Put your staff and physical security to the test. Identify where your vulnerabilities are and understand how these could be exploited.
What is a Social Engineering Penetration Test?
Social Engineering occurs when people are manipulated into carrying out specific actions or divulging information that is of use to an attacker. For example opening an infected email, plugging in a USB drive or letting a stranger into the building.
A social engineering penetration test is multi-stage evaluation of your company’s human resilience to these kinds of attack. Using the same tools as an attacker, we probe your organisation's human firewall, that is your staff & contractors, to find out where your vulnerabilities lie.
Why have a social engineering penetration test?
Email attacks can be easy to spot or sophisticated & targeted. Email is the biggest attack vector being used. Can your staff spot them?
We test employees against 2 levels of phishing attack (an easy one with lots of clues & mistakes & a harder to spot spear phishing attack). This tells us what level of security awareness your staff have.
You can decide whether to use links, attachments or the input of login credentials for the test.
We work with your I.T team to measure the click rate and the reporting rate coming back from your staff. Both are used to calculate the final score for this part of the test.
Phone call attack to gather intelligence for another attack. Would your staff hand over valuable information over the phone?
Usually employed by attackers as a recon tool to gather sensitive information about your organisation before an attack is launched.
A log of the call is made and included in the final report.
Vishing can help test how well your staff follow policies & procedures.
The recon done during a vishing call often helps us set up our teams for the impersonation attacks later on in the test.
A physical attack to gain access to your business & data. Would your staff challenge someone following them through a locked door?
Our highly skilled team will develop “cover stories” to attempt to gain physical access to your building & ultimately your data, devices, servers or assets.
At no point is anything malicious or harmful introduced. If we can plug an empty USB stick into one of your servers that highlights a big problem for your security.
All our impersonation attacks will follow a recon visit to your site to establish entry protocols, security guard movements, cameras & layout for example. We will also conduct OSINT on key people and arrive with convincing “costumes” including badges and lanyards.
We drop USB sticks at strategic points around your facility. Would one of your staff pick one up & plug it into a networked device?
Our team can drop USB sticks at strategic places to try and entice staff to pick them up and plug them in. We can also post USB sticks to staff pretending to be free gifts or exclusive offers. We would conduct detailed open source intelligence research into staff to send them a convincing but unsolicited offer we hope they would find suspicious.
Setting up a convincing access point to lure staff into connecting to it. Would you staff connect to a rogue access point?
Can we log into your wifi from the car park?
Can we set up a rogue wireless access point & get employees to connect to it?
The aim is to then capture traffic being sent by those devices.
Do your staff destroy paper records correctly or are they left in printer trays? Could we walk out with folders of information?
Do sensitive paper records always get shredded? Our team will be looking for unlocked filing cabinets, documents left on printers or copiers. We will even go through bins to find things of value.
Would you spot people engaging in hostile recon? This can be a threat from an information security & counter terrorism perspective.
What can we find out about you and your staff online? How would an attacker use this? Is your online footprint too large?
We collect & analyse Open Source Intelligence (OSINT) to mount a convincing attack.
Some of the sources we look at include:
• Corporate website & job adverts
• Document & photo metadata
• Reverse image searches
• Email addresses & enumeration
• Social media
• DNS records
• Geolocation data
Social Engineering Penetration Test FAQ
Who can I tell?
The fewer people who know about the test the better to keep it as real and accurate as possible. We will help you identify who may need to be “in on it”.
Will you fix our security for us?
No. The people who test your security shouldn’t be the people who fix it and visa versa. This separation of roles is crucial to ensure your systems are as secure as possible. We are vendor neutral but can help you find solutions for fixes.
How much input do I get?