Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to aconfidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.
“Social engineering” as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer professionals.
Social engineering exploits the altruistic human behaviour with goal to disrupt the internal environment of the organization or obtain sensitive and confidential information using psychological games, manipulation or even threats.
Do you need social engineering tests?
The motivation for the realization social engineering attack may be various, for example financial gain, personal interests or intentional damage, and because a social engineer uses the natural tendency of individuals to believe and trust, this attack can be realized even by an attacker who does not have a deep technical knowledge. That is a reason why it is necessary to realize social engineering together with IT infrastructure and web application assessment. The social engineering analysis can even reveal such security weaknesses that classical technical penetration testing cannot.
Process of social engineering test
Minimum length of social engineering test is 5 days:
|Length of Test||5 days||6-7 days||8-10 days|
|Techniques and Methods||
During testing various social-technical tricks such as spoofing e-mail messages, spoofing Caller-ID or Sender-ID in SMS messages, impersonating as a new employee or other psychological aspects of acting on the victim are used. The social engineering tests can be divided into the below-mentioned methods and techniques.
The final report and evaluation
All revealed security incidents, insecure behaviour or obtained sensitive information are recorded and described comprehensively in the final report.
Description of the social engineering techniques used during testing
Passive social engineering is a phase of the collection and analysis of the following information:
- review of published information about tested organization
- analysis and extracting of all informations about vulnerabilities found in testing IT infrastructure
Goal: To gain any information or knowledge that can improve sophistication of social engineering attacks
Simulation of phishing is a phase that targets random or selected groups of employees and a specially crafted e-mail message (with malware or link to XSS vulnerability) is sent to this group
Goal: Using phishing attack to force employees to click on the spoofed link in order to introduce malware and gain control over their PC, or to force employees to visit a fake domain and obtain any kind of sensitive information from them
Obtaining sensitive and confidential information is performed using the following techniques:
- using telephone or SMS (with spoofed caller ID) to contact random or selected employees of the tested company
- using social networks, IM or VoIP communications to contact random or selected employees of the tested company
Goal: To obtain a sensitive information that can be easily misused (for example knowledge of the employee’s hierarchy, used infrastructure and software methods, information about technical support or to gaining passwords to employees’ mailboxes). To persuade the employees to do any decision in favor of the success of the social engineering test.
Active social engineering that involves:
- physical infiltration to the organization building where it is possible to interact with the other employees of the tested company
- test with a portable media (USB flash, DVDs, CDs) that become easily accessible to all employess of the tested organization
- trashdiving / dumpster diving
Goal: To gain full access and control over their PCs infected by malware, in case of physical infiltration to reveal as much as possible sensitive and confidential information from different locations of the building (on the table, in trash, etc.) or to gain full access to the intranet network with the plugged social engineer’s special device.