Social Engineering
The human element of any Information Security Program is often one of the most unpredictable. Some of the most well-thought-out and robust security programs have been defeated by a threat piggybacking behind an employee, finding passwords in dumpsters, or simply being let in.
CYBIEN’s Social Engineering Services are divided into two major branches:
- Onsite Social Engineering
- Remote Social Engineering
Both of our Social Engineering services are designed to closely emulate the methods of real-world attackers. We use an “objective-oriented” methodology to design a unique plan of attack for every engagement. We start by thoroughly researching our client’s organization, then determine the most likely targets of an attack on the organization based on our matrix of factors such as size, location, and industry. Next, we map out the most likely data or asset targets and develop a plan to capture those targets. We feel this approach offers our clients the added benefit of experiencing a more complex targeted attack, and still generally allows us to report on every control tested by a broader, less complex engagement.
Sample of Onsite Social Engineering tested controls and attack vectors:
Employee Awareness
- Piggybacking
- Pose as new employee
- Pose as vendor
Disposal of Sensitive Data
- Dumpster Diving
- Shred / Trash Bins
Sensitive Area Security
- Lock Manipulation
- Keypad Bypass
- Badge or Key Theft
Security of Devices/Systems
- Secure Boot
- Unattended Logon
Optionally
- USB device drops
- RFID Badge Cloning
- Combine Remote Social Engineering
Sample of Remote Social Engineering attack vectors:
- Phishing Attempts
- Spear Phishing Attempts
- Spoofed Email
- Email containing remote access tool
- Phone Calls
- Redirection to spoofed link
We painstakingly engineer and re-engineer our plans until we feel we have them fully ironed out. However, in reality, no plan survives first contact with the adversary, so we ensure our team members are all adept at adjusting on the fly. Rest assured, CYBIEN aims to provide the greatest value regardless of the circumstance.
Click HERE for more on Social Engineering from US-CERT.