
Social engineering refers to any technique used by a threat actor that targets people and process rather than technology. The objective of a social engineering attack is typically to manipulate people into divulging confidential information or performing an action that benefits the attacker, ideally without those people realizing it. Information security programs commonly require that the threat of social engineering be replicated through regular penetration tests.
Benefits of social engineering testing
People are often easier to compromise than technology, and a compromised person gives an attacker a direct entry point into the target network. Consequently, threat actors often find success when targeting people and processes. Meanwhile, it is common for organizations to focus on securing their technology. While technology is very important, it does not represent the entire attack surface of an organization. Including social engineering tests in an information security program gives more complete assurance against real-world threats.
A successful social engineering testing program has well-defined objectives and covers several approaches. These include remote techniques such as email, text message, phone calls and even post. For complete coverage, in-person techniques that attempt to gain physical access should also be conducted. When all of these approaches are included in a social engineering test, a true picture of strengths and weaknesses, as they relate to people, begins to emerge.
Benefits of social engineering tests include:
- Identify vulnerabilities relating to attacks that leverage people and process.
- Understand the likely impact of an attacker that uses social engineering.
- Gain insight into what people and process defenses are currently working well.
- Get assurance that includes consideration of real-world threats such as phishing.
Organizations that include social engineering threats in their assurance program gain greater insight into their overall information security posture. It is becoming increasingly common for assurance programs to require that people and process are thoroughly tested on a regular basis, because that is what attackers are targeting too.
The Problem
In the past, it was common for attackers to focus on Internet-facing infrastructure. Technology was generally not well defended, so targeting it was low risk and high reward for most attacker objectives. Times have changed. Technology is typically better defended, and attackers are finding more success when targeting people and process. This shift has occurred, but many organizations have failed to keep their threat model up to date.
Did you know:
- Social engineering attacks were responsible for the theft of over $5 billion worldwide during a recent three-year period.
- 55% of all emails are spam.
- 97% of all attacks use some form of social engineering.
It is clear that social engineering is a real-world threat. The likelihood of such an attack succeeding against an organization, and its impact if it does, need to be understood. A social engineering test hands that knowledge to an enterprise and feeds into a robust cyber security strategy.
About the Service
Social engineering attacks are commonplace and take various forms.
Examples include:
- Phishing. Anyone who has used email has almost certainly received a phishing email at some point. These are email-based solicitations designed to entice a person into doing something for an attacker, e.g. installing malware, entering credentials into a fake login page, wiring money, etc. More targeted forms of this attack are known as spear phishing. This variant typically involves a tailored pretext: the target person is researched, and a convincing-looking phishing email is crafted specifically for that person. More targeted emails have a higher chance of success from the attacker’s perspective, but they take more time, effort and skill to craft.
- Vishing. This is the voice variant of phishing and it happens over the phone. There is typically a strong pretext for the call. It is common for a savvy attacker to collect individual pieces of information across multiple calls. Individually, each piece of information is low value and attempting to get it is unlikely to raise suspicion. Collectively, the information becomes much more valuable and can be used to execute a social engineering attack with high impact.
- Baiting. This is where a user is enticed to do something for the attacker based on ‘bait’. For example, a USB stick could be left in a parking lot in the hope that a target person will pick it up and plug it into their laptop. The stick could appear valuable or official and contain interesting-looking files that are really malware. A more targeted version of this uses snail mail to post something to a specific target person, perhaps with the pretext of it being a prize (nice packaging goes a long way) or of having been sent by someone they know.
- Tailgating. This is one of many forms of physical social engineering. Physical social engineering often has the objective of introducing something malicious into a building, such as malware, or removing something valuable, such as sensitive paperwork. Tailgating is the act of waiting for an authorized person to access a restricted area and following them through closely before the restriction, e.g. a door, re-engages.
There are many other types of social engineering; the examples above are intended to give a flavor of what attackers typically do.
A social engineering test will use one or more techniques like those described in order to test the protections provided not only by technology, but also by people and process. There must be clear objectives, written authorization from the organization being tested, and agreed rules of engagement, and the test must be carried out by a reputable firm that understands risk reduction and is familiar with local laws.