Social Engineering

Social Engineering is a technique by which an imposter approaches unsuspecting users in an attempt to extract useful information. The objective of SeNet's Social Engineering inspection is to identify and report on security awareness deficiencies so that our customers can focus on and improve these areas in their employee IT security awareness training programs. SeNet has performed social engineering exercises for multiple clients, each time identifying a number of interesting findings in the time that was allotted. Some common social engineering techniques that we typically perform include:

  • Phishing attempts using spoofed e-mails and fake Web sites that trick legitimate users into assisting with browser- and e-mail-client-based attacks, giving up legitimate authentication credentials, and revealing potentially sensitive information.
  • Attempts to gain any password access using multiple Social Engineering approaches: Authoritative, Impersonation, Intimidation, Ingratiation, Innocuous Questions, Rushing, and Name Dropping. These attempts target the help desk and the Osage operations staff. Tests will be conducted during stated hours of operations.
  • Telephone attempts to obtain or modify the network password of IT staff using multiple Social Engineering approaches: Authoritative, Impersonation, Intimidation, Ingratiation, Innocuous Questions, Rushing, and Name Dropping.
  • Unescorted, un-badged patrols of the halls, measuring the time and distance traveled until someone inquires about the tester's presence, and noting what action the inquirers took after acknowledging the tester's presence.
  • Unattended presence in an employee cubicle, measuring the time until someone inquires about the tester's presence, and noting what action the inquirers took after acknowledging the provider's presence.
  • Eavesdropping during un-badged patrol of halls and unattended presence in employee cubicle.
  • Unattended, noninvasive accumulation of proprietary data (e.g., post-it notes with passwords) which, if found, will be turned in to the Security Officer immediately.
  • Approaching staff members in person and soliciting information or assistance (e.g., help in printing a document stored on the tester's CD/USB).

For more information on how we can provide assistance in these types of exercises, please contact us.