Social Engineering

Train and test your employees to have security at front of mind


Test the Human Element

Social engineering is a highly effective component of a full security penetration test. Most of our customers are very surprised at how easy it is for us to gain access. We'll use techniques designed to convince your team to give us access to your systems and data center.

Why test social engineering?

In the modern era of rapidly evolving technology, social engineering has become a significant threat to corporate security. Social engineering is a tactic used by cybercriminals to manipulate human psychology and trick individuals into divulging confidential information or granting unauthorized access to computer systems. Social engineering attacks can have devastating consequences for companies, ranging from financial loss to reputational damage.

Corporate networks are not always safe

Is your internal network really internal, or could a hacker gain physical access and plant a device that allows constant remote external access?

The goal is not to steal items from your office or retail location. Instead, it's more about the security of your internal network and the data that you have contained within it. Credit card numbers, product cost data, proprietary business plans, and identity theft are often the drivers for a malicious social engineer. More specifically, they want to gain unrestricted access to your internal network, whether via a device installed onsite or through a wireless connection.

Employees are often victims

With even less risk, social engineers email, call, and text your employees in order to steal their credentials by deceiving them with realistic requests and websites. Employees who share passwords across multiple accounts may be handing over access to several systems, including full wireless or internal network access and even internal email access that can allow the process to start again… with a valid phish sent from within your network.

Social engineering testing can raise employee awareness of social engineering attacks.

Many employees are unaware of the risks associated with social engineering and may fall victim to phishing emails or pretexting calls.

Social Engineering Types

Phishing, Vishing & Smishing

Why Phish Your Own Team? Despite training and technical countermeasures, phishing continues to be a highly effective way to breach security defenses. Our team sends a convincing email to your organization in an attempt to gain user credentials and to measure the effectiveness of your security awareness program. From there we can use the credentials to attempt further system access or we can stop there. Either way your report gives you the details you need to train your team not to fall for a phish again.

And we don’t have to stop there. Spear phishing uses highly targeted emails to gain information or access without triggering security countermeasures. In vishing (voice or phone phishing) engagements, Raxis calls your team and attempts to convince them to give us access through passwords or other sensitive information. Smishing, or SMS phishing, is just another way that hackers attempt to gain information, and our team provides individual attacks as well as combined attacks including any of the above.

Physical Social Engineering (PSE)

Our first step involves significant research on your organization's line of business, communication style, and employee behaviors. We'll learn as much as we can about your group to find the most effective style of attack, and we'll also work directly with your security team to ensure we're targeting the areas you need assessed. Our attack plans range from using branded clothing easily obtained from local sources to creating fake credentials. In many cases, we'll use no tangible physical items and simply rely on our communication skills to establish credibility with the targeted staff members.

But we don’t stop there. Our team attempts to clone employees’ badges to gain physical access to your buildings and even higher-security areas such as data centers. Once in, we may install a device that allows us to prove we can access your internal systems remotely.

MFA Phishy

Multi-factor authentication can stop hackers in their tracks even if they acquire valid credentials, but what if your team blindly chooses to “allow” all MFA requests? Busy employees may assume that the alert is valid and click “OK” before thinking about it.

Raxis has created a proprietary tool to test and train your employees to think before accepting. Phishy allows your team to automatically send and schedule fake MFA requests to different team members at different times. You monitor the results using the Phishy dashboard within Raxis One and review improvements… and who needs more training over time.

Social Engineering FAQ

If you are installing new systems or performing new training now, then we recommend you complete those before beginning your PSE. Usually, however, there’s no time like the present. If you have known issues that you haven’t corrected, it may be a budget issue. If so, a Raxis PSE engagement can give you the proof your management team needs to see that the changes are a high priority.

You know your scope best, and our team looks to you during scoping to be sure we include the best sampling for your test. While we are happy to advise you so that you understand how you may be limiting results, exclusions of physical locations in PSE tests and of employee targets in phishing tests are common.

We always recommend that our social engineering tests be used as training instead of as judgements. The employee who falls for a Raxis phish is often the least likely to fall for a malicious phish. Our social engineering engagements all provide clear reports of our attacks and how your team performed. When you use these reports as training tools and reward employees who report suspicious behavior and communications, your whole team becomes stronger.

Social Engineering Specifications

tl;dr

  • Conduct social engineering tests, such as phishing emails, pretexting phone calls, or physical security assessments, to identify vulnerabilities in the organization's security defenses.
  • Analyze the results of social engineering tests to determine areas of weakness and opportunities for improvement.
  • Provide a report for improving the organization's security posture, such as updating policies and procedures, improving training programs, or implementing new security technologies.
  • Provide guidance on incident response procedures in the event of a successful social engineering attack.
  • Review the organization's compliance with relevant regulations, such as HIPAA or GDPR, related to social engineering.
  • Conduct follow-up testing to ensure that recommended improvements have been implemented and are effective.
  • Provide ongoing support and consultation to the organization to ensure that its security posture remains strong in the face of evolving social engineering threats.

©2023 Raxis LLC - All rights reserved.