


Social Engineering Assessment & Physical Security Testing

Social engineering is the ultimate con - the bag of tricks employed by fraudsters who will lie, cheat and steal their way past your organization's security controls. Their goals: theft, fraud or espionage. Your best line of defense: your people.

Fraud incidents are on the rise - especially in financial services and healthcare - and many of these crimes result from social engineers pulling off deception in person, via the telephone and through popular social networking sites.

Despite all the media hype about hackers and viruses, the greatest threats to an organization's information security are the employees of the company. They're the ones who too often, too willingly, fall victim to Social Engineering ploys and open the doors wide to slick-tongued fraudsters.

When an intruder targets an organization for attack, whether for theft, fraud, economic espionage or any other reason, the first step is reconnaissance: the intruder needs to know the target. The easiest way to do this is by gleaning information from those who know the company best. The information gathering can range from simple phone calls to dumpster diving, and a social engineer will not hesitate to use every trick in the book to achieve that goal.

Being cognizant of these types of attacks, educating your employees about the methodologies of the attacks, and having a plan in place to mitigate them are essential to surviving these manipulations.

InfoSight's Social Engineering and Physical Security Assessment is a comprehensive set of security tests designed to establish the current state of security awareness among the organization's personnel. This assessment is conducted across two separate vectors:

  1. Deception Testing performed directly against personnel, in which assessors attempt to gain privileged access or information by way of pretexting, impersonation, misrepresentation, and other forms of general deception, and

  2. Physical Security Testing conducted against the organization's physical plant to determine the efficacy of physical security design within the company's offices, buildings, and other properties.

The security tests performed during the Social Engineering and Physical Security Test may include the following types of tests:

Contact us to schedule a consultation with one of our security experts. Or register for one of our webinars to learn about the latest scams; why Social Engineering is so effective; and what steps you or your employees should take to prevent "being socialed."

Visit our Knowledge Center to get training for your staff on Social Engineering and other information security topics within our security awareness training arsenal.

What is Social Engineering?

Social engineering is the act of tricking people into performing actions or divulging confidential information by masquerading as a legitimate user in order to bypass security measures and tools. The purpose is first to obtain confidential information from users by phone, email, postal mail or direct contact, and second to use that data to gain illegal access. The social engineer chooses to con someone into divulging information rather than use technical hacking or physical break-in techniques.

Social engineers also use social media sites to perform reconnaissance on their victims in order to gain personal information about them. They then use this knowledge to trick the user or their friends/colleagues into divulging the pieces of information they need to eventually gain unauthorized access to systems. Other examples of social engineering include:

• A 'senior member of staff' calls the IT support desk in a 'great hurry' and has forgotten their password (and they need it now!).
• A social engineer calls posing as a member of the company's IT staff to request details about the user's computer and/or access to the computer system.
• An attacker calls random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.

What is Physical Security Testing?

Physical security testing, sometimes called physical penetration testing, identifies the security weaknesses and strengths of the client's physical security. The goal of the test is to demonstrate the existence or absence of deficiencies in operating procedures concerning the physical security of employees and patrons. Physical security testing complies with federal and local laws as well as the human right to privacy. It demonstrates "due diligence" and compliance with industry regulations.
