Social engineering testing

All forms of social engineering concentrate on how human behaviour affects the security of your organisation. Here we discuss the two main types, how they are performed and why they are useful.

Digital vs physical social engineering

Examples of physical social engineering could include: walking through reception without being challenged by a member of staff; or having someone hold the back door open for you as they go out to smoke. Once inside, the attacker could plug a rogue device into the network, ready for further attacks.

Digital social engineering tests could include a semi-targeted email phishing campaign, where every member of staff is sent a message asking them to click on a link; or a very targeted spear-phishing campaign, where you build a rapport with specific individuals and get them to open links to malicious websites, or malicious documents they have been emailed.
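The semi-targeted campaign above only tells you something if each click can be tied back to the recipient who made it. The following is an added example, not code from the original page: it builds a unique tracking link per recipient using a keyed HMAC (so the address is not exposed in the URL and one token cannot be derived from another), then attributes clicks from web-server access log lines and computes the click rate. The landing host, campaign secret, staff list and log lines are all constructed for illustration.

```python
"""Phishing-simulation click tracking (added example; all data constructed)."""
import hashlib
import hmac
import re
from collections import Counter

# Assumptions: a landing host the tester controls and a random, per-campaign secret.
LANDING_HOST = "https://training-portal.example.com"
CAMPAIGN_SECRET = b"rotate-this-per-campaign"


def make_token(email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque per-recipient token: truncated HMAC-SHA256 (64 bits) keeps links short
    while remaining unguessable without the campaign secret."""
    digest = hmac.new(secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return digest[:16]


def build_links(recipients):
    """Map each recipient to the unique link that goes into their phishing email."""
    return {email: f"{LANDING_HOST}/login?t={make_token(email)}" for email in recipients}


# Common Log Format, GET requests only (constructed to match the sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"[?&]t=([0-9a-f]{16})")


def attribute_clicks(log_lines, recipients):
    """Return {email: click_count} for successful hits carrying a known token.
    Unknown tokens (scanners, typos) and non-200 responses are ignored."""
    token_to_email = {make_token(e): e for e in recipients}
    clicks = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        t = TOKEN_RE.search(m.group("path"))
        if t and t.group(1) in token_to_email:
            clicks[token_to_email[t.group(1)]] += 1
    return clicks


def click_rate(clicks, recipients):
    """Fraction of recipients who clicked at least once (repeat clicks count once)."""
    clicked = sum(1 for e in recipients if clicks.get(e))
    return clicked / len(recipients)


# Constructed staff list and access-log excerpt for a dry run.
STAFF = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def sample_log():
    links = build_links(STAFF)
    alice_path = links["alice@example.com"].replace(LANDING_HOST, "", 1)
    bob_path = links["bob@example.com"].replace(LANDING_HOST, "", 1)
    return [
        f'203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET {alice_path} HTTP/1.1" 200 512',
        f'203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET {alice_path} HTTP/1.1" 200 512',
        f'198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET {bob_path} HTTP/1.1" 200 512',
        '192.0.2.9 - - [10/Oct/2023:14:03:00 +0000] "GET /login?t=0000000000000000 HTTP/1.1" 200 512',
        '192.0.2.9 - - [10/Oct/2023:14:03:01 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    ]


def run_campaign_report():
    """Attribute the sample log and return (per-recipient clicks, overall click rate)."""
    clicks = attribute_clicks(sample_log(), STAFF)
    return clicks, click_rate(clicks, STAFF)


if __name__ == "__main__":
    clicks, rate = run_campaign_report()
    for email in STAFF:
        print(f"{email}: {clicks.get(email, 0)} click(s)")
    print(f"click rate: {rate:.0%}")
```

Two design points worth noting: the token is derived from the address rather than stored in a lookup table, so the mapping can be regenerated from the secret at reporting time, and the HMAC key means a staff member who inspects their link learns nothing about anyone else's. Per-recipient results are for the tester's attribution only; what gets reported back is normally the aggregate rate and the training need, not a list of who clicked.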

The point of social engineering tests

These two types of work are where the people at the organisation are put to the test. Instead of working out whether there are technical vulnerabilities, we look at how well members of staff cope with someone trying to persuade them to do things they normally wouldn't. This is where most real attackers gain their initial foothold. There are plenty of technologies that help stop these attacks from succeeding, but like most things in cyber security this is an arms race: attackers create new tactics and techniques as soon as defenders develop new technologies.

It is because of this arms race that cyber security experts talk about an "assume breach" mentality. The goal is no longer simply to keep attackers out; it is to make it hard for them to get in, and even harder for them to stay undetected once they are in.