Social Engineering

The Weakest Link
Every year organizations spend billions of dollars on IT security, relying on technology to meet their risk management objectives. Yet the human element, the weakest link in security, is often overlooked. Sword & Shield has repeatedly demonstrated through social engineering exercises how damaging it can be when an attacker extracts information from an organization's people and uses it to move through the organization.

In one engagement, Sword & Shield used social engineering techniques to work its way into the IT environment over the Internet and gain access to critical financial documents belonging to the organization's CFO.

What it Does
Social Engineering involves contacting customer staff in an attempt to extract sensitive corporate information from individuals, primarily system account credentials. Sword & Shield will also attempt to gain entry to non-public areas of customer facilities during business hours. Consultants will also evaluate the security controls in place to protect non-public information, including the security of the customer's information systems and hard copy documentation (member file storage, documentation in branches, etc.).

The Process In Action
During a social engineering exercise, Sword & Shield consultants attempt to elicit sensitive information from staff and contractors. The three key factors in information security are People, Process (or policy), and Technology. Social engineering targets people and process rather than technology in an effort to compromise network defenses and critical systems. The scope of this type of effort is divided into three equally important parts: the specific target(s), the means by which the engineer will obtain the sensitive information, and the sensitive information itself.

Target(s): The target of a Social Engineering effort is the individual or group of individuals from whom the Security Engineer will attempt to elicit sensitive information. In most cases this is anyone employed by the customer, but it can also be limited to a specific department or segment.

Means: The means refers to the channel(s) used to elicit sensitive information from the target. In most cases the means is the telephone, as it is the most effective method; other options include email, fax, text messaging, and face-to-face communication.

Sensitive Information: The sensitive information the Security Engineer will attempt to elicit from the customer can range from user login credentials for a web-based email server to details of the customer's network design.

The scope and methods of the social engineering activities are always established prior to a testing engagement and are an integral part of the scoping and test planning process.
