Social Engineering Security Review

Challenge

Social engineering is defined as using the human element to obtain access to sensitive or confidential information about an organization, its customers, or employees. Social engineering is used to gain access to information via telephone conversations, malicious emails, or by physically entering an office building. However, the greatest damage occurs when a hacker or other malicious source tries to infiltrate a network by manipulating the human element to obtain system credentials. If successful, even the most secure systems are at risk - allowing a hacker or malicious user to do things like steal money or gain access to credit card and/or proprietary client information. The results can be catastrophic, costing a company hundreds of thousands of dollars in fines and untold damages to its reputation.

Solution

The goal of Secure Application's Social Engineering Security Review is to determine whether our security consultants can obtain access to confidential or sensitive business information through conventional and unconventional tactics generally used by malicious sources. For example, a Secure Application consultant may impersonate an employee or delivery person in order to bypass physical security controls and gain access to your facilities. An attacker may also impersonate an employee and attempt to get system credentials for access to your networked systems, call the Help Desk and pretend to have forgotten their password, or attempt a spearphishing attack.

The result of this assessment is a clear understanding of your employees' awareness, knowledge, and adherence to security policy. Secure Application will identify where you are vulnerable and your level of exposure, and will recommend the appropriate safeguards, updates to security policy, and employee education needed to counteract the threats of social engineering.

Benefits

• Minimizes theft or misuse of data
• Reduces the risk of regulatory non-compliance
• Mitigates risk by identifying vulnerabilities before they are exploited by an attacker
• Helps to ensure the confidentiality, integrity, and availability of information assets
• Proven methodology that ensures quality, accuracy, and thoroughness of your assessment

The Social Engineering Security Review determines whether Secure Application consultants can obtain access to your corporate information or internal resources by attempting to bypass physical or socially enforced security controls. The review results provide a clear understanding of the security awareness and knowledge among employees, as well as overall adherence to policy.

TSecure Application's Social Engineering Security Review involves multiple social engineering scenarios and can be carried out during normal business hours or during non-business hours.

Social engineering scenarios can include one or more of the following:

• Bypass physical security controls and gain entry to location(s) without access badge
• Photocopy or take pictures of any sensitive information
• Send e-mail from unattended Mobile Device (Blackberry/Treo)
• Send e-mail from unattended, unlocked computer
• Leave USB key drives at strategic public locations that contain hidden embedded "phone home" software that will provide information on the client's IT infrastructure
• Send "phishing" e-mails to solicit potentially sensitive information and/or IT infrastructure information from the employees or gain access to computing systems
• Attempt to change employee's access credentials (impersonating a current employee, Secure Application will attempt to change the employee's password by calling the IT Admin/Support number)
• Attempt to install a rogue wireless access point within the client's location(s) to provide network access without requiring physical access to the building
• Obtain sensitive information via shoulder-surfing and eavesdropping
• Impersonate service vendors (document delivery, tape backup collection, etc.) to obtain potentially sensitive information (documents, tape backups, etc.)