Social Engineering Assessment
Employees play a key role in holistic corporate security. If even some employees fail to act in a security-conscious manner, existing technical security measures can often be bypassed entirely. Attackers increasingly exploit this to break into company networks, and also into company buildings themselves. Attack techniques that target employees for this purpose are summarized under the term “social engineering”. Typical examples are sneaking into a company’s premises or requesting confidential information under a false identity.
A Social Engineering Assessment measures how aware employees are of such attacks and how they respond to them under realistic conditions. It can be focused on either of two areas, physical access controls or information security, which are described below. In outline:
- Objective: assessment of employee awareness and responsiveness to social engineering attacks by simulating targeted, realistic attack scenarios
- Key question: how effective are the existing protective and awareness-raising measures against social engineering attacks?
- Subject of the assessment: personnel / employees and, where applicable, company buildings and premises
Social Engineering Assessment with a focus on physical access controls
From a security perspective, company buildings and offices form the first physical layer of protection. The sometimes very complex security measures against unauthorized intrusion can be assessed with dedicated attack scenarios in which human factors play an essential role.
A corresponding Social Engineering Assessment consists of the following components:
- Analysis of weak points by observing the building (entry options, security precautions, foot traffic, relevant procedures / processes / defects)
- Optional / project-specific: creation of a qualified cover story (“legend”), e.g. using fake company ID cards, disguise, or appointments made under a false identity
- Unauthorized entry into buildings, e.g. using a false identity or pretext, or by tailgating (following an authorized employee through a controlled door). The objective inside the building is defined per project, e.g. reaching a specific room, taking specific documents, gaining access to the computer network, or placing a rogue network device (“network bug”)
- Leaving a marker in each room entered as evidence of access (optional: documentation of the process with a hidden video camera)
The attack-based assessment can be supplemented by a dedicated Maturity Level Analysis. This is done on the basis of questionnaires and through site visits.
The following parts are assessed:
- Access control
- Admission control
- Surveillance and control
- Other organizational measures
A further deepening of the assessment is possible through a technical test of the building management system and the access control system. Such an assessment comprises the following components:
- Review of the architecture of the central building management system, in particular its integration into the corporate network, and evaluation of the resulting risks
- Penetration test of the building management system from the perspective of the local network
- Research into known vulnerabilities and manipulation techniques for the access control system in use (optionally verified by attempted attacks on the system)
The assessment types described can be combined with one another as required.
Social Engineering Assessment with a focus on information security
In today’s business world, intangible assets in the form of data and know-how are of particular importance. These assets are exposed to specific risks in which humans play a major role: information leaks caused by careless behavior or negligent handling of IT systems can lead to major damage.
In terms of a holistic security concept, human factors must therefore also be included in a test. A corresponding Social Engineering Assessment can include various forms:
- Requesting confidential information by phone or e-mail under a pretext
- Delivery of harmless test “Trojan horses” (without any malicious function) via individually crafted e-mails and file attachments, to demonstrate on selected client systems that an infection would have succeeded (spear phishing)
- Placing prepared removable media (e.g. USB sticks) on the premises, with the aim of proving that they were picked up and accessed (“road apple” attack)
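The spear-phishing and road-apple variants above both rely on a payload that does nothing harmful and merely reports that it was opened. The following Python script is an added example and not part of this page or of the service it describes: it issues a per-recipient beacon token (an opaque target id plus a truncated HMAC, so a guessed or mistyped token does not count as a hit), parses constructed access-log lines in an assumed nginx-style format for fetches of that beacon, and computes the hit rate overall and per department. The target list, the secret, the log format and the `/beacon/` URL path are all assumptions made for the example.

```python
"""Benign beacon bookkeeping for a spear-phishing / road-apple simulation.

Added illustrative example, not code from the assessment described above.
The "payload" only fetches a unique URL; the assessment team records who
opened it. Token format, log layout and target list are assumptions.
"""
import hashlib
import hmac
import re
from datetime import datetime

# Constructed target list: opaque ids -> department, so the report can be
# aggregated without putting names into the beacon URL.
TARGETS = {"t001": "Finance", "t002": "Finance", "t003": "Reception", "t004": "IT"}

# Assumed campaign secret; generate a fresh random one per campaign in practice.
SECRET = b"example-campaign-secret"


def make_token(secret: bytes, target_id: str) -> str:
    """Per-recipient token: target id plus a truncated HMAC-SHA256 tag."""
    mac = hmac.new(secret, target_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{target_id}.{mac}"


def verify_token(secret: bytes, token: str):
    """Return the target id if the token is authentic, else None."""
    target_id, sep, mac = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(secret, target_id.encode(), hashlib.sha256).hexdigest()[:16]
    return target_id if hmac.compare_digest(mac, expected) else None


# Assumed nginx-style access-log line:
#   <ip> [<time>] "GET /beacon/<token>[?query] HTTP/1.1" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET /beacon/(?P<token>[^ /?"]+)[^"]*" (?P<status>\d{3})'
)


def parse_beacon_log(lines):
    """Yield (timestamp, token, ip) for every beacon fetch; skip other requests."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["token"], m["ip"]


def campaign_report(secret, targets, lines):
    """First beacon per target, hit rate overall and per department, and the
    number of fetches rejected because the token did not verify."""
    first_seen = {}
    rejected = 0
    for ts, token, ip in parse_beacon_log(lines):
        tid = verify_token(secret, token)
        if tid is None or tid not in targets:
            rejected += 1  # forged, mistyped or replayed token
            continue
        if tid not in first_seen or ts < first_seen[tid][0]:
            first_seen[tid] = (ts, ip)
    by_dept = {}
    for tid, dept in targets.items():
        hit, total = by_dept.get(dept, (0, 0))
        by_dept[dept] = (hit + (tid in first_seen), total + 1)
    return {
        "opened": sorted(first_seen),
        "hit_rate": len(first_seen) / len(targets),
        "by_department": by_dept,
        "rejected": rejected,
    }


def sample_log():
    """Constructed log lines: one target opening twice, one opening via the
    USB variant, one forged token, and unrelated scanner noise."""
    def tok(t):
        return make_token(SECRET, t)
    return [
        f'10.0.5.21 [03/Mar/2024:09:14:02 +0100] "GET /beacon/{tok("t001")} HTTP/1.1" 200',
        f'10.0.5.21 [03/Mar/2024:09:20:45 +0100] "GET /beacon/{tok("t001")} HTTP/1.1" 200',
        f'10.0.7.9 [03/Mar/2024:09:31:10 +0100] "GET /beacon/{tok("t002")}?src=usb HTTP/1.1" 200',
        '203.0.113.4 [03/Mar/2024:10:02:00 +0100] "GET /beacon/t003.0000000000000000 HTTP/1.1" 200',
        '203.0.113.5 [03/Mar/2024:10:05:00 +0100] "GET /wp-login.php HTTP/1.1" 404',
    ]


if __name__ == "__main__":
    for key, value in campaign_report(SECRET, TARGETS, sample_log()).items():
        print(f"{key}: {value}")
```

The HMAC tag is what keeps the measurement honest: without it, an automated link scanner or a curious recipient guessing neighbouring ids would inflate the hit rate, and the forged `t003` line above would have counted as a Reception hit. Recording only the first fetch per target avoids double-counting the employee who opens the attachment twice.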
The activities described in the area of information security can be combined with an assessment that focuses on physical access control.