Over the past few years, we have heard more and more about cybercrime, IT vulnerabilities, and Zero Day flaws; the digital world that we live in is concentrating increasingly on these threats.
It is true that the multitude of technologies that show technical flaws are a flourishing field for computer hackers. Too often, vulnerabilities are automatically detected by robots, and they can be exploited completely opportunistically.
However, by focusing on technical vulnerabilities, we forget our human vulnerabilities.
If a hacker cannot reach their objective “technically”, they will get around companies’ defences through humans via social engineering methods. You should not neglect these types of targeted attacks.
Social Engineering: are your teams ready?
Social Engineering is a test that highlights the “human” flaws in your Information System (IS).
Many define social engineering as a practice that seeks to psychologically manipulate human beings to identify and use their weaknesses (excess trust, gullibility, ignorance of protocols, etc.) to obtain something from them: access, strategic information, goods or services, etc.
This type of attack is more common than you would think and only needs minor, or no, technical knowledge. Most of the time, attackers (whether malicious hackers or our experts on assignment for you) will use simple communication methods like telephones, email, or letters.
NBS System’s expertise in IT security
21 years of experience
+ 250 clients in IT security
Creator of CerberHost
Creator of Naxsi
What is the advantage of Social Engineering?
Employees’ behaviour can have significant consequences for your organisation from an IS security point of view.
The goal of implementing a social engineering test is not to identify the team’s “weakest link”, but an exercise to measure your employees’ awareness of this type of targeted attack.
We can also identify a lack of information or training in security procedures, which will allow you to set up security training and awareness events that include your employees.
Beyond compromises as such, we can also assess your teams’ reactiveness in using important internal levers such as:
- The time to detect the compromise
- Internal crisis communication
- The means used to mitigate or stop the attack
This test of your teams’ resistance to third parties can also be implemented after the fact, for example following security awareness training so you can test the results.
Whatever the case, Social Engineering experiments can be implemented as a one-off, although they are often a step within a larger security test operation.
Social Engineering: the methodology
Since this type of assignment is especially sensitive (handling personal data, contact with your teams, etc.), it is vital that the framework be well defined. Attempted social engineering at your company without your signed agreement would be illegal, of course. We pay special attention in drafting the contracts for this assignment.
It is important for the social engineer to understand what is important or vital to your company. It may be a database, access to a strategic application, employee access rights, or maintaining your production environment; these are the elements they will try to reach.
You can also try working in reverse: instead of identifying an objective, we can identify a target to test together. For example, you can have our experts test the human resistance of all secretary and executive assistant positions.
The approach that our experts use as well as their tricks and targets will not be the same depending on the objective.
Conducting the assignment:
Many scenarios can be considered. Social engineering‘s goal is to get as close to employees as possible and take advantage of their trust. Therefore, it is difficult to show you a typical scenario. Our experts will be creative from one assignment to another to best fit the context, from your employees’ working environment to your company culture just like a hacker would. However, here are a few examples of frequently used practices and resources:
TYPE OF PRACTICE
- Trojan horse virus
- Identity theft
- Social networks
Like all of our IT security services, we provide you with a report that is as detailed as possible containing all the information that can be of use:
- The methods used
- The results obtained
- A review of your company’s sensitive points
- Appropriate recommendations and corrective actions
When should we use social engineering?
The goal of social engineering is to audit human behaviour when confronted with an attempted compromise from the outside. There is no question here of hardware, software, infrastructure, etc.
Do you want to raise your employees’ awareness of IT security and have them accept training? Social engineering is a great method of proof by example.
Have you invested in training in IT security procedures, and you want to test the results? The social engineering audit gives you an objective view of your employees’ behaviour.
Corporate social engineering: who takes care of it?
NBS System’s security unit is made up of 10 experts, each with their speciality.
- Part of the team is specialised in security services such as audits and penetration tests.
- The other part of the team spends its time on research. It creates open-source security tools to share its expertise with the community and society at large.
This second team is always familiar with the latest security discoveries. It shares its discoveries with the teams who carry out the social engineering test so that they can test your defences effectively, even against the most recent attacks and methods.
Furthermore, each of the NBS System security unit’s members is temporarily and randomly assigned to the role of SecOps. By carrying out operational security assignments for our clients, our experts stay familiar with the reality on the field and your production requirements.
Social engineering assignments: where are they held?
Since the goal of this type of assignment is to conduct the test as discreetly as possible, we prefer that our experts not be present in your company at the time of the test for social engineering assignments. The experiment will be conducted in our facilities.
At the end of the service, all information obtained will be delivered to you at the same time as the final report. These elements are strictly confidential and will only be shared with your reference team and the NBS System security team. No information will be shared with third parties or saved, and your company’s weak points will never be used outside the test context.
Learn more about our services by contacting our sales teams