Social Engineering

Sword & Shield performs Security Awareness Testing in an attempt to trick employees into divulging confidential information that may be used to compromise network defenses and critical systems. This form of security assessment targets people and processes instead of technology.

Our Methodology for Social Engineering Training

We work with clients to define the targets, location and method of social engineering to be employed. The end results can produce vital data for reducing risk. Our Security Awareness Testing service is divided into three equally important parts:

• Targets – persons from whom the security analyst will attempt to coerce sensitive information.
• Means – resources used to coerce sensitive information from the target; can include telephone, e-mail, fax, text messaging and face-to-face communication.
• Sensitive Information – scope of data the security analyst will attempt to coerce from the target; ranges from user login credentials to network design specs.

Sword & Shield’s approach to Security Awareness Training includes four components:

1. Phishing – analysts work with the client to create a targeted phishing message from a supposedly trusted source. Sword & Shield tracks the open and click through rate and follows up with employees that inadvertently reveal information.
2. Pre-Texting – Sword & Shield analysts make phone calls impersonating someone with perceived authority or privilege in order to gather key information like usernames, passwords, access codes, etc.
3. Baiting – Sword & Shield analysts leave a USB flash drive or other form of mobile storage media in an open area in order to identify employees that attempt to use the device, and those who turn it in to the appropriate department.
4. Tailgating (or Piggy-backing) – analysts attempt to bypass physical security at client sites in order to roam unescorted, looking for open offices and/or unsecured workstations.

Questions Our Report Will Answer

• How effective is my security awareness training?
• How effective is my physical security?
• What are the risks that confidential information can be leaked to unauthorized persons?

Security Awareness Testing results and analysis are presented in a comprehensive report. The report details the vulnerabilities present and/or exploited using social engineering techniques. In addition to describing the current security posture, we provide recommendations for improving security and reducing risk.

Real Success Story

As part of a social engineering exercise for a large U.S. manufacturing firm, Sword & Shield analysts determined that the help desk did not require employees to provide any type of authentication to reset their domain account’s password. Using this knowledge, the Sword & Shield team successfully contacted the firm’s help desk and had the password changed for a senior director. The Sword & Shield team then accessed the firm’s internal network using the compromised account in conjunction with the firm’s remote access VPN.

Based on Sword & Shield’s findings, the manufacturing firm updated help desk policies and procedures, introduced annual security awareness training for all employees, and implemented two factor authentication for the remote access VPN. Sword & Shield’s Social Engineering exercise helped the manufacturing firm identify the need for employee security awareness training.

Talk With a Testing Analyst

Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. To learn more about our Social Engineering service and our other areas of expertise, please fill out our Request Consultation form or contact us by phone today.

U.S. Toll-free: 800-810-1885

International: 865-244-3500