Social Engineering


The purpose of Social Engineering testing is to provoke and measure how people respond to deception. It consists of impersonating a trusted individual or organization in an attempt to gain access to information and/or a company’s infrastructure. This lets us evaluate how well a company’s policies, security awareness, controls and network design hold up against an attacker who targets people rather than systems, and surface the internal weaknesses that may exist. Our security engineers take a focused review of:

  • Publicly identifying information about a company and its employees.

  • How employees respond to requests that conflict with specific regulatory and corporate security policies.

  • Risk arising from employee data and information that is already publicly available.

Testing Approaches

  1. Phishing – Targeted email campaigns.

  2. Vishing – Pretext phone calls.

  3. Smishing – SMS text messages.

  4. Physical – Gaining physical access to facilities or sensitive areas by avoiding operational security controls and procedures.

Methodology

We gather open-source information to build contact lists of employee phone numbers and email addresses, then use those contacts to try to get employees to open a malicious payload or enter their credentials. The same reconnaissance yields the details needed to gain physical access to a company’s internal spaces.

  • Phishing Attacks
    Develop email campaigns that impersonate trusted individuals at the company and deliver malicious attachments or links to fake websites (for example, credential-harvesting login pages) to the contacts.

  • Vishing Attacks
    Develop call scripts that impersonate trusted individuals at the company and request personal information, or direct the contact to open a malicious attachment or visit a fake website.

  • Smishing Attacks
    Create SMS scripts that impersonate trusted individuals at the company and request personal information, or direct the contact to open a malicious attachment or visit a fake website.

  • Physical Attacks
    Gather information on company badges, dress code, peak traffic times, security staffing, points of entry, etc. We then attempt to gain access to facilities or sensitive areas by evading physical security policies and processes, and document the access obtained as evidence.
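The value of a phishing, vishing or smishing engagement is in the measured human response, not the delivery itself. The script below is an added example (not the page’s or any vendor’s tooling) of how campaign results are reduced to the numbers a client needs: a per-department funnel (sent, opened, clicked, credentials submitted, reported to security), the matching rates, and the list of people whose credentials must be reset. The recipient list, the department mapping, the domain `example.test` and the event-log format `<timestamp> <email> <event>` are all constructed assumptions for the example. It deduplicates repeated events per person and ignores events for addresses that were never targeted, both of which otherwise inflate real-world numbers.

```python
"""Phishing campaign response analysis (added example; data is constructed)."""
from collections import defaultdict

# Funnel stages in order. A person counts at most once per stage.
EVENTS = ("SENT", "OPENED", "CLICKED", "SUBMITTED", "REPORTED")

# Constructed target list: email -> department (hypothetical domain example.test).
RECIPIENTS = {
    "alice@example.test": "Finance",
    "bob@example.test": "Finance",
    "carol@example.test": "Engineering",
    "dave@example.test": "Engineering",
    "erin@example.test": "HR",
}

# Constructed event log as a campaign server might emit it: "<timestamp> <email> <event>".
# Includes a duplicate SUBMITTED for alice and a CLICKED from an address that was
# never targeted (e.g. a forwarded link) to show both being handled.
EVENT_LOG = """\
2024-01-10T09:00:00Z alice@example.test SENT
2024-01-10T09:00:00Z bob@example.test SENT
2024-01-10T09:00:00Z carol@example.test SENT
2024-01-10T09:00:00Z dave@example.test SENT
2024-01-10T09:00:00Z erin@example.test SENT
2024-01-10T09:05:12Z alice@example.test OPENED
2024-01-10T09:05:40Z alice@example.test CLICKED
2024-01-10T09:06:02Z alice@example.test SUBMITTED
2024-01-10T09:06:09Z alice@example.test SUBMITTED
2024-01-10T09:07:00Z bob@example.test OPENED
2024-01-10T09:07:30Z bob@example.test REPORTED
2024-01-10T09:12:00Z carol@example.test OPENED
2024-01-10T09:12:20Z carol@example.test CLICKED
2024-01-10T09:15:00Z dave@example.test OPENED
2024-01-10T09:15:10Z dave@example.test REPORTED
2024-01-10T09:30:00Z mallory@example.test CLICKED
"""


def parse_events(log_text, recipients):
    """Return {email: set(events)}. Malformed lines, unknown events and
    addresses outside the target list are skipped; repeats collapse into the set."""
    per_user = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _timestamp, email, event = parts
        if email not in recipients or event not in EVENTS:
            continue
        per_user[email].add(event)
    return dict(per_user)


def funnel_by_department(recipients, per_user):
    """Count distinct people per stage for each department."""
    counts = defaultdict(lambda: {e: 0 for e in EVENTS})
    for email, dept in recipients.items():
        for event in per_user.get(email, ()):
            counts[dept][event] += 1
    return dict(counts)


def rates(funnel):
    """Opened/clicked/submitted/reported rates relative to SENT, per department
    and overall under the key "ALL"."""
    def ratio(c):
        sent = c["SENT"]
        return {e.lower(): (c[e] / sent if sent else 0.0) for e in EVENTS[1:]}

    out = {dept: ratio(c) for dept, c in funnel.items()}
    overall = {e: sum(c[e] for c in funnel.values()) for e in EVENTS}
    out["ALL"] = ratio(overall)
    return out


def needs_credential_reset(per_user):
    """Everyone who submitted credentials to the fake page, sorted for the report."""
    return sorted(email for email, evs in per_user.items() if "SUBMITTED" in evs)


if __name__ == "__main__":
    per_user = parse_events(EVENT_LOG, RECIPIENTS)
    funnel = funnel_by_department(RECIPIENTS, per_user)
    for dept, r in rates(funnel).items():
        print(f"{dept:12s} " + "  ".join(f"{k}={v:.0%}" for k, v in r.items()))
    print("reset credentials for:", ", ".join(needs_credential_reset(per_user)))
```

The report rate is worth presenting beside the click rate: a department where half the recipients clicked but the other half reported within minutes gives the security team a usable detection window, which a click rate on its own hides.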