Social Engineering Assessment Services

All the preventative controls in the world won't stop a determined attacker from getting at your data, especially if your employees let them in the front door. Social engineering tests your employees' reaction to unexpected visits and gives you a complete picture of your facility's physical security posture.

Value of social engineering

Many organizations overlook the real value of social engineering: the ability to analyze the implementation of your organization's policies and procedures from an alternate perspective. This information is valuable because it allows the organization to identify areas that require additional training or other controls. We will work closely with you to identify the highest risk procedures, facilities and business units in your organization, and devise tests to challenge your employees' reactions to adverse situations.

Social engineering tests typically place the consultant in one of two roles:

  • An outsider, such as a vendor or service technician, who is attempting to gain access to information via telephone
  • An insider, such as a new employee

Below are some sample scenarios.

Insider testing: Insider testing typically places the consultant inside the organization as a new employee or vendor performing extended onsite work. In this way, the consultant is able to interact with and observe employees, test access controls, and attempt to escalate access to information systems.

Outsider testing: Outsider testing is the most common form of social engineering. Using a ruse such as posing as a core processor employee or network company technician, the consultant attempts to gain access to your security information as a vendor. If allowed inside, the consultant will try to obtain documents or other sensitive information that visitors should not be granted access to.

Insider: Employees; Outsider: Service technicians

Call policies and procedures

Departmental security controls

Workstation security

Document storage and disposal

Separation of duties

Application access