The Trojan Horse is a classic example of social engineering at its best.
The concept of manipulating people and processes for some benefit predates the invention of computers and the notion of cyber security, and extends well beyond the realms of IT and computing.
Recently, however, social engineering has come to be closely associated with cyber security.
Social engineering is one of the more prevalent attack methods in use today, and has been featured heavily in some high-profile breaches.
In order for organisations to adequately model the real threats they will face, social engineering should be included in every penetration testing exercise.
Here are 4 social engineering techniques that testers can use to test an organisation’s security readiness:
Phishing involves sending an email to a user in order to persuade the user to perform an action.
The goal is simply to entice the user to click a link in the phishing email and record that activity, or to get the user to run a program as part of a larger penetration testing effort.
The key to a successful phishing campaign is personalisation.
Tailoring the email to the targeted user, for example by sending it from a trusted (or apparently trusted) source, increases the likelihood of the user reading the email or following some direction in it.
A good tester will always remember to check spelling and grammar; a well-written and crafted email, even a short one, will be much more believable and enticing.
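The two phishing goals above, personalising each email and recording who clicked, are easiest to combine by giving every recipient a unique tracking link. The following is an added example, not code from the original article: it renders a per-recipient message from a template, embeds an unguessable per-recipient token in the link, and then attributes hits in a (constructed) web-server access log back to recipients so the tester can report click rates by department. The target list, the landing host `portal-update.example.invalid` and the log lines are all invented for the example.

```python
"""Personalised phishing-simulation emails with per-recipient tracking tokens,
plus click attribution from an access log. Added example; all data constructed."""
import csv
import io
import re
import secrets
from collections import Counter
from string import Template

# Constructed target list for the example (no real people or addresses).
TARGETS_CSV = """email,name,department
a.smith@example.invalid,Alice Smith,Finance
b.jones@example.invalid,Bob Jones,Finance
c.lee@example.invalid,Carol Lee,HR
"""

# Hypothetical landing host controlled by the tester.
TRACK_BASE = "https://portal-update.example.invalid/t/"

# Pretext text; $first_name/$department/$link are filled per recipient.
EMAIL_TEMPLATE = Template(
    "Hi $first_name,\n\n"
    "Payroll has updated the $department expense portal. Please confirm your "
    "details before Friday:\n\n$link\n\nThanks,\nFinance Systems"
)

# Common Log Format line; we only care about hits on the tracking path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /t/(?P<token>[A-Za-z0-9_-]+)'
)


def load_targets(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def assign_tokens(targets, token_factory=lambda: secrets.token_urlsafe(12)):
    """Map a unique, unguessable token to each recipient. The token is what
    ties a later click back to a person, so it must not be derivable from
    the email address (random, not a hash of it)."""
    return {token_factory(): t for t in targets}


def build_emails(token_map):
    """Render one personalised body per recipient, keyed by email address."""
    emails = {}
    for token, t in token_map.items():
        emails[t["email"]] = EMAIL_TEMPLATE.substitute(
            first_name=t["name"].split()[0],
            department=t["department"],
            link=TRACK_BASE + token,
        )
    return emails


def parse_clicks(log_text, token_map):
    """Attribute access-log hits to recipients. Returns (clicked, unknown):
    clicked maps email -> timestamp of the FIRST click (repeat clicks and
    link-preview fetches must not inflate the count); unknown lists tokens
    that were never issued, e.g. scanners or mail filters probing the path."""
    clicked, unknown = {}, []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = token_map.get(m.group("token"))
        if target is None:
            unknown.append(m.group("token"))
            continue
        clicked.setdefault(target["email"], m.group("ts"))
    return clicked, unknown


def click_rate_by_department(targets, clicked):
    """Return {department: (clicked, sent)} for the campaign report."""
    sent = Counter(t["department"] for t in targets)
    hits = Counter(t["department"] for t in targets if t["email"] in clicked)
    return {d: (hits[d], sent[d]) for d in sent}


if __name__ == "__main__":
    targets = load_targets(TARGETS_CSV)
    token_map = assign_tokens(targets)
    for addr, body in build_emails(token_map).items():
        print(f"--- to {addr} ---\n{body}\n")
    # Constructed log: the first recipient clicks twice, a scanner probes a bogus token.
    first_token = next(iter(token_map))
    log = (
        f'203.0.113.5 - - [10/Oct/2023:10:01:02 +0000] "GET /t/{first_token} HTTP/1.1" 200 512\n'
        f'203.0.113.5 - - [10/Oct/2023:10:05:00 +0000] "GET /t/{first_token} HTTP/1.1" 200 512\n'
        '198.51.100.7 - - [10/Oct/2023:10:07:00 +0000] "GET /t/ZZZZ HTTP/1.1" 404 0\n'
    )
    clicked, unknown = parse_clicks(log, token_map)
    print("clicked:", clicked, "unknown tokens:", unknown)
    print("by department:", click_rate_by_department(targets, clicked))
```

Two details matter in practice: the token is random rather than derived from the address, so a recipient who notices the link cannot guess a colleague's and pollute the results, and only the first hit per recipient is counted, because mail gateways and link previews routinely fetch URLs before any human does.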
Pretexting involves calling the target and trying to solicit information from the target, usually by pretending to be someone that needs assistance and/or clarification.
This technique can work well in a penetration testing exercise by targeting non-technical users who can provide useful information.
The best strategy is to start with small requests and drop the names of real people in the organisation who may be waiting on something. In the pretexting conversation, the tester explains that they need the target's help, usually urgently. Once rapport has been established, the tester can ask for something more substantial with a higher chance of success.
Media drops usually involve a USB flash drive left somewhere conspicuous, like a parking lot or building entrance area or on a work desk.
The "baiting" USB will usually contain an interesting-sounding file that will launch some sort of client-side attack when opened by the unsuspecting victim.
Generally deployed to test physical security alertness, "tailgating" involves getting into a physical facility by coercing or fooling staff there, or just walking in.
Testers should plan to procure sensitive data or install a device quickly to prove they were successful, as they may have only a short window of time before someone notices their unauthorised presence.
Testers can take pictures of exposed documents left on printers or desks, or install a pen-testing device that provides Wi-Fi or 3G network access back into the environment later.
So, what can you do to prevent such techniques being deployed to trick your end users in your organisation? Check out this next article for 3 steps you can take.