What is Social Engineering?
Social engineering is a highly effective component of a full security penetration test. This is the phase where our consultants attempt to gain access by exploiting the human element. Raxis achieved an 80%+ success rate based on 2012-2015 engagement results, and most of our customers are surprised at how easy it is to gain access. We also use techniques such as phishing to convince someone to click our links or provide us with information. We can't guarantee we'll gain access to your environment, but we can guarantee that you'll learn invaluable information about your organization's security posture.
In order to understand how the process works, it helps to understand the goal of social engineering. The goal is not usually to steal items from your office or retail location. Instead, it's about the security of your internal network and the data contained within it. Credit card numbers, product cost data, proprietary business plans, and personal data usable for identity theft are often the drivers for a malicious social engineer. More specifically, they want unrestricted access to your internal network, and it doesn't matter whether that access is wireless or wired.
Our first step involves significant research on your organization's line of business, communication style, and employee behaviors. We learn as much as we can about your group to find the most effective style of attack, and we also work directly with your security team to ensure we're targeting the areas you need assessed. Our attack plans range from using branded clothing easily obtained from local sources to creating fake credentials or badges. In many cases, we use no tangible physical items at all and simply rely on our communication skills to establish credibility with the targeted staff members.
Customized Remote Phishing
Raxis will attempt to gain user credentials or access to private data via telephone or email, often by acting as a trusted third party or acquaintance.
Onsite Social Engineering
Using impersonation techniques, Raxis engineers present themselves as someone who has already been authorized for physical access to the facility.
Raxis will research specified targets and craft a highly focused attack against named individuals. If the attack succeeds, Raxis will attempt to exfiltrate data from the organization to demonstrate the impact.
Non-Invasive Physical Assessment
Raxis assesses your physical environment, discusses options for improved security, and delivers a physical security report, all without using impersonation techniques.
Onsite Social Engineering
Custom-developed access card reader, designed to fit in a backpack for discreet operation. It can read door access cards carried by elevator riders without their knowledge.
You've trained your staff, reduced the social engineering risk, and prepared them for a potential breach. There's no way to break into your data center, right?
Using highly specialized custom gear and many years of experience breaking into the most secure facilities, Raxis tests your security posture against current real-world physical intrusion techniques. From cloning access badges to lock picking, Raxis engineers are able not only to breach your physical controls, but also, if in scope, to subsequently connect to and harvest data from your most secure systems. Raxis not only knows what can potentially be done, but can actually perform the attacks as a proof of concept.
The Raxis approach follows the industry-accepted NIST SP 800-115 and OSSTMM methodologies and can be customized to ensure Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), or Health Insurance Portability and Accountability Act (HIPAA) regulatory requirements are addressed appropriately. Regardless of assessment type, Raxis evaluates all aspects of the organization's physical security posture.
All Raxis physical security assessments cover physical and architectural controls, policies, electronic systems, backups, environmental controls, and security personnel. While Raxis offers two different types of physical security testing (below), many customers opt for a combination of both to fit their needs.
Customized Physical Security Testing
Impersonation and Role-Playing Assessment
Testing physical security under realistic attack conditions is the best way to determine where funding should be spent. As a proof of concept, Raxis will attempt to breach the perimeter using any method in scope. Once the details of the breach are known, resolving the issue becomes much easier. Extreme care is taken to ensure that systems keep running and existing security controls are not damaged. Once the invasive portion is complete, Raxis may follow up with a non-invasive assessment to examine controls that were not reachable during the breach attempt.
Raxis will meet with your facility and data center engineers to perform a guided walk-through of your location. Using a comprehensive set of controls tailored to your needs, Raxis evaluates your physical security controls against a recommended baseline. This includes your security policy, alarm systems, facility access controls, video surveillance, and visitor entry processes.