Put your staff and physical security to the test. Identify where your vulnerabilities are and understand how these could be exploited.

 

What is a Social Engineering Penetration Test?

Social Engineering occurs when people are manipulated into carrying out specific actions or divulging information that is of use to an attacker. For example opening an infected email, plugging in a USB drive or letting a stranger into the building. 

A social engineering penetration test is multi-stage evaluation of your company’s human resilience to these kinds of attack. Using the same tools as an attacker, we probe your organisation's human firewall, that is your staff & contractors, to find out where your vulnerabilities lie.

Why have a social engineering penetration test?

Social engineering is the biggest cyber threat to company security.

The ICO recently issued a large fine to the Carphone Warehouse citing  “inadequate vulnerability testing & penetration testing” as one justification for the fine.

The GDPR requires you to provide evidence of your commitment to security - Our report can help with this evidence.

Your clients are becoming increasingly aware of cyber security & are impressed & reassured by companies that engage in external testing.

It helps you identify where to spend your security budget so you don’t waste money.

The Process

Pre-Engagement Meeting

The scope of the test is discussed & agreed. Terms of testing are drawn up & signed. All your questions are answered. You have an opportunity to design parts of the test

Threat modelling

We gather intelligence on your organisation & staff to help us develop our attack vectors. This can be online or physical recon visits to your site.

Attack

We launch the agreed attacks & collect results. We record the responses staff gave to the attacks and measure them against your organisation’s policies.

Report & debrief

We write up the report & then present it to you as part of a full debrief. We make recommendations to improve your security.

KEY ELEMENTS

Phishing

Email attacks can be easy to spot or sophisticated & targeted. Email is the biggest attack vector being used. Can your staff spot them?

We test employees against 2 levels of phishing attack (an easy one with lots of clues & mistakes & a harder to spot spear phishing attack). This tells us what level of security awareness your staff have.

You can decide whether to use links, attachments or the input of login credentials for the test.

We work with your I.T team to measure the click rate and the reporting rate coming back from your staff. Both are used to calculate the final score for this part of the test.

Vishing

Phone call attack to gather intelligence for another attack. Would your staff hand over valuable information over the phone?

Usually employed by attackers as a recon tool to gather sensitive information about your organisation before an attack is launched.

A log of the call is made and included in the final report.

Vishing can help test how well your staff follow policies & procedures.

The recon done during a vishing call often helps us set up our teams for the impersonation attacks later on in the test.

Impersonation

A physical attack to gain access to your business & data. Would your staff challenge someone following them through a locked door?

Our highly skilled team will develop “cover stories” to attempt to gain physical access to your building & ultimately your data, devices, servers or assets.

At no point is anything malicious or harmful introduced. If we can plug an empty USB stick into one of your servers that highlights a big problem for your security.

All our impersonation attacks will follow a recon visit to your site to establish entry protocols, security guard movements, cameras & layout for example. We will also conduct OSINT on key people and arrive with convincing “costumes” including badges and lanyards.

Baiting

We drop USB sticks at strategic points around your facility. Would one of your staff pick one up & plug it into a networked device?

Our team can drop USB sticks at strategic places to try and entice staff to pick them up and plug them in.  We can also post USB sticks to staff pretending to be free gifts or exclusive offers.  We would conduct detailed open source intelligence research into staff to send them a convincing but unsolicited offer we hope they would find suspicious.

Wi-Fi

Setting up a convincing access point to lure staff into connecting to it. Would you staff connect to a rogue access point?

Can we log into your wifi from the car park?

Can we set up a rogue wireless access point & get employees to connect to it?

The aim is to then capture traffic being sent by those devices.

Paper Records

Do your staff destroy paper records correctly or are they left in printer trays? Could we walk out with folders of information?

Do sensitive paper records always get shredded? Our team will be looking for unlocked filing cabinets, documents left on printers or copiers. We will even go through bins to find things of value.

Reconaissance

Would you spot people engaging in hostile recon? This can be a threat from an information security & counter terrorism perspective.

OSINT

What can we find out about you and your staff online? How would an attacker use this? Is your online footprint too large?

We collect & analyse Open Source Intelligence (OSINT) to mount a convincing attack.

Some of the sources we look at include:

• Corporate website & job adverts

• Document & photo metadata

• Reverse image searches

• Email addresses & enumeration

• Social media

• DNS records

• Geolocation data

Why choose us?

Subject matter experts speaking at events around the world on cyber security & social engineering.

With our background in the Police Cyber Crime Unit & UK Counter Terrorism Intelligence Services we understand the threat well.

We specialise in producing high quality reports that translate complicated technical concepts for a non-technical audience to understand.

We handle the entire process and are vendor neutral. Our priority is your security & nothing else.

Social Engineering Penetration Test FAQ

Who can I tell?

The fewer people who know about the test the better to keep it as real and accurate as possible. We will help you identify who may need to be “in on it”.

Will you fix our security for us?

No. The people who test your security shouldn’t be the people who fix it and visa versa. This separation of roles is crucial to ensure your systems are as secure as possible. We are vendor neutral but can help you find solutions for fixes.

How much input do I get?

Some clients would like to be involved in crafting some of the phishing emails or requesting certain departments to be tested. It is up to you how much input you have.