Social engineering is a deception technique used to manipulate people into divulging confidential information or taking actions that benefit the attacker. It takes several forms:
- Email Phishing Attacks – Sending fraudulent, enticing emails to bait staff into clicking links that lead to credential-harvesting pages or silently install malware.
- Phone / Vishing Attacks – Calling employees while impersonating authorised personnel (IT support, a supplier, management) in an attempt to gain remote access to their computers or extract sensitive information.
- Onsite Attacks – Attempting to infiltrate the company office and gain physical access to secured areas without being challenged.
These attacks are often a far easier route in than attacking technical infrastructure directly.
It is important to note that a conventional penetration test is performed against technical infrastructure. It does not assess physical breaches or staff susceptibility to deception. Staff members are therefore both the first and the last line of defence at any organisation.
Staff training for email and phone attacks should be built into onboarding and ongoing development. Training reduces how often staff fall for these attacks but never eliminates it, so it should sit alongside technical controls such as multi-factor authentication and email filtering rather than replace them. The cost of training is far lower than the reputational damage and regulatory fines that follow a data breach.
Onsite security controls should be reviewed continuously. Ask yourself: could someone off the street walk into staff-only areas? Could they tailgate behind legitimate staff through a controlled door? Could they walk the office freely without being questioned?
Social engineering threats are often outside the technical security team's scope; however, they are all avenues an attacker may use. A business that cares about securing its information will continuously educate its staff, maintain strict physical security controls and, most importantly, have both regularly tested.
A good security testing company will offer social engineering assessments (phishing, vishing and onsite) alongside its technical penetration testing. Next time you commission a penetration test, make sure the scope includes testing your organisation against social engineering attacks.