In today’s world, social engineering is one of the most commonly used vectors by attackers to gain access to a company’s physical location and/or sensitive data. Many organizations believe their yearly security awareness trainings are enough to warn their employees of these type of attacks – but, how do they really know if they are effectively working?
Aspire Tech’s social engineering team continuously evolves and adapts to changing threats
Here at Aspire Tech, we launch realistic social engineering campaigns to evaluate how employees will react to social engineering attacks. Aspire Tech begins social engineering assessments with open-source intelligence gathering to create customized real-world attacks.
Social Engineering Introduction
Today, social engineering techniques are more sophisticated and effective than ever before. Attacks on human networks are personal, evolving, and relentless. This combination of technology, psychology, and innovation has become an extremely popular and effective way of breaching security and gaining access to sensitive data.
Aspire Tech’s Social Engineering Assessments will help clients answer the following questions:
- How susceptible is our company to social engineering attacks?
- Are our physical security controls working against an onsite attacker?
- Are our email filters catching targeted phishing emails?
- How effective is our security awareness training?
Social Engineering Framework
Aspire Tech’s Social Engineering Framework consists of three categories: Test, Identify and Secure. This framework should be implemented yearly in order for clients to see if they are improving or need to take further actions.
Identify:Identify information which is deemed to be of value and to be the focus of the OSINT phase. These items are typically sensitive or proprietary to company operations.
Collection:Gather bulk information based on input from the Identify Phase by utilizing only free, open source channels. The collection phase utilizes both automated and manual discovery processes.
Analysis:All collected information is manually inspected in detail for possible disclosure of sensitive information requested during the Identify Phase.
Documentation:Once information is found and analyzed, every finding is documented in a prioritized list. Aspire Tech includes this list along with recommendations in the final report.
Social Engineering Scope
Each of Aspire Tech’s Social Engineering Assessments are broken down into either black box or white box methods. These style of assessment approaches are designed to give clients two different options for level of effort.
In a black box style assessment, the social engineer begins the assessment with no prior information from the client, in order to see what types of intelligence (OSINT) they can find online. For these campaigns, the social engineer will gather E-mail addresses, phone numbers and information about the physical security controls to develop custom attack vectors.
Benefits of black box assessments:
- More realistic – Aspire Tech’s social engineers see what they can find without guidance of client
- Best method to simulate outside threats
During white box assessments the client provides the targets they wish to be tested, such as: phone numbers (Vishing), E-mail addresses (Phishing), and locations (Physical).
Benefits of white box assessments:
- Client controls what information and which employees they want assessed
- Best method to simulate insider threats
OSINT (Open-Source Intelligence Gathering)
Attackers utilize OSINT gathering tactics against companies to search for information that could be found in job postings, employee social media accounts, or even third party associations. Once intelligence is collected, they leverage it to create social engineering campaigns. Aspire Tech utilizes the same tactics to gather intelligence.
Phishing:Phishing has been the starting point of many data breaches. It is imperative that companies are continuously training and testing for this style of attack. Our Phishing Assessments test what percentage of client employees will pass or fail to a phishing campaign.
Vishing:Vishing (known as voice phishing) is eliciting sensitive information via the phone. Aspire Tech utilizes multiple approaches to gain information, such as spoofing phone numbers and impersonation, just as a malicious actor would.
Physical:A Physical Assessment can validate clients’ physical security controls in place and company policies, or show them areas that need improvement.
Physical security controls, which Aspire Tech will assess:
- Video surveillance
- Security guards
Company policies that may be tested:
- No tailgating policies
- Question visitors who are not wearing guest badges
- Dumpster diving
- USB Drops