Social engineering is the act of tricking someone into divulging confidential or personal information, usually through technology, that may be used by or sold on to criminals to commit fraudulent activity. It is thought by many to be a dark art, but over recent years we have seen social engineering attacks overtake technical hacks.
Criminals use social engineering to take advantage of the victim’s natural tendencies and emotional reactions; where a strong password is in place, it is much easier to fool someone into handing it over than to hack the password.
Some elements of social engineering are now an essential part of a full penetration test, adding in elements to test the human weaknesses often referred to as the “Human Network”.
We have designed 3 testing elements which can be run as stand-alone tests or added to your next penetration test.
Targeted Phishing Attack
Targeted phishing (or spear-phishing) is the practice of sending targeted emails, pretending to be from a company the recipient knows well, in order to persuade the individual to reveal information. The aim may be to obtain passwords and credit card numbers, or to get the recipient to unintentionally install malicious software on their device.
Targeted phishing has become a daily threat to corporate security and is one of the fastest growing causes of data loss and breaches. Targeted phishing attacks are often successful because they focus on the organisation's weakest link - their employees.
Focus should be on training to ensure staff are forearmed and forewarned of the potential types of attack they may see, and the potential impact of being caught by such an attack.
Once you believe you have sufficiently trained your staff, then the next step is testing. This is where our Managed Social Engineering service comes in.
Our managed service involves undertaking a series of social engineering exploits, directing users back to training when needed, as part of your ongoing Cyber Security Awareness programme.
We can work with our own preferred training partners, or integrate our service into your internal processes to get the best value out of your existing solution.
Costs start at £1,600 for up to 30 targets, and £2,000 for 30 to 100 targets.
Onsite Access Test
How secure are your premises?
The best security mechanisms can be undermined by the practices of poorly trained staff. This may include leaving the door to a secure area propped open or helping someone with boxes through a locked door, giving the unchecked entrant free rein to take what they wish or to access your systems without your knowledge or control.
To address this issue, security awareness programmes provide the best return on investment and help maintain the highest levels of security.
Our onsite access test focuses on non-IT security controls, staff and services by testing the effectiveness of your controls.
A report is created to show your current level of resilience to malicious social engineering attacks. The report will give clear advice and guidance on onsite security improvements.
Costs start at £1,800 (up to 2 sites).
Black Box Test
Opportunistic attackers may not spend time profiling your organisation in order to create a targeted attack plan.
We can replicate this with an attack carried out with zero knowledge of your business and with one aim: to gain access to your data/systems without the use of technical testing, using non-destructive means only.
Costs start at £3,000 for one entire test for 1 geographical site, and £4,000 for 2-3 sites.