Social Engineering Security Review

By Author: Secureapplication
Total Articles: 4
Comment this article

Social Engineering Security Review
Challenge
Social engineering is defined as using the human element to obtain access to sensitive or confidential information about an organization, its customers, or employees. Social engineering is used to gain access to information via telephone conversations, malicious emails, or by physically entering an office building. However, the greatest damage occurs when a hacker or other malicious source tries to infiltrate a network by manipulating the human element to obtain system credentials. If successful, even the most secure systems are at risk - allowing a hacker or malicious user to do things like steal money or gain access to credit card and/or proprietary client information. The results can be catastrophic, costing a company hundreds of thousands of dollars in fines and untold damages to its reputation.

Solution
The goal of Secure Application's Social Engineering Security Review is to determine whether our security consultants can obtain access to confidential or sensitive business information through conventional and unconventional tactics generally used by malicious ...
... sources. For example, a Secure Application consultant may impersonate an employee or delivery person in order to bypass physical security controls and gain access to your facilities. An attacker may also impersonate an employee and attempt to get system credentials for access to your networked systems, call the Help Desk and pretend to have forgotten their password, or attempt a spearphishing attack.

The result of this assessment is a clear understanding of your employees' awareness, knowledge, and adherence to security policy. Secure Application will identify where you are vulnerable and your level of exposure, and will recommend the appropriate safeguards, updates to security policy, and employee education needed to counteract the threats of social engineering.

Benefits
Minimizes theft or misuse of data
Reduces the risk of regulatory non-compliance
Mitigates risk by identifying vulnerabilities before they are exploited by an attacker
Helps to ensure the confidentiality, integrity, and availability of information assets
Proven methodology that ensures quality, accuracy, and thoroughness of your assessment
The Social Engineering Security Review determines whether Secure Application consultants can obtain access to your corporate information or internal resources by attempting to bypass physical or socially enforced security controls. The review results provide a clear understanding of the security awareness and knowledge among employees, as well as overall adherence to policy.

TSecure Application's Social Engineering Security Review involves multiple social engineering scenarios and can be carried out during normal business hours or during non-business hours.

Social engineering scenarios can include one or more of the following:

Bypass physical security controls and gain entry to location(s) without access badge
Photocopy or take pictures of any sensitive information
Send e-mail from unattended Mobile Device (Blackberry/Treo)
Send e-mail from unattended, unlocked computer
Leave USB key drives at strategic public locations that contain hidden embedded "phone home" software that will provide information on the client's IT infrastructure
Send "phishing" e-mails to solicit potentially sensitive information and/or IT infrastructure information from the employees or gain access to computing systems
Attempt to change employee's access credentials (impersonating a current employee, Secure Application will attempt to change the employee's password by calling the IT Admin/Support number)
Attempt to install a rogue wireless access point within the client's location(s) to provide network access without requiring physical access to the building
Obtain sensitive information via shoulder-surfing and eavesdropping
Impersonate service vendors (document delivery, tape backup collection, etc.) to obtain potentially sensitive information (documents, tape backups, etc.)