Social engineering penetration testing: an overview

Social engineering has proved to be an extremely efficient hacking technique, as it exploits both human weaknesses (greed, vanity, deference to authority) and virtues (compassion, willingness to help others). The technique has already made a name for itself, featuring in 43% of the 1,935 documented data breaches (2017 Verizon DBIR). Quite a reason for companies to add social engineering penetration testing to their security wish list.

This overview will help you understand the essence of the technique and its value for your business data security. Besides, it will make you shrewd enough to choose the right service provider.

What is social engineering penetration testing?

Social engineering penetration testing comprises the techniques used by professional ethical hackers to trick a customer's staff into revealing sensitive information or into performing actions that create security holes for a hacker to slip through. It may be performed as a standalone security check, but usually it serves as an addition to more conventional types of penetration testing.

Social engineering penetration testing techniques

Social engineering penetration testing can be performed in two modes: off-site and on-site.

Off-site social engineering penetration testing

Ethical hackers have a couple of remote social engineering techniques at their disposal. They may start with passive reconnaissance, aiming to gather as much information as possible about the target company. Various search engines, the company's website, annual reports: basically, any public resource will work.

Active off-site methods, falling under the umbrella term phishing, are designed to make employees divulge information intended for internal use only. In the case of phishing, an ethical hacker contacts a staff member by phone, e-mail, or SMS to fish for corporate-sensitive data. Consider some examples of phishing simulations by social hackers:

  • Phone phishing (a.k.a. vishing): A pentester calls the help desk and, pretending to be a legitimate user, say, Stacey from the Supplies department, tries to get her account password.
  • E-mail phishing: A pentester sends your employees e-mails with links to files containing malware. For example, staff members may receive an e-mail informing them of a lottery prize. To claim the prize, they have to click a link, and doing so gives the pentester access to the target's corporate account.
  • SMS phishing: This type of attack is similar to e-mail phishing. The only difference is that the target gets a malicious link via SMS.

On-site social engineering penetration testing

During an on-site engagement, penetration testers apply various techniques to gain physical access to the target company's office. The basic techniques are as follows:

Impersonation

This social engineering technique involves posing as another person to get into the company's building and reach valuable information. Let's consider the most popular scenarios:

  • Using authorized personnel to get into restricted areas of the target company, such as server rooms. For example, a pentester posing as a candidate for a job interview enters company X. Then, the pentester asks an employee to use his or her ID card (say, pretending to be a newcomer who forgot the ID) to get into the restricted area.
  • Wearing the company's uniform or making a duplicate ID card.
  • Pretending to be a delivery person. Sometimes, delivery people face few access restrictions and can take packages into secure areas of the company. A delivery person's uniform builds trust among the company's staff, and they hardly notice the stranger.
  • Impersonating a tech support worker. This is the most devastating of all social engineering techniques, as the pentester gains access directly to the company's network. By plugging a USB thumb drive into the target computer, the pentester may compromise it within seconds. If the company's security policy forbids computers from reading USB drives, the disguised pentester instead checks their e-mail account on the target machine and opens an infected document.

Reverse social engineering

This technique is a form of social engineering penetration testing in which the victim unwittingly comes to the attacker. Sounds ridiculous? The trick is that the ethical hacker first uses a traditional social engineering attack to establish a trust-based relationship (for example, impersonating someone who gives advice on how not to fall prey to social engineering attacks). As a result, victims reveal far more corporate-sensitive information, because they approach the hacker themselves.

Dumpster diving

This literally dirty business involves inspecting employees' trash cans for printouts and pieces of paper that were not put through a paper shredder and may contain sensitive corporate information.

Leaving physical honeypots

The technique involves leaving behind portable data storage media that tempts employees to plug it into corporate computers. Of course, the device would contain malware.

On- and off-site social engineering penetration testing

There is one more technique, called eavesdropping, which can be performed both on- and off-site. It involves unauthorized listening to staff communication over VoIP phones by intercepting phone traffic.

The value of social engineering penetration testing

Social engineering penetration testing will uncover security weaknesses in the following areas:

  • Physical security (of the entire building and particularly of sensitive areas).
  • Corporate security policies governing the proper use and disposal of sensitive data.
  • Employees' security awareness and how well they put it into practice. You will see whether the staff needs additional security training.