A social engineering test is a simulated attack from the perspective of a bad actor, such as a malicious hacker. The objective is to simulate a cyber security attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. In doing so, you would gain valuable insight into the security posture of the assets and be able to fix them before hackers are able to cause serious damage by exploiting them.
Hackers who use social engineering are constantly coming up with new means of attack; that’s why it’s so important to work with third-party testing professionals who are on the cutting edge of the latest attack trends, rather than relying on a DIY social engineering approach alone.
We get this question a lot, and it’s not easy to answer until some level of scoping has been performed. Our scoping process is quick, online, and painless. Overall, the complexity of the operation will ultimately determine its cost. For example, when determining the work effort, we take the following into account: the number of targets (email, telephone), the number of physical locations (onsite), and the travel time between physical locations, if applicable.
A social engineering test should result in a list of actionable items that reduce the likelihood of successful cyberattacks. These steps often begin with basic improvements and progress to more advanced, customized solutions over time.
Multi-factor authentication (MFA) is a common way for immature organizations to improve their protection against cybercriminals. This approach requires an individual to provide multiple login credentials, or factors, before they can access a restricted area. Factors can include knowledge, possession, or an inherent property. Knowledge is something only the user knows (like a password), possession is something only the user has (like a phone or token-generating device), and an inherent property is something only the user is (like a fingerprint).
The intense focus that many organizations currently have on protection against malware attacks is certainly justified, but it often causes them to overlook physical security. A follow-up engagement allows the social engineer to check for improvements in security and training.