Social Engineering Testing

In today’s world, social engineering is one of the most commonly used vectors by attackers to gain access to a company’s physical location and/or sensitive data. Many organizations believe their yearly security awareness trainings are enough to warn their employees of these type of attacks – but, how do they really know if they are effectively working?

Aspire Tech’s social engineering team continuously evolves and adapts to changing threats

Here at Aspire Tech, we launch realistic social engineering campaigns to evaluate how employees will react to social engineering attacks. Aspire Tech begins social engineering assessments with open-source intelligence gathering to create customized real-world attacks.

Social Engineering Introduction

Today, social engineering techniques are more sophisticated and effective than ever before. Attacks on human networks are personal, evolving, and relentless. This combination of technology, psychology, and innovation has become an extremely popular and effective way of breaching security and gaining access to sensitive data.

Aspire Tech’s Social Engineering Assessments will help clients answer the following questions:

  • How susceptible is our company to social engineering attacks?
  • Are our physical security controls working against an onsite attacker?
  • Are our email filters catching targeted phishing emails?
  • How effective is our security awareness training?

Social Engineering Framework

Aspire Tech’s Social Engineering Framework consists of three categories: Test, Identify and Secure. This framework should be implemented yearly in order for clients to see if they are improving or need to take further actions.

Aspire Tech-social-engineering-phases

Identify:Identify information which is deemed to be of value and to be the focus of the OSINT phase. These items are typically sensitive or proprietary to company operations.

Collection:Gather bulk information based on input from the Identify Phase by utilizing only free, open source channels. The collection phase utilizes both automated and manual discovery processes.

Analysis:All collected information is manually inspected in detail for possible disclosure of sensitive information requested during the Identify Phase.

Documentation:Once information is found and analyzed, every finding is documented in a prioritized list. Aspire Tech includes this list along with recommendations in the final report.

Social Engineering Scope

Assessment Approaches

Each of Aspire Tech’s Social Engineering Assessments are broken down into either black box or white box methods. These style of assessment approaches are designed to give clients two different options for level of effort.

Black Box

In a black box style assessment, the social engineer begins the assessment with no prior information from the client, in order to see what types of intelligence (OSINT) they can find online. For these campaigns, the social engineer will gather E-mail addresses, phone numbers and information about the physical security controls to develop custom attack vectors.

Benefits of black box assessments:

  • More realistic – Aspire Tech’s social engineers see what they can find without guidance of client
  • Best method to simulate outside threats

White Box:

During white box assessments the client provides the targets they wish to be tested, such as: phone numbers (Vishing), E-mail addresses (Phishing), and locations (Physical).

Benefits of white box assessments:

  • Client controls what information and which employees they want assessed
  • Best method to simulate insider threats

OSINT (Open-Source Intelligence Gathering)

Attackers utilize OSINT gathering tactics against companies to search for information that could be found in job postings, employee social media accounts, or even third party associations. Once intelligence is collected, they leverage it to create social engineering campaigns. Aspire Tech utilizes the same tactics to gather intelligence.

Phishing:Phishing has been the starting point of many data breaches. It is imperative that companies are continuously training and testing for this style of attack. Our Phishing Assessments test what percentage of client employees will pass or fail to a phishing campaign.

Vishing:Vishing (known as voice phishing) is eliciting sensitive information via the phone. Aspire Tech utilizes multiple approaches to gain information, such as spoofing phone numbers and impersonation, just as a malicious actor would.

Physical:A Physical Assessment can validate clients’ physical security controls in place and company policies, or show them areas that need improvement.

Physical security controls, which Aspire Tech will assess:

  • Video surveillance
  • Security guards
  • Locks

Company policies that may be tested:

  • No tailgating policies
  • Question visitors who are not wearing guest badges
  • Dumpster diving
  • USB Drops

Copyright © 2021 Aspire Tech, All rights reserved.