them with a lure left in a conspicuous area where they are likely to see it. For example, this may be an authentic-looking USB drive dropped on your organisation’s premises containing ransomware. The victim then picks up the bait and inserts it into a work computer, thus infecting your network.
Baiting also exists in online forms, such as compelling ads that lead to malicious sites.
Our phishing campaigns are designed to simulate the psychological manipulation of your staff. We test whether they are susceptible to disclosing your company’s sensitive information and if they’ll follow the instructions contained within our realistic phishing emails.
Using a refined phishing methodology, our expert ethical hackers will attempt to socially engineer your staff and obtain:
Our Security Assurance team help you determine the best phishing campaign for your organisation, based on your business requirements, industry profile and current threat landscape. This ensures you’re getting the most realistic idea of your staff’s susceptibility and how they’d act in a real-world attack.
To truly cultivate a security awareness culture in your company, it’s important to test your user vigilance regularly. In addition to one-off email phishing tests, we’re able to run multiple campaigns across the year, testing your vulnerability to fake websites, CEO fraud, link manipulation and general email phishing attacks.
Once the campaign has concluded, the results will be collated and analysed by our team. User participation will be categorised and all findings will be placed within a report, suitable for your executive management team and other stakeholders’ perusal. Ultimately, the results can be used for more targeted security awareness training.
In a similar vein to our phishing campaigns, our vishing and smishing tests aim to persuade your employees into leaking confidential information. Using a sample of phone numbers provided by your organisation and an agreed-upon background story, our team will target employees in HR, Sales, PR or help desk roles.
Our ethical hackers use a series of questions to coax sensitive information from your employees, including:
Our social engineers will work closely with your team to create a custom campaign involving a background story to coax information from employees and a list of questions to match. We help determine which scenario will best fit your personnel and craft highly realistic and successful vishing/smishing messaging around this story.
Once your team approves the campaign, we begin questioning. First, our team attempts to gain non-sensitive data. As the call continues, we progressively request data of increasing sensitivity, with the final stage involving asking users to perform computer-related tasks. All questioning will cease if your staff show signs of refusal or discomfort.
The report provided post-campaign details the testing results, explaining the campaign progress and what kinds of information we were able to extract from your users. Furthermore, we provide high level findings on the key effective and weak security practices adopted in your organisation, with actionable recommendations for improvement.
The Content Security black team will assess the effectiveness of any physical security controls in place and determine how possible it would be for an attacker to infiltrate your business’ physical location. Replicating a real-world attack as closely as possible, our team attempts to obtain sensitive company information, such as:
We follow actual intrusions as closely as possible. First, we conduct reconnaissance to gain a feel for the physical environment and flow of staff. Second, we begin infiltration, attempting to gain entry to secure areas via social engineering. Third, we attempt a visual compromise, followed by a technological compromise and exfiltration.
One of the primary benefits of this physical security assessment is unveiling unknown security vulnerabilities and the potential risks associated with them. For example, we uncover physical gaps in security such as electronic doors that are easily bypassed, network jacks in public areas, rubbish bins containing intact company information, etc.
Once the test is concluded, we provide actionable recommendations to help improve your physical security controls and social engineering measures. Our reports cover the detailed steps, methods and pretexts used during the intrusion, as well as evidence of security risks and a process to mitigate these going forward.
During a USB Drop campaign, several USB devices are left unattended at specific locations where a relatively high volume of people are present. For example, this could be an office parking lot, café or elevator.
Ultimately, this testing helps determine whether end users are aware and adhering to information security policies and procedures. These tests help to:
Assessing your users’ vulnerability to these attacks is the first step to minimising the chances of USB drops leading to successful compromises. This exercise will assist in making users aware of how malicious USB devices can cause system infections and data loss, and furthermore, teach them how to avoid these threats.
We work closely with your team to build an enticing scenario around each USB drop. Firstly, we determine how many USB devices will be left on your premises and secondly, where the best locations are to do so. Prime locations typically have a lot of foot traffic and therefore, the USB will likely be picked up and inserted into a company computer.
The USB drives used throughout the campaign will contain a program that allows our consultant access to the affected user’s computer. All findings collected during the campaign will be detailed in the report provided at the end of the engagement. These will assist you in determining who is following company security policies and whether they need more security awareness training.
Our social engineering services fully support Information Security Awareness Training by providing a baseline to work from and by validating that the training is effective. We also provide training programs to teach your staff cyber resilience.