Social Engineering Testing

November 16, 2011 · Recent Cases

Social engineering is a term used to describe a tactic used by con artists and hackers that entails approaching individuals online, in person or over the phone in an effort to manipulate the target into divulging key information about an organization or another individual.  The information can be passwords, social security numbers, account numbers or any other confidential data that can be used to break into a computer network or to assume someone else’s identity.  It could be as simple as what kind of software is in use, or the name of the IT department manager.  Perpetrators can pose as coworkers, IT staff, repairmen or even police officers.  The purpose of the scam is to appear to be a legitimate “need-to-know” authority in need of confidential information.

In order not to fall victim to these ruses, it is important for employees to always be suspicious of, and question, anyone trying to obtain confidential information.  Scam artists will often create scenarios of great urgency, which increases the likelihood that the victim will reveal confidential information.  Often an authoritative tone and a few legitimate-sounding details (frequently data gathered in earlier social engineering scams) are all that is needed.  The creation and use of these scenarios is called pretexting.

Social engineering testing is a tool that can be used in conjunction with internal and external network breach testing, penetration testing, wireless network security testing, etc.  In cases where a breach of an organization’s IT network has occurred and confidential customer information has been stolen, it is key that all facets of IT security testing are performed.  This includes ensuring employees are properly trained to avoid becoming victims of social engineering and pretexting.

Social engineering testing will include phone calls to key staff in the:

  • Accounting Department, in an attempt to manipulate the individual into divulging customer information such as account numbers, names, addresses, phone numbers, social security numbers, most recent billings, account balances, etc.  This information could be used to impersonate someone else and make a more convincing argument to a manager, or the social security number can be used in identity theft.
  • IT Department, in an attempt to gain key information about the IT network, including usernames, passwords, hardware and software information, names of key personnel, etc.  This information could be used by a skilled hacker to access the organization’s IT network and set up spyware or other malicious programs.

Social engineering testing may also include phishing attacks directed at employees that entice them to click on an external link which then attempts to collect confidential information.  Alternatively, the external link may deliver malicious programs, including Trojan horses and keystroke loggers.
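The deceptive link is the working part of such a phishing test, so a security team screening inbound mail (or grading the results of a test campaign) wants a way to spot it mechanically.  The script below is an added illustration, not code from the original post or from any vendor; it assumes a hypothetical organization that owns the domain `example.com` and a constructed sample message, and it flags two patterns: a visible link text that names one host while the `href` points to another, and a link whose host lies outside the organization’s own domains.

```python
"""Flag deceptive links in a phishing-style e-mail (added illustration; stdlib only)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the hypothetical organization actually owns (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}

# Visible anchor text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)

# Constructed sample message: an "urgent password reset" pretext with a look-alike host.
SAMPLE_EMAIL = """From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Urgent: your password expires today
Content-Type: text/html

<html><body>
<p>Your password expires in 1 hour. Reset it now at
<a href="http://example.com.password-reset.invalid/pw">https://portal.example.com/reset</a>.</p>
<p>Questions? See the <a href="https://intranet.example.com/help">help page</a>.</p>
<p>Or use our <a href="https://shortener.invalid/xyz">shortcut link</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain; '' if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def _is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def find_suspicious_links(raw_email):
    """Return a list of (href, reason) for links worth a closer look.

    Both checks are about deception, not reputation: the visible text
    naming a different host than the href (the "looks internal, goes
    external" lure), and the href leaving the organization's own domains.
    """
    msg = message_from_string(raw_email)
    collector = _LinkCollector()
    collector.feed(msg.get_payload())

    findings = []
    for href, text in collector.links:
        href_host = _host(href)
        text_host = _host(text) if DOMAIN_LIKE.fullmatch(text) else ""
        if text_host and text_host != href_host:
            findings.append((href, f"visible text '{text}' does not match href host '{href_host}'"))
        elif not _is_trusted(href_host):
            findings.append((href, f"link leaves trusted domains ({href_host})"))
    return findings


if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{href}\n    {reason}")
```

Run against the sample, the reset link is reported for the host mismatch and the shortcut link for pointing outside the trusted domains; the genuine intranet link passes.  The same two checks make a reasonable first rubric when reviewing which lures employees clicked during a test.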

Proper assessment of IT security must include the human factor.  All of the internal and external breach testing in the world will not protect against one employee being tricked into revealing confidential and key information that would give hackers entry into an organization’s IT network.  A complete assessment of an organization’s IT security must be performed, and employees must be thoroughly trained so that they do not fall victim to skilled con artists.