What is social engineering?
Social engineering is the act of tricking others into sharing information or taking an action, usually through technology. Social manipulation works by tapping into the innate impulses and emotional responses of a potential victim.
Social engineers often attempt to get into your physical infrastructure when trying to get into your organisation, which is why we always say "Cyber security starts with physical security".
What we test for:
- Establish what publicly available information about your company an intruder could obtain.
- Assess how vulnerable your staff are to social engineering and trespassing attacks.
- Determine how effectively your information security strategy and cyber security controls detect and prevent social engineering attacks.
- Check how susceptible staff members are to phishing.
What are the risks?
Humans are often the weakest part of an organisation's security. A lack of physical security could allow an attacker to walk straight into one of your buildings and take every piece of data you have. Although this is not what is generally thought of as a data breach, it is all too easy for an attacker to steal data in this fashion. Moreover, attackers could use another form of social engineering, such as phishing or a "Bad USB", to compromise a network by tricking your employees into doing it for them. Almost all malware is delivered into networks via phishing attacks. We aim to address this by offering training that teaches employees how to spot and report phishing emails and so protect your network.
Some examples of social engineering:
A cyber-criminal could leave a malware-laden USB stick at a place where the target will see it. The perpetrator might also label the device compellingly, for example "Confidential" or "Bonuses". A target who takes the bait will pick up the device and plug it into a machine to see what is on it, and the malware then installs itself directly on that computer.
A fraudster may send out emails that appear to come from a source the target trusts. For example, the source may appear to be a bank that asks email recipients to click on a link to log in to their accounts. Those who click on the link are taken to a fake website which, like the email, looks legitimate. If they log in at that fake site, they are handing over their login credentials and giving the crook access to their bank accounts.
If a friend sent you an email with the subject "Take a look at this website I found, it's completely awesome", you might not think twice before opening it. By taking over someone's email account, a fraudster can make anyone on that person's contact list believe they are receiving email from someone they know. The primary goals are to spread malware and to trick people out of their data.
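The phishing examples above rely on a link that looks like it leads somewhere trustworthy but does not. The following added example (not code from the original page or from the company it describes) shows one simple check a mail filter or awareness tool can run over an email: it flags anchor tags whose visible text names one site while the href points to another, links whose target is a bare IP address, and links whose host lies outside the sender's domain. The sample message, the `examplebank.test` and `attacker.test` names, and the `find_suspicious_links` function are all constructed for this illustration.

```python
"""Flag phishing-style links in an e-mail body.

Added example, not part of the original page. The message below is a
constructed sample: the sender looks like a bank, but the "log in" link
points at an unrelated host and a second link hides an IP address behind
a legitimate-looking URL as its visible text.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (all names and addresses are placeholders).
SAMPLE_EMAIL = """\
From: Customer Service <service@examplebank.test>
To: someone@example.test
Subject: Please verify your account
Content-Type: text/html

<html><body>
<p>Please <a href="http://examplebank-login.attacker.test/verify">log in</a>
to verify your account.</p>
<p>Or visit <a href="http://198.51.100.7/x">https://www.examplebank.test/</a></p>
<p><a href="https://www.examplebank.test/help">help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registered domain': the last two labels of a hostname."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def sender_domain(msg):
    """Domain of the From: address (the part after '@', minus any '>')."""
    addr = msg.get("From", "")
    return registered_domain(addr.split("@")[-1].rstrip(">")) if "@" in addr else ""


def find_suspicious_links(raw):
    """Return [(href, [reasons...]), ...] for links that look like phishing."""
    msg = message_from_string(raw)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    from_dom = sender_domain(msg)
    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        reasons = []
        # 1. The visible text is itself a URL, but on a different domain than the href.
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                reasons.append("display URL does not match href")
        # 2. The link target is a bare IP address rather than a hostname.
        if href_host.replace(".", "").isdigit():
            reasons.append("link target is an IP address")
        # 3. The link host is outside the domain the sender claims to be from.
        if from_dom and registered_domain(href_host) != from_dom:
            reasons.append(f"link host outside sender domain {from_dom}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the "help" link to the bank's own site passes, while the `attacker.test` link and the IP-address link are both reported with their reasons. The domain comparison is deliberately crude (last two labels only) and is meant as a teaching aid for what to look at, not as a production filter; a real deployment would also check the `Return-Path`/`Reply-To` headers and SPF/DKIM results.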
There is no "catch all" training solution for social engineering vulnerabilities. Each company's response will be different, so we develop a targeted awareness training programme based on the vulnerabilities discovered.