What is social engineering?
Social engineering penetration tests are designed to test employees’ adherence to the security policies and practices defined by the management team.
Social engineering is the act of gaining access to buildings, systems or data by exploiting human psychology, rather than using technical hacking techniques. Instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging their password.
IT Governance’s social engineering penetration tests are designed to test your employees’ security consciousness through personal contact. Our team will attempt to persuade them to provide confidential information.
Did you know?
Verizon’s 2018 Data Breach Investigations Report found that 17% of breaches are the result of social engineering attacks. This is a sizeable proportion, and every organisation is a target.
Educating employees about how these attacks are carried out and having the controls in place to mitigate them are critical. A social engineering penetration test provides a basis from which to highlight issues with operating procedures and to develop targeted training.
The benefits of a social engineering penetration test
Our social engineering penetration test will help you:
- Establish the information that an attacker could obtain about your organisation that is freely available in the public domain;
- Establish how susceptible your employees are to social engineering attacks;
- Determine the effectiveness of your information security policy and your cyber security controls to identify and prevent social engineering attacks; and
- Develop a targeted awareness training programme.
Is a social engineering penetration test right for you?
If you are responsible for your organisation’s information security, you should ask yourself:
- What information about your organisation is publicly available that could be used to create social engineering attacks?
- Are staff vulnerable to phishing and other forms of social engineering?
- Could a social engineer gain unauthorised access to offices and site locations by exploiting weak security measures?
- Could an attacker gain access to sensitive information from mislaid documentation?
- What information could be obtained by someone taking hardware off-site?
Our engagement process
Our CREST-accredited penetration testers follow an established methodology to help model your real threats and provide actionable recommendations. This approach will emulate the techniques of an attacker using many of the same readily available tools.
- Scoping: Before testing, our consultancy team will discuss your social engineering assessment requirements to define the scope of the test.
- Reconnaissance: Our social engineering team uses a variety of intelligence-gathering techniques to collect information from public sources about your organisation.
- Assessment: Our social engineering team attempts to gain access to the systems and/or buildings that hold the target information defined by you.
- Reporting: The test results will be fully analysed by an IT Governance certified tester, and a full report will be prepared for you that sets out the scope of the test, the methodology used and the risks identified.
- Workshop: Our team can also run a workshop to help your employees identify and respond to the kinds of attack carried out during the exercise.
Our penetration tests comply with the Microsoft Rules of Engagement
For Azure clients, this means we take care to limit all penetration tests to your assets, thereby avoiding unintended consequences for your customers or your infrastructure.
“IT Governance combines the delivery of real insights with a cost-effective service.”
Ian Kilpatrick, Group Information Security Officer at Collinson Group.