
SOCIAL ENGINEERING

Often overlooked, Social Engineering (SE) should form a large part of your risk management strategy. It’s a topic widely recognized as one of the greatest security threats posed to organizations. The term ‘Social Engineering’ refers to any technique used by a threat actor that focuses on people and process, rather than on technology.

The objective of a social engineering attack typically includes manipulating people into divulging confidential information or performing an activity that benefits the attacker, preferably without those people realizing it. We have seen numerous examples of our consultants gaining full domain control from a successful SE engagement.

LRQA Nettitude are highly passionate about Social Engineering and it’s something our consultants relish. The results of our Social Engineering engagements often tend to be the most surprising and impactful.

Benefits of Social Engineering testing

People are often more susceptible to compromise, compared to technology, as they represent a direct entry point into a target network. Consequently, threat actors often find success when targeting people and processes. In the meantime, it’s common for organizations to focus on securing their technology. While technology is very important, it doesn’t represent the entire attack surface of a given organization. Including Social Engineering tests in an information security program gives more complete assurance against real-world threats. 

A successful Social Engineering testing program has well-defined objectives and covers several approaches. These include remote techniques that leverage email, text message, phone call and even post. For complete coverage, in-person techniques that achieve physical access should also be conducted. When all these approaches are included in a Social Engineering test, a true picture of strengths and weaknesses, as they relate to people, begins to emerge.

Benefits of Social Engineering tests include: 

  • Identify vulnerabilities relating to attacks that leverage people and process.
  • Understand the likely impact of an attacker that uses Social Engineering.
  • Gain insight into what people and process defenses are currently working well.
  • Identify areas of improvement within physical security policies and procedures.
  • Train employees to be more aware of common Social Engineering techniques by involving them in realistic scenarios.
  • Get assurance that includes consideration of real-world threats.

Organizations that include Social Engineering threats in their assurance program tend to receive greater insights into their overall information security posture. It is becoming increasingly common for assurance programs to require that people and process are thoroughly tested on a regular basis, because that’s what attackers are targeting too.

About the Service

Social engineering attacks are commonplace and take various forms. The two primary types of social engineering assessments LRQA Nettitude offers are remote and physical social engineering.

Remote social engineering – Remote social engineering attacks have the human factor in the organization's security posture as their primary test objective. This includes the security awareness of the target, their ability to spot malicious communications, and the actions they take upon noticing or falling for the attack. Because these attacks arrive over the Internet or phone lines, it can be far harder to tell when a message is fake or malicious.

Remote Social Engineering Examples:

  • Phishing: Anyone who has used email has almost certainly received a phishing attack at some point. These are email-based solicitations designed to entice a person into doing something for an attacker, e.g., installing malware, capturing credentials, wiring money, etc.
  • Spear Phishing: A more targeted form of phishing. This variant typically involves a target pretext: the target person is researched, and a convincing phishing email is crafted that is prepared for that person specifically. More targeted emails have a higher chance of success from the attacker’s perspective, but they do take more time, effort, and skill to craft.
  • Vishing: This is the voice variant of phishing and it happens over the phone. There is typically a strong pretext for the call. It is common for a savvy attacker to collect individual pieces of information across multiple calls. Individually, each piece of information is low value and attempting to get it is unlikely to raise suspicion. Collectively, the information becomes much more valuable and can be used to execute a social engineering attack with high impact.
  • Smishing: This is the Short Message Service (SMS) form of phishing, but it can include other chat platforms as well. Typically, the goal of smishing is to get the target to click a link on their device to visit a malicious website, or to call a number.
  • Other: Other forms of remote social engineering may target the chat programs used by your organization. In an assumed-breach scenario, a malicious actor who has gained access to your Teams, Slack, or other internal chat platform attempts to entice employees to click links or run programs in order to gain access to their computers.

Physical Social Engineering

Physical Social Engineering typically involves in-person interactions, often giving client employees a false explanation of why they should let someone into their office, with the goal of gaining access to a given building, room, or site. A comprehensive physical social engineering test highlights weaknesses in employee awareness, but it also focuses on a number of key technical controls that are sometimes overlooked or fall between the gaps of traditional penetration testing methodologies. The security awareness of employees is only one component. LRQA Nettitude’s holistic approach to physical social engineering focuses not only on the human element but also heavily on the technical controls, which are often lacking and can be exploited.

Physical Social Engineering Engagement Types:

  • Covert entry assessment – Consultant(s) try to gain access to sensitive or valuable data, equipment, etc. somewhere on the target site(s) undetected. This can also include the dropping of an initial foothold network device from which an internal infrastructure assessment can be performed.
  • Physical vulnerability assessment – A client point of contact provides an escorted walkthrough of the target site. The consultant investigates potential vulnerabilities and explains how an attacker would abuse a gap or weakness in the site’s and company’s physical security.

Physical Social Engineering Examples:

  • Tailgating. This is one of many forms of physical social engineering. Physical social engineering often has the objective of introducing something malicious to a building, such as malware, or removing something valuable, such as sensitive paperwork. Tailgating is the act of waiting for an authorized person to access a restricted area and following them through closely before the restriction – e.g., a door – reengages.
  • Baiting. This is where a user is enticed to do something for the attacker based on ‘bait’. For example, a USB stick could be left in a parking lot with the hope that a target person will pick it up and plug it into their laptop. The stick could appear to be of high value and contain interesting-looking files, which are really malware. A more targeted version of this could use snail mail (i.e., mailing a physical letter or package) to send something to a target person, perhaps with a pretext of it being a prize (nice packaging goes a long way) or of having been sent by someone they know.

There are many other types of social engineering; those described here are intended to give a flavor of what attackers typically do.

A social engineering test will use one or more techniques like those described in order to test the protections provided not only by technology, but also by people and process. There must be clear objectives and rules of engagement, and it must be carried out by a reputable firm that understands risk reduction and is familiar with local laws.

A World Leader in CREST Accreditations

We are proud to be one of the few global companies that is fully certified by The Council of Registered Ethical Security Testers (CREST) across all key disciplines.

The Council of Registered Ethical Security Testers (CREST)

Our team of consultants have achieved the highest accreditations for Penetration Testing, Red Teaming, Incident Response services and Threat Intelligence. In addition, we were also the first organization to be CREST accredited for our Security Operation Centre services.
