

Social Engineering Framework
Interactive Security’s Social Engineering Framework consists of three A’s: Analyze, Assessment, and Analysis. This framework should be implemented yearly so that clients can see whether they are improving or need to take further action.
Analyze
Assessment
Analysis
Once information is found and analyzed, every finding is documented in a prioritized list. Interactive Security includes this list along with recommendations in the final report.
Social Engineering Scope Assessment Approaches
Each of Interactive Security’s Social Engineering Assessments is broken down into either a black box or a white box method. These assessment approaches are designed to give clients two different options for level of effort.
Black Box
In a black box style assessment, the social engineer begins the assessment with no prior information from the client, in order to see what types of intelligence (OSINT) they can find online. For these campaigns, the social engineer will gather E-mail addresses, phone numbers and information about the physical security controls to develop custom attack vectors. Benefits of black box assessments:
White Box
During white box assessments, the client provides the targets they wish to be tested, such as phone numbers, E-mail addresses, and locations. Benefits of white box assessments:
Intelligence Gathering
Attackers utilize intelligence gathering tactics against companies to search for information that could be found in job postings, employee social media accounts, or even third-party associations. Once intelligence is collected, they leverage it to create social engineering campaigns. Interactive Security utilizes the same tactics to gather intelligence.
Phishing
Phishing has been the starting point of many data breaches. It is imperative that companies continuously train and test for this style of attack. Our Phishing Assessments test what percentage of client employees pass or fail a phishing campaign.
Verbal Phishing (Phone/Voicemail)
Verbal Phishing is eliciting sensitive information via the phone. Interactive Security utilizes multiple approaches to gain information, such as spoofing phone numbers and impersonation, just as a malicious actor would.
Physical Assessment
A Physical Assessment can validate the physical security controls and company policies a client has in place, or show them areas that need improvement. Physical security controls that Interactive Security will assess:
Company policies that may be tested: