The term “social engineering” has been used for years by hackers to describe the technique of using persuasion or deception to gain access to information systems. Such access is typically implemented through human conversation or other interaction. The medium of choice is usually the telephone, but it can also be communicated via an email message, a television commercial, or countless other mediums for provoking human reaction. Consider a floppy drive or CD labeled “Payroll” and left in a hallway or restroom within an organization. On the media is malicious code. Would anyone in the organization insert this media into their computer and access the contents?
Foundstone performs the type of social engineering most appropriate for your organization. Our methodology mirrors our approach to security assessments. We begin with target identification and information gathering, followed by exploitation attempts. We systematically apply these principles in a customized approach that depends on the objectives of the particular situation.
We work closely with our client to define the test scenarios. The test scenarios are tailored to specific policies and processes within their organization. Some organizations may have incident response procedures in place to report suspicious phone calls. Foundstone can test these procedures by making obvious attempts at gaining confidential information without proper authorization. This is an excellent way to test the effectiveness of a security awareness training program or lay the foundation for creating such an awareness program.
Three common attack vectors identified include:
Regardless of what type of social engineering testing is performed, upon completion we will provide a detailed report about the policies tested and the results of each attempted breach.