Social engineering, in the context of information security, is the art of manipulating people into performing actions or divulging confidential information. A social engineering test differs from a real attack in that it is carried out with the explicit written consent of the client, and its purpose is to produce a comprehensive report and to close security holes before a real attacker can exploit them.
In 90% of all tests, we managed to obtain sensitive information employing social engineering techniques.
Why Social Engineering?
- Does the best IT security really help if employees happily give out sensitive information?
- Do employees click on links if they seem to get an email from a co-worker / manager?
- Can employees be tricked over the phone when an attacker impersonates law enforcement?
- Is the physical security weak? Can attackers dumpster dive? Is tailgating possible?
- Are non-technical users unaware of, or uneducated about, social engineering threats?
Who should be Social Engineering tested?
- Businesses that use IT systems of any kind, or hold confidential data or customer information
- Businesses that don't want lawsuits from clients when data has been stolen
- Businesses that have fallen victim to an attack and don't want to wait for the next one
- Businesses that must comply with industry and/or government regulations
- Businesses that have heard that competitors have already faced a cyber attack
- Businesses that understand that proactive security is a lot cheaper than reactive security
Social Engineering Audit Services
During a Social Engineering Audit, we can perform tests electronically (computer-based) and by phone. Before any engagement, we gather a large amount of open-source information through online information gathering. We also impersonate sources of authority and use a variety of techniques, such as:
- Spear phishing email campaigns, which involve sending crafted emails that appear to come from a superior and get the user to click a link and/or provide confidential information. We also get employees to visit fake websites, which simulate infecting their machines or are used to "phish" credentials.
- Spear phishing in conjunction with the simulated exploitation of the endpoint (optional)
- Phone-based social engineering, including Caller ID and SMS spoofing, along with vishing (voice phishing) exercises
- We can perform social engineering tasks in which special USB devices with simulated malware are distributed to track who plugs them in.
- Our services also include continuous e-learning user education.
- All services come with comprehensive reporting, user tracking and classification.
How often should a Social Engineering Test be done?
A full audit should be done at least 2 – 4 times per year, and the results should flow into the company's security policy. We recommend regular user education, which we also provide.
How is the Service charged?
We charge based on the number of employees to be tested. Please contact us and we will provide you with a free consultation call.
Please fill in the following information and a Fast Lane representative will contact you soon.