Physical Social Engineering

Benefits of Performing a RedTeam Security Physical Social Engineering Test

A RedTeam Security physical social engineering test assesses the difficulty that an attacker would have to exploit the people component of an organization to access an organization's physical premises, generally for the purpose of obtaining sensitive information, control over internal systems or to get someone to perform an action (sending a message, canceling a service, providing a refund, providing confidential information). It also includes advice on ways to mitigate these threats, which organizations often overlook when developing their information security strategy.

A physical social engineering engagement will evaluate the effectiveness of your internal training and communication. This is done by testing whether employees will follow procedures related to admitting visitors, questioning unknown persons on the premises or in the building. Is it possible for a social engineer to gain physical access to an organization's premises by convincing someone to admit them or by bypassing people controls (i.e., tailgating into a building). Once access is gained, specified goals will be pursued and evidence will be gathered of an organization's security vulnerabilities in real-time. This evidence could include the presence of sensitive information left in the open, workstations left logged on, and clean desk policies.

Depending on your organization, a physical social engineering engagement is just as important to security as penetration testing. Mature organizations often conduct penetration testing of both their application and network security on a regular basis without ever assessing the effectiveness of the training that affects their physical security. The primary reason for this disparity is that the consultants who test security typically have expertise in logical security rather than physical security, so they simply aren't capable of performing these tests. Furthermore, cybersecurity organizations usually don't offer physical social engineering services, giving their clients the impression that their current measures are adequate for protecting their network and data.

The RedTeam Security Solution to Physical Social Engineering

RedTeam Security's physical social engineering assessments use a realistic approach like that an actual attacker would use. These physical social engineering tests assess your people, processes, and procedures. Our tests for breaching physical safeguards can include access card cloning, baiting, pretexting, and onsite visits. The goal of our physical social engineering assessment is to simulate an attack by a real-life malicious actor attempting to breach vulnerabilities in physical security to gain ultimately gain confidential information that could damage the company or its clients.

Our team will test whether malicious actors can freely walk through the front door by simply posing as a client or maintenance worker, allowing them to bypass physical deterrents like keycard locks. Once inside the facility, our social engineer will identify the potential compromise opportunities, i.e., logged-in computers left active, access cards abandoned, confidential data exposed, unescorted access to computer rooms allowed, or the ability to gain access to executive offices.

A physical social engineering assessment thus shows that physical security is often the most vulnerable part of a company's security posture.

Deliverables

A RedTeam Security Physical Social Engineering Report provides detailed, actionable information to help improve the overall security posture of an organization. The report will include:

• Information learned during the Information Gathering and Reconnaissance phases of the project
• Detailed steps and pretexts used during the execution of the physical social engineering engagement
• Identification of successful and unsuccessful actions
• Evidence of security risks or mitigations observed during the engagement
• Recommendation for how to reduce risks going forward

This information will provide a roadmap for the next steps to reduce risk. Any follow-up engagement will allow the social engineer to check improvements in security and training.

Additional Resources

Learn more about our Physical Social Engineering engagements.

Schedule a Free Consultation with a Social Engineer

RedTeam Security's social engineering tests assess your people, processes, and procedures. Our tests for breaching physical safeguards include email phishing, telephone vishing, baiting, pretexting, and onsite visits. The goal of our social engineering assessment is to simulate an attack by a malicious attacker for the purpose of discovering vulnerabilities in physical security that a real hacker could exploit with scams.

This process provides valuable insight into an organization's security posture in addition to the actions needed to address any vulnerabilities. In addition to the initial remediation measures, it's also important to conduct social engineering tests on a recurring basis. Hackers are continually developing malicious software as they discover new vulnerabilities. RedTeam Security remains on the cutting edge of the latest trends in social engineering instead of relying entirely on a DIY approach.

Despite the changes in technology that criminals use to exploit their targets with techniques like ransomware, many social engineering techniques are still old school. These include the simple process of chatting with a receptionist to obtain information visitors shouldn't have. RedTeam's Security's testing process also provides your organization with the information it needs to educate end-users on security awareness, which can be a highly effective means of preventing a data breach.

Our social engineering testing can highlight problems that will prevent a security breach from occurring in the future. As they say, "the best offense is a good defense." For a  free consultation with a cyber security expert today, contact us today at (952) 836-2770.