Measure Employee Security Awareness!
What is Social Engineering?
Social engineering attempts to trick employees into disclosing confidential information.
What is the Value of Social Engineering?
- Measures personnel's security awareness
- Identifies areas of risk for a common vector of confidential information disclosure
- Training: the results from these tests tend to be widely discussed throughout an organization, and education is the best defense against social engineering
- Helps your organization avoid social engineering attacks and fraud
This service is invaluable in helping identify vulnerabilities, and is an excellent way to educate employees and management on the best ways to thwart such attempts to breach your confidential information. Social engineering identifies where corporate training must be strengthened and where employees stray too far from secure procedures in their attempts to provide customer service and be helpful.
How Does it Work?
Social engineering involves multiple vectors of attack: telephone, email (targeted or spam), a spoofed (fake) website, or even an on-site visit. On-site social engineering involves either an attempt to access restricted areas of a building or dropping USB thumb drives and/or other portable media that have been loaded with our special testing software.
There are Various Social Engineering Attack Vectors that Redspin Can Test:
External (the basics):
Identification of system assets, data and network components.
- Email Message: Users are engaged remotely via email messages (some call this ethical phishing) and requested to perform an action and/or provide information that could be used by an attacker to gain network access.
- Telephone: Users are engaged remotely via the telephone and are requested to perform an action that is inherently compromising to network security, such as changing a password to one known to the caller.
On-Site (customized):
- Physical Access: Employees are engaged on-site to test physical access control and information disclosure.
- Portable Media: Memory sticks, thumb drives, USB drives or other such devices are distributed anonymously and employees are tested relative to policy and practice.
The statistics below are based on Redspin's social engineering testing and give an idea of the extent of the risk.
| Rates | Email | Phone |
| --- | --- | --- |
| Employee Failure Rate (percentage of employees who provided confidential information) | 22% | 53% |
| Organization Failure Rate (at least one employee failed) | 94% | 72% |
Real-World Stories
Below are Real-World Outcomes of Social Engineering Testing:
- While doing a social engineering audit at a bank, a Redspin engineer got a hold of "Jane". Jane was very friendly. Our engineer got her to help out "Joe, the IT guy" on the phone by changing her password to one that he chose. Then customer-friendly-Jane offered, "As long as I'm here, would you like me to change the password on all the other workstations?" How could we refuse?
- We were doing a social engineering audit for a customer and called the fourth person on our list. As soon as our engineer started in on his script — "Hi, I'm working with Jack over in IT, and..." — the person on the other end of the line said, "Is this a social engineering call?" and hung up on us. This is exactly what we hope to see!
- While doing an email social engineering test we sent a link to a new web-based email system supposedly set up by IT. It was really just a malicious page that was designed to steal user credentials. We felt bad when we got the following response back from an employee:
"You ROCK!!!!!!!!
Thank you!!! I've been asking for this for years!!!!
:)"
Prevent confidential data disclosure!
Contact Redspin today!