Social Engineering Penetration Testing

By Akash Desai, Director, ERMProtect IT Security Consulting

Social engineering, sometimes called “human hacking,” is the practice of manipulating people into giving out sensitive information or taking an action that undermines security. It is one of the most effective tactics attackers use because it exploits human trust and error rather than a flaw in the technology.

Tricking employees is one of the easiest ways to reach into the deepest levels of an organization’s data and network. A single human error can bypass the most sophisticated, state-of-the-art technical countermeasures against breaches.

Social media deserves special mention for enabling these attacks, making it easy for malicious actors to gather information that helps them fool people.

Numbers Speak Louder Than Words

There are some truly alarming numbers that will help put things into perspective as far as social engineering attacks are concerned:

These numbers shine a bright light on the need for employee cybersecurity awareness training, which helps embed “cyber smart” thinking into a company’s culture. The training protects the organization, but also the employee: hackers are after their personal information, too, as the recent Social Security number breach showed.

Modus Operandi

Hackers usually plan a social engineering attack in phases, with each step calculated in advance.

When attacking organizations, a technique known as “spear phishing” has proved the most successful. The size of the organization does not matter to the attacker; what matters is the return on time spent, so an organization that offers the maximum return for the effort is a good target.

When using spear phishing, hackers zero in on a specific individual at the organization, often someone with some degree of authority. They then begin to gather as much information as possible on that person from the Internet and social media.

With the target chosen, the hacker builds a “pretext,” the cover story that will be used to dupe the victim. They reach out to the victim to gain their confidence, often by posing as a trusted insider. Once the target is engaged, the attacker tries to extract sensitive information, such as credentials, that can be used to gain access to the network and launch further attacks.

Oftentimes the attacker maintains a foothold in the organization that goes undetected for days or months before being exposed. In fact, research suggests that, on average:

  • Breaches that begin with phishing go undetected for 295 days.
  • Breaches attributed to third-party software vulnerabilities or malicious insiders go undetected for 284 days.
  • Breaches involving social engineering take 270 days to detect.
  • Breaches caused by cloud misconfigurations go unnoticed for 244 days.

Social Engineering Tactics

Hackers use different types of tactics when performing social engineering attacks. Some of these include:

Phishing

Phishing barely needs an introduction given how widespread it is. For the uninitiated, it is a method of tricking users into clicking malicious links that lead to fake websites closely resembling the real ones, where victims are asked to enter credentials or other sensitive data.

In a recent attack, phishers impersonated the United States Department of Labor, sending fake invitations to bid on federal projects with the aim of stealing Office 365 credentials. The fake site displayed an error message the first time the target entered credentials, tricking them into entering the same credentials twice; the second entry let the attackers rule out a mistyped password. Finally, victims were redirected to the real Labor Department site so as not to arouse suspicion that anything was amiss.

Spear Phishing

As discussed earlier, spear phishing targets a specific individual or organization. This type of attack relies on deep research about the victim. Outreach is crafted specifically to lure the victim into believing that they are communicating with a trusted source. The motive is to gain access to sensitive information such as account details or financial information.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a form of spear phishing in which the attacker researches an organization to identify the people who have financial access and authority. The attacker then impersonates a company executive or financial official in emails to those people, typically requesting a payment such as a wire transfer. The most common BEC attacks use “spoofed” senders: the attacker creates a sender address that looks similar or identical to that of the executive or financial official, for example by registering a look-alike domain or by setting the display name to the executive's name on an unrelated mailbox.
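The look-alike and display-name tricks described here, and the fake-site lures in the Phishing section above, leave traces in the From: header that a mail gateway or an analyst can check before the message reaches a finance user. The script below is an added example written for this article, not ERMProtect tooling: it folds a sender domain into a canonical form (punycode expanded, accents stripped, common substitutions such as rn for m, 1 for l, or Cyrillic letters for Latin ones undone), compares it to the organization's domain by homoglyph match, edit distance and embedded-name check, and flags display names that claim to be a protected person but come from another address. The organization domain, the protected-person list and the sample headers are constructed assumptions.

```python
"""Look-alike sender and display-name checks for From: headers.

Added example for this article, not ERMProtect code. The organisation
domain, the protected-person list and the sample headers below are
constructed assumptions for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                  # assumed defended domain
PROTECTED_PEOPLE = {"jane doe": "jane.doe@example.com"}     # hypothetical CFO

# Visual substitutions common in look-alike registrations. Multi-character
# ones are applied before single-character ones. The Cyrillic entries are
# written as escapes so the confusable letters are visible in source.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(domain: str) -> str:
    """Fold a domain into a canonical form for look-alike comparison."""
    domain = domain.lower().rstrip(".")
    try:                                   # expand punycode labels (xn--...)
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass                               # raw non-ASCII: compare as given
    domain = unicodedata.normalize("NFKD", domain)
    domain = "".join(c for c in domain if not unicodedata.combining(c))
    for src, dst in MULTI_CHAR:
        domain = domain.replace(src, dst)
    domain = domain.translate(SINGLE_CHAR)
    return re.sub(r"[^a-z0-9.]", "", domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from_header(from_header: str) -> list:
    """Return findings for one From: header; an empty list means nothing suspicious."""
    findings = []
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From: address"]
    domain = address.rsplit("@", 1)[1]
    norm, org = normalize(domain), normalize(ORG_DOMAIN)
    org_label = org.split(".")[0]

    if norm == org:
        if domain.lower() != ORG_DOMAIN:
            findings.append(f"homoglyph/IDN look-alike of {ORG_DOMAIN}: {domain}")
        # An exact match is not proof of origin: SPF/DKIM/DMARC results are
        # what rule out a forged From: header, and this check does not see them.
    elif edit_distance(norm, org) <= 2:
        findings.append(f"near-miss look-alike of {ORG_DOMAIN}: {domain}")
    elif org_label in norm:
        findings.append(f"embeds '{org_label}' in an unrelated domain: {domain}")

    key = display.strip().lower()
    expected = PROTECTED_PEOPLE.get(key)
    if expected and address.lower() != expected:
        findings.append(f"display name '{display}' impersonates {expected}, sent from {address}")
    return findings


# Constructed sample headers: one legitimate, the rest typical BEC/phishing tricks.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",          # legitimate
    "Jane Doe <jane.doe.cfo@gmail.com>",        # display-name impersonation from free mail
    "Accounts Payable <ap@exarnple.com>",       # 'rn' for 'm'
    "Finance <finance@exampel.com>",            # transposed letters
    "IT Helpdesk <helpdesk@example-com.net>",   # org name embedded in another domain
    "Payroll <payroll@ex\u0430mple.com>",       # Cyrillic 'a'
    "Jane Doe <jane.doe@examp1e.com>",          # '1' for 'l' plus impersonated name
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", analyze_from_header(header) or "clean")
```

The check is deliberately one-sided: it raises suspicion but cannot clear a message. A From: address that matches the real domain exactly is only trustworthy when the gateway's SPF, DKIM and DMARC verdicts say so, which is why a DMARC reject policy on the organization's own domain is the control that closes the "identical address" variant of BEC.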

Pretexting

Pretexting can happen over the phone, in person, or online. The attacker convinces the target of a made-up story, for example by posing as an IT or help desk employee investigating a problem, in order to extract internal information that can later be used to mount attacks.

Baiting

Baiting, as the name suggests, uses a lure such as a USB drive left in a lobby to entice victims into picking it up and plugging it into their system. Once that happens, malware on the drive installs itself and quietly steals information in the background. Baiting does not require a physical device: it can also be done through online advertisements that entice the victim with offers such as free downloads, discounts, and other freebies.

Scareware

Scareware frightens victims with false alarms, such as popups or messages claiming that their system is infected with malware and urging them to install a rogue application to clean it. Installing that application actually installs malware that steals sensitive information. Sometimes scareware is simply a sales scam: the victim pays for a program that does essentially nothing.

Physical Social Engineering

Physical social engineering goes a step further: the attacker shows up at the organization's premises in person to steal sensitive assets. They may pose as a visitor, maintenance staff, a third-party vendor, or a delivery person, or simply tailgate (piggyback) behind an authorized employee who has just opened a secure door with their ID card.

The main aim is to collect information available on site, such as unattended drives on desks or documents left on desks or in trash bins.

Vishing

Vishing, or voice phishing, is a method in which attackers use phone calls to trick victims. The calls can come from a live person or from a recording, depending on the plot. Scammers pose as bank employees, IT support personnel, or representatives of an official institution to lure victims into giving out sensitive details that can be used for identity theft, account takeovers, or financial fraud.

Enter Social Engineering Penetration Testing

Cybersecurity training is a major countermeasure to keep employees from making these mistakes. Employees must be up to date on the latest ways hackers can trick them. But different employees need to be trained differently.

That’s where social engineering penetration tests come in very handy.

The idea is to perform the same kinds of social engineering attacks that a real-world hacker would on company employees. Social engineering penetration tests help organizations identify exactly what each employee’s weaknesses are in terms of cybersecurity awareness. Once this is known, the organization can train employees on their specific weaknesses.

For instance, if a certain employee repeatedly falls for phishing links, then phishing-specific training that teaches them to identify malicious links and treat them with caution is the right response.

An employee who unwittingly lets a stranger into a secure area would receive physical security training.

Customizing the training to specifically address an employee’s weak areas ensures they brush up in areas where they are faltering.
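The targeting described in this section only works if the test results are recorded per employee and per tactic and then turned into a plan. The script below is an added example, not ERMProtect's tooling: it takes a constructed set of simulated-test outcomes (phishing, vishing and physical tests), computes per-employee failure rates, organization-wide failure and reporting rates, a per-employee list of tactics to train on, and the repeat offenders who should be prioritized. The result records, the outcome vocabulary, the 50% threshold and the module names are all assumptions made for illustration.

```python
"""Turn social engineering pentest results into per-employee training needs.

Added example for this article, not ERMProtect's tooling. The result
records, outcome vocabulary, thresholds and module names are constructed
assumptions for illustration.
"""
from collections import defaultdict

# Constructed results of simulated tests: (employee, tactic, outcome).
# "reported"/"challenged"/"ignored" pass the test; the rest fail it.
RESULTS = [
    ("alice", "phishing", "reported"),
    ("alice", "phishing", "clicked"),
    ("alice", "phishing", "submitted"),    # entered credentials on the fake page
    ("alice", "vishing", "ignored"),
    ("bob", "phishing", "ignored"),
    ("bob", "phishing", "reported"),
    ("bob", "physical", "admitted"),       # let a tester tailgate into a secure area
    ("bob", "vishing", "disclosed"),       # read out an internal detail to the caller
    ("carol", "phishing", "clicked"),
    ("carol", "physical", "challenged"),   # asked the tester for a badge
    ("carol", "vishing", "reported"),
]

PASS_OUTCOMES = {"ignored", "reported", "challenged"}
FAIL_OUTCOMES = {"clicked", "submitted", "disclosed", "admitted"}
ACTIVE_DEFENCE = {"reported", "challenged"}   # the behaviour training tries to build

# Hypothetical mapping from a weak tactic to the training module that addresses it.
TRAINING_MODULES = {
    "phishing": "Recognising malicious links and attachments",
    "vishing": "Verifying callers before disclosing anything",
    "physical": "Visitor handling and tailgating prevention",
}


def _tally(results):
    """{employee: {tactic: {"tests": n, "fails": n, "active": n}}}, validating outcomes."""
    tally = defaultdict(lambda: defaultdict(lambda: {"tests": 0, "fails": 0, "active": 0}))
    for employee, tactic, outcome in results:
        if outcome not in PASS_OUTCOMES | FAIL_OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {employee}/{tactic}")
        cell = tally[employee][tactic]
        cell["tests"] += 1
        cell["fails"] += outcome in FAIL_OUTCOMES
        cell["active"] += outcome in ACTIVE_DEFENCE
    return tally


def score_employee(results, employee):
    """Per-tactic (fails, tests) for one employee."""
    return {t: (c["fails"], c["tests"]) for t, c in _tally(results)[employee].items()}


def campaign_summary(results):
    """Organisation-wide failure and active-defence rates per tactic."""
    totals = defaultdict(lambda: {"tests": 0, "fails": 0, "active": 0})
    for per_tactic in _tally(results).values():
        for tactic, cell in per_tactic.items():
            for k in totals[tactic]:
                totals[tactic][k] += cell[k]
    return {t: {"tests": c["tests"],
                "failure_rate": c["fails"] / c["tests"],
                "report_rate": c["active"] / c["tests"]} for t, c in totals.items()}


def training_plan(results, threshold=0.5):
    """Tactics each employee should be trained on: failure rate >= threshold,
    worst first (ties alphabetical)."""
    plan = {}
    for employee, per_tactic in _tally(results).items():
        weak = [(c["fails"] / c["tests"], t) for t, c in per_tactic.items()
                if c["fails"] / c["tests"] >= threshold]
        if weak:
            plan[employee] = [t for _, t in sorted(weak, key=lambda w: (-w[0], w[1]))]
    return plan


def repeat_offenders(results, min_fails=2):
    """Employees who failed the same tactic at least min_fails times."""
    return {e: sorted(t for t, c in per.items() if c["fails"] >= min_fails)
            for e, per in _tally(results).items()
            if any(c["fails"] >= min_fails for c in per.values())}


if __name__ == "__main__":
    for tactic, stats in campaign_summary(RESULTS).items():
        print(f"{tactic:9} tests={stats['tests']} failure={stats['failure_rate']:.0%} "
              f"reported={stats['report_rate']:.0%}")
    for employee, tactics in training_plan(RESULTS).items():
        print(employee, "->", [TRAINING_MODULES[t] for t in tactics])
    print("repeat offenders:", repeat_offenders(RESULTS))
```

Two design choices matter in practice. The report rate is tracked alongside the failure rate because an employee who clicks but then reports the email still gives the security team a chance to respond, and that reporting habit is the behaviour repeated testing should build. And a fixed threshold on a handful of tests is noisy, so the repeat-offender view, which needs the same failure more than once, is the one to use for prioritizing one-to-one training rather than the raw rate.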

Social engineering penetration tests play a vital role in giving organizations a real picture of the cyber awareness of their employees. It also helps showcase to stakeholders and regulators the proactive approach the organization is taking in fending off cyberattacks.

History has shown that organizations with even the best technological capabilities have fallen victim to attackers because of human weaknesses. Social engineering penetration tests are a great way to test human defenses and fight back.

Remember: The more regularly employees undergo social engineering penetration tests, the more alert they become.

In the end, your organization will be able to implement a strong cybersecurity program that covers a full 360-degree range of technology, people, and processes.

Social Engineering Penetration Testing with ERMProtect

No matter how much an organization improves its technical defenses, employees can fall victim to phishing attacks and other hacker lures. ERMProtect™ arms employees with the tools and security awareness they need to protect themselves and their organizations from cyberattacks. Learn more about ERMProtect's Security Awareness Training here.

For more information about ERMProtect’s social engineering penetration testing services, please email [email protected] or call 305-447-6750.

About the Author

Akash Desai is a Director of Consulting for ERMProtect. For more than 15 years, he has combined technical expertise with creativity and problem-solving acumen to create innovations and solutions that address challenging cybersecurity problems. His past accomplishments at the prestigious CERT® Coordination Center and the innovative Carnegie Mellon CyLab bear witness to his goal-oriented approach to cybersecurity’s biggest issues in the areas of insider threat, intrusion prevention, proactive and agile cyber-defense, and security awareness training. At ERMProtect, he is the brain behind the innovative ERMProtect™ cybersecurity awareness training practice and has led several highly complex cybersecurity projects and project teams.
