Social Engineering Assessments
It's time to test your organization's weakest link
Your organization might have the latest software and patches running, an expertly configured firewall, SQLi-proof web applications, and end-to-end encryption for every packet going to or from your network. But even if you are doing nearly everything right when hardening your systems, security is only as strong as its weakest link, which in most cases is your users.
Remote / Electronic
A common theme among the highest-profile breaches in recent history has been the heavy use of remote social engineering attacks, namely phishing emails and vishing (voice phishing). Phishing emails become more sophisticated with each passing day and have evolved far beyond the all-too-obvious messages detailing your inheritance from a Nigerian prince...
A few questions you'll be able to answer after a remote social engineering assessment:
- Are your current email/spam filters effective at blocking malicious emails and attachments?
- Can we convince users to open/read emails, click on links within the emails, open attachments inside the emails, or hand over their credentials through a spoofed authentication portal?
- How effective is your current information security awareness training course? Does it serve as a simple "check-the-box" compliance exercise for most users, or has it produced real, positive changes in everyday behavior?
On-Site / Internal
Think your physical facility, server room, internal network, and user workstations are secure? Put your company's security awareness and physical protections to the ultimate test through an onsite assessment: set custom goals (or flags) on your most valuable internal assets and property and see whether they can be reached. Security Illusion specializes in social engineering services and customizes its approach to your unique requirements through goal-oriented testing methodologies.
A few common things we check for during an Onsite Social Engineering Assessment, per the request of our clients:
The effectiveness of your physical security/access control
- Will your employees allow someone to enter without proper identification, or even hold the door open for us?
- Are your current RFID badges susceptible to being trivially captured and cloned?
- If badges are indeed required (and actively enforced) for entry, will employees allow third-party individuals into the building if their disguise, pretext, and forged documents are convincing enough?
- Are exterior entrances (other than the main entrance) that employees use for smoke breaks, emergency exits, and parking garage exits properly secured and monitored?
Security of sensitive data locations
- Do employees keep their unattended desks clean of sensitive documents?
- Are passwords written down and "hidden" under a keyboard or mousepad, or stuck to a monitor in plain sight?
- Are file cabinets that contain sensitive information under lock and key?
- Are shred bins locked and secured?
Dumpster Diving (Your trash could be our treasure...)
- Are your company's exterior dumpsters monitored and secured?
- Are employees throwing sensitive documentation in the regular trash instead of disposing of it according to your shredding/document disposal policies?
- Do users lock their workstations when unattended?
- If a malicious USB drive were inserted by our consultants (or directly by one of your employees), would the custom-designed payload execute successfully, or would your antivirus, IPS/IDS, firewall, or other protections adequately prevent the attack from completing?
Internal Network Security
- Can a malicious actor obtain a valid IP address from any exposed network jack in the office? If so, would they be placed in the same VLAN as internal users?
Custom Goals
Every organization is different. To get the most out of the assessment, companies often request custom goals that test the things most important to their security bottom line. While there are virtually no limits to the custom goals we can satisfy for your company, here are a few examples of custom-goal requests we have received in the past:
"Can Security Illusion..."
- "...enter our server room? We don't need anything plugged in, but simply gaining access to the server room is critical enough for us! Take a selfie in there and call it a day"
- "...gain access to our building after-hours without triggering the alarm or alerting the on-site security personnel?"
- "...find an empty cubicle and workstation and work from it as long as they can without getting discovered/kicked-out?"
- "...dress up like the garbage men and wheel the secured shred bins straight out of the facility?"
- "...steal laptops, workstations, or other valuable company property and walk out the front door with it without detection or arousing suspicion?"
Think you could benefit from our services?
Contact us today!