Assess end user awareness
End users are a common target for malicious threat actors. Organizations spend a considerable amount of time and money securing their logical assets; however, end users are often the weakest link in a security program.
Social Engineering (SE) Assessments use real-world scenarios and tactics to measure how aware end users are of coercion attacks. These engagements can also highlight areas where organizational security policies and technical controls can be enhanced, or used more effectively, to detect and prevent SE attacks.
Phishing Engagements are one of the most common types of SE assessments. These projects simulate malicious threat actors who send emails to personnel in an attempt to gather information, gain control of end systems, or otherwise gain unauthorized access to systems and data. Phishing engagements can be tailored to fit the needs of the organization: everything from simply measuring the number of clicks on a phishing URL, to capturing user credentials, to attempting to gain command and control of end user systems, is an available option for remote SE engagements.
Another remote scenario for SE engagements is phone-based coercion attacks. Rotas consultants use phone calls to attempt to coerce end users into performing actions that could aid an attacker.
Onsite SE engagements are used to assess personnel’s awareness regarding onsite interaction with unauthorized persons. The goals of onsite SE engagements are typically to gain unauthorized access to facilities, systems, and data by actively engaging personnel. These engagements differ from physical penetration testing in that the assessor actively attempts to coerce personnel into performing an action. Examples of onsite SE scenarios include impersonating service personnel or employees, scheduling meetings to gain access to facilities, or otherwise actively engaging personnel to grant access to buildings, systems, or data.
These engagements are useful for ensuring that visitor access procedures are followed, and for gauging personnel’s willingness and awareness regarding the reporting of suspicious persons.