Social Engineering

Analyze and Improve the Effectiveness of Your IT Security Education, Awareness and Training Programs

Social Engineering and Your Business

The essence of social engineering is fairly simple—threat agents directly or indirectly trick users into voluntarily doing something that they shouldn’t.

This isn’t a problem companies can afford to overlook. Research indicates that social engineering attacks happen frequently and can lead to significant financial and data losses. At the same time, studies reveal that most corporate employees are poorly equipped to recognize and withstand an average social engineering attack.

What is Social Engineering?

During a social engineering attack, deceptive tactics are used to manipulate a target company’s employees into disclosing sensitive information, or into providing access to systems that contain sensitive data.

Methods range from targeted phishing emails and spoofed landing pages that collect credentials and other information, to email attachments or links that exploit known vulnerabilities (or simply persuade the recipient to run a file) in order to install unauthorized software (malware) on an employee’s computer. The most common vectors are phishing by email, text message or phone, malicious attachments and links that deliver malware, and web pages that impersonate company or vendor sites.
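The indicators a mail gateway or analyst looks for in the phishing messages described above can be checked mechanically. The following is an added example, not code from the original page or from Oxford Consulting Group: it parses two constructed RFC 822 messages and reports display-name spoofing, lookalike sender domains, a diverted Reply-To, links whose visible text names a different host than the link target, and risky attachment types. The company domain `example.com`, the lookalike thresholds and both sample messages are assumptions chosen for the demonstration.

```python
"""Score raw RFC 822 messages for common phishing indicators (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumed: the target company's own mail domain
RISKY_EXTENSIONS = {".exe", ".js", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates a trusted domain without being one.

    Heuristic: the trusted domain embedded in a longer name
    (example.com.login-secure.net) or within two edits of it.
    """
    if domain in TRUSTED_DOMAINS:
        return False
    return any(t in domain or 0 < levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def phishing_indicators(raw):
    """Return the sorted list of indicator names found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name shows an address at a trusted domain the real sender does not use
    claimed = re.findall(r"[\w.-]+@([\w.-]+)", display)
    if from_domain not in TRUSTED_DOMAINS and any(d.lower() in TRUSTED_DOMAINS for d in claimed):
        found.add("display-name-spoof")

    # 2. Sender domain imitates the company domain
    if is_lookalike(from_domain):
        found.add("lookalike-domain")

    # 3. Replies are diverted to a domain other than the sender's
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        found.add("reply-to-mismatch")

    for part in msg.walk():
        # 4. Link text names one host while the href points at another
        if part.get_content_type() == "text/html":
            html = part.get_content()
            for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', html, re.I):
                href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
                shown = re.search(r"https?://([^/\s]+)", text)
                if shown and shown.group(1).lower() != href_host:
                    found.add("link-text-mismatch")
        # 5. Executable or macro-enabled attachment
        fname = part.get_filename()
        if fname and any(fname.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            found.add("risky-attachment")
    return sorted(found)


# Constructed sample messages (not real traffic).
PHISH = """\
From: "IT Helpdesk helpdesk@example.com" <alerts@examp1e.com>
Reply-To: collector@mail-recovery.biz
To: staff@example.com
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Renew now: <a href="http://examp1e.com/login">https://portal.example.com/reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

LEGIT = """\
From: Payroll <payroll@example.com>
To: staff@example.com
Subject: March payslips
Content-Type: text/plain; charset="utf-8"

Payslips are on the intranet as usual.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(label, phishing_indicators(raw))
```

None of these checks is conclusive on its own; an internal newsletter service legitimately sets a different Reply-To, for instance. The value is in combining them: a message that trips three or more deserves a closer look, and the lookalike check should be tuned against the organization's real vendor domains to keep false positives down.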

Other methods are as basic as a phone call or an onsite visit. In fact, DEF CON, one of the largest information security conferences, runs an annual contest to see which team can get employees of large enterprises to divulge the most potentially sensitive information. Since the goal is to educate, not to harm, the contest teams use only the telephone.

In a real social engineering attack, unfriendly outsiders don’t respect the same limits as Defcon contest participants.  For example:

  • A social engineer may threaten your employees or put them on the defensive by making them think they are being investigated for wrongdoing
  • The social engineer will often monitor the social media postings of company employees for useful data
  • They may even “dumpster dive” to find improperly-discarded sensitive company data

Loss of customer data is a problem in itself, and may trigger legal breach-notification obligations. Worse yet, customer records may also contain additional information, such as store or employee numbers, that can be used to make a secondary attack sound far more plausible. For instance, someone may pose as the manager of another branch and call with a question about procedure. The answer to that question may make further impersonation

Protecting Your Business from Social Engineering Attacks

Our social engineering services include direct and indirect assessments such as passive Internet reconnaissance, phone-based persuasion campaigns and targeted phishing attacks.

Our Social Engineering Services

We leverage a variety of techniques and tools that help you understand your company’s susceptibility to misrepresentation or deception, assess the depth of the issue, and provide strategies and employee training to protect your company from social engineering attacks in the future.

IT Security Program Evaluation
  • We’ll conduct a thorough review of your current security program to measure its effectiveness. We’ll perform sensitive document handling audits (including dumpster diving) and physical security assessments to help you understand how your employees handle and dispose of personal and sensitive information. We’ll document our findings and identify opportunities for improvement.
Social Engineering Attack
  • We’ll measure the level of trust obtainable through non-technical manipulation of employees. We’ll conduct phone-based persuasion attacks that use impersonation, insinuation, conformity, diffusion of responsibility, and friendliness. We’ll conduct passive Internet reconnaissance and launch targeted phishing attacks.
  • From these activities we’ll identify the most likely weakest marks (targets) and document the areas of exposure and opportunities for improvement.
Social Engineering Training and Education
  • We’ll help you develop effective awareness, training and education strategies and programs that provide a first line of defense against social engineering attacks.
Security Policy Development and Review
  • We’ll develop an information security policy that educates your employees about social engineering attacks and provides guidance on how to handle and protect sensitive data going forward.

Your Social Engineering Services Partner

Our Information Security consultants have knowledge and experience conducting a variety of social engineering assessments.  Leverage our experience and knowledge to protect your business from social engineering attacks.  Contact Oxford Consulting Group today.