11% of all attacks in 2011 employed social engineering tactics, according to Verizon's latest Data Breach Investigations Report. These attacks can take many forms, including phone calls to key personnel, phishing emails, and baiting with physical media loaded with Trojan horse programs. Surveys have found that 90% of office workers give up their password in answer to a survey question in exchange for a cheap pen or some chocolate.
Network Security Group has been involved in many social engineering exercises to assess clients' defences against these types of attack. We have had significant success with our social engineering attack simulations, which have helped to highlight the risks to clients, who can then implement defensive strategies based on our advice.
Crafted Email Phishing Social Engineering Exercise
Social engineering email phishing attacks have been shown to be a very powerful weapon in cyber warfare. With targeted and convincing payloads, users will give up practically any information requested. Our email phishing simulations usually focus on collecting live user credentials and gaining access to users' email accounts and, from there, to the corporate network. Over the years we have honed our techniques, and our success rate is very high.
Trojaned USB Stick Social Engineering Exercise
Our Trojaned USB exercise records incidents in which users insert USB sticks (carrying a harmless payload) that have been scattered throughout a workplace or in nearby locations and execute the enticing content on them. Research has shown that this can be a very effective way for an attacker to gain access to the internal network and escalate their privileges.
Information Extraction and Targeted Phone Calls Exercise
Many attacks have been recorded in which the attacker first gathers information about a particular company and then uses this information as leverage to gain access to network resources or to obtain sensitive information. Based on the gathered information, the attacker makes targeted phone calls to entice employees to disclose access credentials. Reaction aims to simulate these types of attack in our targeted phone calls exercise so that an assessment of the client's defences can be made. Calls will be made to individuals within the client's organisation (including the helpdesk and other critical personnel), and attempts will be made to entice the employee to disclose sensitive information.
Physical Security Testing
In this exercise, Network Security Group will attempt to gain access to the client's building. Once inside, our physical security consultants will attempt to gain access to sensitive information and/or the server room. Our physical social engineering testing methodology covers the following areas:
- Simulating the activities of an intruder accessing the onsite network
- Attempting to gain access without being detected or challenged for ID
- Gaining a realistic picture of the site security posture
- Testing physical security procedures and user awareness
- Remote and onsite reconnaissance
- Visual display of security presence
- Detailed report and walk-through