Social Engineering

The term “Social Engineer” was popularised by Kevin Mitnick in the early 90s; however, these techniques have been around for as long as humans have.

Generally speaking, social engineering is the entry point for the majority of breaches. According to a report by Cofense, social engineering scams stole over £4 billion worldwide between 2013 and 2016.

Published figures suggest that only about 3% of malware attempts exploit an exclusively technical flaw; the other 97% target people directly through social engineering.

In some cases, attacks are meticulously planned to obtain the information the attacker wants, for any number of nefarious reasons. This can involve building complex pretexts around full social media personas, complete with backstories and friends they communicate with, simply to obtain information that would seem trivial at first, such as an employee’s email signature.

A lot of companies are clueless, because they spend most or all of their security budget on high-tech security like firewalls and biometric authentication – which are important and needed – but then they don’t train their people.

KEVIN MITNICK

The attacker then switches to another persona, that of an employee they have identified using open source intelligence (OSINT) gathering techniques.

They gather as much information on the employee as possible using public resources such as popular social media portals (LinkedIn, Facebook, Instagram), all in an attempt to understand this person and identify whom they communicate with (colleagues), and then mimic them via yet another email.

Social engineering is one of the most common vectors for compromise; this holds true for malware delivery, account compromise and CEO fraud.

Using the same techniques as the threat actors, Laneden can demonstrate the risks associated with social engineering, whether that be phishing or manipulating your employees over the phone to gain access to your network or accounts.

Laneden can provide an on-site debriefing of all findings, explaining how attackers could potentially gain control of your systems and/or exfiltrate data.

A comprehensive report is collated containing an executive summary which is consumable by anyone in the organisation regardless of their technical background. It also contains enough detail to let you understand the attacks, along with concise and clear guidance on how to remediate the relevant concerns and help your employees identify future social engineering attempts.


Methodology

Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.

The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.

Assessments are conducted in line with the current standards and methodologies utilised in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines our approach in six phases:

  • Pre-engagement
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting


Deliverables

Our consultants engage with the client to discuss the scope and make certain all is in order prior to the assessment beginning.

Communications at the beginning and end of each assessment day, confirming that the assessment is starting or ending for the day.

On-going communications from the engaged engineer, highlighting any major issues as they are found.

A comprehensive report is provided containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.

Clear and concise information describing each issue to hand.

Technical references will be provided when relevant, allowing you to gather more information on the vulnerability if required.

Each vulnerability will be put into context and given a risk-based score. Using CVSS v3 scoring together with the relevant context, you get a real picture of each associated risk.

Simple remediation advice, describing what is required to fix each vulnerability.


FREQUENTLY ASKED QUESTIONS

WHAT IS SOCIAL ENGINEERING

A “Social Engineer” is a person that uses psychological manipulation to gain an advantage, to trick people into making decisions that work in their favour.

Social Engineering is the practice of these techniques, most notably using vectors such as phishing, remote telephone attacks and physical access.


WHAT DOES SOCIAL ENGINEERING LOOK LIKE

Social Engineering is a broad term and can come in many forms.

It ranges from an email from your CEO asking for quick action on a payment, to a phone call to your IT helpdesk from a user troubled with login issues, to someone physically standing in your reception claiming to be an IT contractor and attempting to gain access to restricted areas such as server rooms or someone’s computer.

The most common forms are emails and phone calls—these alone cost businesses millions of pounds each year in losses, brand damage, fines and working hours.

Emails tend to appear to come from a sender you recognise, or to be framed as a credible request.

They tend to contain an instruction to carry out a task or some other action, along with a time constraint, such as urgently needing to send a payment or to log in to a portal using a link provided in the email.
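The email cues described above (a sender that only looks familiar, a Reply-To that quietly goes elsewhere, urgency language, and a link whose visible text does not match where it points) can be turned into simple checks. The following is an added example, not Laneden’s own tooling: the sample messages, the organisation domain example.com, the urgency phrase list and the lookalike test are all constructed for illustration, and the lookalike test is deliberately crude (it catches example-com.co but not homoglyph domains).

```python
"""Heuristic phishing-cue checks over a constructed sample email.

Added example, not Laneden's tooling. ORG_DOMAIN, URGENCY_PHRASES and both
sample messages are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the domain the organisation legitimately sends from.
ORG_DOMAIN = "example.com"

# Constructed: phrases that add time pressure in CEO-fraud style emails.
URGENCY_PHRASES = (
    "urgent", "immediately", "as soon as possible", "today",
    "before close of business", "right away",
)

# Constructed phishing sample: lookalike sender, external Reply-To,
# urgency wording, and a link whose text disagrees with its href.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-com.co>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: Urgent payment needed today
Content-Type: text/html

<p>Hi, I need you to action a supplier payment immediately, before close of business.</p>
<p>Approve it here: <a href="http://example-com.co/portal">https://portal.example.com/approve</a></p>
"""

# Constructed benign sample for contrast.
BENIGN_EMAIL = """\
From: Bob <bob@example.com>
To: finance@example.com
Subject: Lunch

<p>See you at noon.</p>
"""


def _domain(addr):
    """Return the lowercased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, org=ORG_DOMAIN):
    """Crude lookalike test: the domain is neither org nor a subdomain of it,
    yet still contains org's first label (e.g. example-com.co)."""
    if not domain or domain == org or domain.endswith("." + org):
        return False
    return org.split(".")[0] in domain


def analyse(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    _, sender = parseaddr(msg.get("From", ""))
    from_domain = _domain(sender)
    if lookalike(from_domain):
        findings.append(f"sender domain {from_domain!r} looks like {ORG_DOMAIN!r}")
    elif from_domain != ORG_DOMAIN:
        findings.append(f"sender domain {from_domain!r} is external to {ORG_DOMAIN!r}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply)!r} differs from From domain {from_domain!r}")

    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Flag anchors whose visible URL names a different host than the href.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname or ""
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host!r} but points at {href_host!r}")

    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(sample) or "no cues found")
```

Checks like these are a training aid rather than a mail filter: the point is to show staff the concrete cues (who the message really came from, where a reply really goes, where a link really leads) that the pretext is designed to make them skip.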

Phone calls are in many cases made to a helpdesk or service desk, to someone who is used to helping callers, under the guise of a particular staff member looking to get a network account password reset, in an attempt to gain access to your corporate network.


ARE THERE ANY MITIGATIONS WHEN IT COMES TO SOCIAL ENGINEERING

It all sounds very damning; however, it is not the end of the world, just yet.

Employees given the right guidance can learn to recognise cues and traits, seeing through most manipulation attempts. The best defence against social engineering attacks is the very people they target.

If we can teach our employees what to look for, they can see through the facade and raise the alarm on a potential attack, halting it in its tracks before it turns into a breach, brand damage and potential regulatory fines.