IBM research indicates that 95% of all cybersecurity breaches involve human error. Cybercriminals use social engineering techniques to manipulate or persuade employees into giving away sensitive company information. How do you protect your employees and data against these techniques? Social engineering penetration testing lets you detect such weaknesses and address them before a real attacker exploits them. In this article, we explain the social engineering techniques pen testers use and show what our pen testers have found during tests.
What are social engineering attacks?
Social engineering is a form of cyber attack in which an attacker exploits an employee's trust to gain access to company data or systems. It relies on deceiving people rather than on defeating technology: psychological pressure and a plausible pretext are used to persuade employees to break the organization's security rules, whether intentionally or by accident. In a successful attack, employees give away details such as names and job titles, or even login credentials.
Detecting and preventing threats
Pen testers use the same techniques as real attackers to measure how aware employees are of social engineering, with the organization's permission and within an agreed scope, but without the employees' knowledge. The techniques are discussed below.
Phishing
Phishing is one of the most common cyber attacks. Attackers craft convincing emails with attachments or links that look legitimate but are malicious. They use current events, account notifications, corporate communications and a sense of urgency to trick the recipient into acting before thinking. A single malicious email that succeeds can cause enormous damage within a company. A phishing test measures whether employees open malicious emails, click on links, download content or enter data. Spear phishing can also be used: a targeted form of phishing in which the emails are tailored to well-researched individual victims.
During one social engineering engagement, our pen testers ran a spear-phishing test against four employees. One of them unknowingly handed over login credentials, which gave our specialists access to the organization's Office 365 environment, including data such as passports and Social Security numbers.
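As an added illustration (not code from this article or from our test reports), the Python script below turns the lures just described into simple triage checks and runs them over two constructed sample emails: a harmless internal message and a spear-phishing message with a lookalike sender domain, a mismatched Reply-To, urgency wording and a macro-enabled attachment. The trusted-domain list, the keyword list, the risky-extension list and the two-edit lookalike threshold are assumptions chosen for the example.

```python
"""Heuristic phishing triage over constructed sample emails.

Added example, not code from the original article. The trusted domains,
keyword lists, thresholds and both sample messages are assumptions made
for illustration; the checks mirror the lures described in the text.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "example-hr.com"}   # assumption: the organisation's own domains
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "action required",
                 "verify your account", "account suspended")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".iso", ".docm", ".xlsm")


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True for a domain within two edits of a trusted domain that is not that domain."""
    domain = domain.lower()
    return domain not in trusted and any(edit_distance(domain, t) <= 2 for t in trusted)


def body_text(msg):
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw):
    """Return {'score': n, 'findings': [...]}, one point per indicator found."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # 1. Display name borrows a trusted brand while the address is somewhere else.
    if display and sender_domain not in TRUSTED_DOMAINS:
        if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            findings.append(f"display name '{display}' but sender domain '{sender_domain}'")
    # 2. Replies are routed to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != sender_domain:
        findings.append(f"Reply-To domain differs from From domain ({reply})")
    # 3. Sender domain is a lookalike of a trusted one.
    if sender_domain and is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain '{sender_domain}'")
    # 4. Urgency language in subject or body.
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    # 5. Attachments with executable or macro-enabled extensions.
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment '{name}'")
    # 6. Links pointing at lookalike hosts.
    for host in set(re.findall(r"https?://([^/\s\"'>]+)", text)):
        if is_lookalike(host):
            findings.append(f"link to lookalike host '{host}'")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages, not real traffic.
BENIGN = """\
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free on Thursday? Menu: https://example.com/canteen
"""

SPEAR_PHISH = """\
From: "Example HR Team" <hr@exarnple.com>
Reply-To: hr-portal@mail-verify.net
To: alice@example.com
Subject: Action required: verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached policy immediately or your account will be suspended.
Log in at http://exarnple.com/login to confirm.
--b1
Content-Type: application/octet-stream; name="policy.docm"
Content-Disposition: attachment; filename="policy.docm"

AAAA
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("spear-phish", SPEAR_PHISH)):
        result = score_message(raw)
        print(label, result["score"], *result["findings"], sep="\n  ")
```

Run it and the benign message scores 0 while the spear-phishing sample trips every check. The point is not the scoring itself but the indicators: each one corresponds to something an employee can be taught to look for (who is really sending this, where do replies go, does the link host match, why the urgency, what is the attachment). A real mail gateway would add SPF, DKIM and DMARC results and sender reputation on top of these heuristics.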
Vishing
Vishing (voice phishing) is social engineering by telephone: the attacker calls an employee and talks them into disclosing information about the company, such as names and financial or personal data, or even into performing a password reset. During a vishing test, the pen tester calls staff and attempts to obtain confidential information, which tests the personnel's level of awareness.
In a recent vishing test, one of our pen testers cleverly exploited the helpfulness of a customer service representative, gained unauthorized access to an account and obtained sensitive data. Why do people fall for this? Attackers appeal to people's empathy and willingness to help, and that usually gets them a long way.
USB Rubber Ducky
A USB Rubber Ducky looks like an ordinary USB stick, but it is a keystroke injection device: a small microcontroller that registers itself with the computer as a keyboard and types a pre-programmed sequence of keystrokes the moment it is plugged in. Because the operating system sees nothing more than a keyboard, the typed commands run with the privileges of whoever is logged in. Sometimes an attacker waits for someone else to plug the device in, sometimes the attacker does it personally. With a Rubber Ducky, a pen tester tests how easily he can plug the device into an unattended computer, or how easily employees plug it in themselves.
In a previous test, our pen testers used a USB Rubber Ducky to check whether an organization's employees locked their computers when they left their desks. They did not, and the Rubber Ducky provided access to Office 365, which allowed e-mail addresses, calendars, SharePoint and other company data to be obtained.
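As an added example (not part of the original article), the script below shows one way a defender can detect the device's giveaway: keystrokes arriving faster than any person types. It replays a constructed keystroke log in which a user types, holds a key down so that it auto-repeats, and then a scripted device types a Run-dialog payload at 12 ms per key. The 30 ms threshold, the 8-key window, the helper that builds the log and the sample payload are all assumptions made for the example.

```python
"""Spotting keystroke injection from inter-key timing.

Added example, not code from the original article. The event log is
constructed, and the 30 ms threshold and 8-key window are assumptions:
a scripted HID device types at a few milliseconds per key, while people
rarely sustain intervals below about 30 ms outside key auto-repeat.
"""
from itertools import cycle

MAX_HUMAN_INTERVAL_MS = 30   # assumption: sustained intervals below this are not typed by hand
MIN_RUN = 8                  # assumption: consecutive fast keys needed before alerting


def injection_runs(events, max_interval=MAX_HUMAN_INTERVAL_MS, min_run=MIN_RUN):
    """Find maximal runs of at least min_run keystrokes that each arrive within
    max_interval ms of the previous one. events: list of (timestamp_ms, key).
    Returns [(start_index, end_index, typed_text), ...]."""
    runs, start = [], 0
    for i in range(1, len(events) + 1):
        if i == len(events) or events[i][0] - events[i - 1][0] > max_interval:
            if i - start >= min_run:
                runs.append((start, i - 1, "".join(k for _, k in events[start:i])))
            start = i
    return runs


def typed(start_ms, keys, intervals):
    """Build (timestamp, key) events from per-key intervals; helper for the constructed log."""
    events, t = [], start_ms
    for key, dt in zip(keys, intervals):
        t += dt
        events.append((t, key))
    return events


# Constructed sample log: a person typing, a held key auto-repeating, an injected
# payload that opens the Run dialog and launches a shell, then the person again.
HUMAN_RHYTHM = cycle([180, 140, 220, 95, 160])
SAMPLE_EVENTS = typed(0, list("hello team, "), HUMAN_RHYTHM)
SAMPLE_EVENTS += typed(SAMPLE_EVENTS[-1][0], list("aaaa"), [150, 30, 30, 30])  # key auto-repeat
SAMPLE_EVENTS += typed(SAMPLE_EVENTS[-1][0] + 2000,
                       ["<GUI-r>"] + list("powershell") + ["<ENTER>"], cycle([12]))
SAMPLE_EVENTS += typed(SAMPLE_EVENTS[-1][0], list(" back to work"), HUMAN_RHYTHM)


def detect(events=SAMPLE_EVENTS):
    """Return the text of each suspicious run (empty list when nothing was injected)."""
    return [text for _, _, text in injection_runs(events)]


if __name__ == "__main__":
    for start, end, text in injection_runs(SAMPLE_EVENTS):
        print(f"keys {start}-{end} arrived too fast for a human: {text!r}")
```

The human text and the four-key auto-repeat burst are left alone; only the twelve-key payload is reported. Timing is a useful signal, but the control the test above actually exercised is simpler: a short automatic screen-lock timeout, and where possible restricting which USB devices may enumerate as keyboards.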
Mystery guest
In a mystery guest test, the pen tester attempts to enter an organization's building, posing for example as a mechanic, cleaner or new employee. This gives insight into weaknesses in physical and information security and in security awareness, such as unauthorized access to systems and workspaces and careless handling of equipment, information and files left on desks.
During one mystery guest test, one of our pen testers gained entry to a client's office. While walking through the office, he found an employee's laptop left unattended, inserted a USB stick carrying malware, and thereby gained access to the organization's internal network.
How do you prevent this?
Be aware that the human factor is a key component of your security strategy. Social engineering testing lets you measure and reinforce employees' awareness of security risks. Only a combination of technical controls and security awareness among employees protects your organization's digital environment.
Want to know more about the social engineering techniques that (ethical) hackers use? Our specialists will be happy to tell you more!
Contact