Social Engineering addresses non-technical intrusions, which typically result from human action. These engagements often involve tricking people into breaking normal security procedures.
Social engineering usually involves a deception: gaining the target's confidence by posing as a trusted source, relying on the natural helpfulness of people as well as on their weaknesses. Other Social Engineering techniques include eavesdropping, appealing to the target's vanity or invoking authority, physical security bypass, and searching refuse bins for sensitive information.
The following Social Engineering services are offered as part of our comprehensive Technology Risk Management practice:
Pretexting. Typically done over the phone, pretexting is the act of creating and using an invented scenario to persuade a targeted victim to release information or perform an action. This technique is often used to trick a business into disclosing customer information. For example, an attacker calls the helpdesk to have an account password reset, relying on staff not verifying the caller's identity.
Phishing. The "phisher" sends an email that appears to come from a legitimate business, such as a bank or credit card company, and requests "verification" of account information. The email usually contains a link to a fraudulent web page that looks legitimate and contains a form requesting everything from the user's home address to his or her debit card PIN.
Dumpster/Trash Can Diving. These techniques are used to retrieve information that could be used to carry out an attack on a computer network. Diving isn’t limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used by an attacker to target victims and gain access to the network.
USB Drops. An engineer will drop multiple USB drives outside of your company. If a USB drive is inserted into a PC, a program will auto-run and connect via a secure channel to AccessIT Group through an open port. If requested, sensitive account and PC information can be copied and used to attempt to penetrate the internal network.
Mobile Exploits. The act of assessing device security by launching actual attacks designed to run on or against targeted devices. This technique involves replicating email and text-based phishing attacks to determine whether employees would click through to malicious sites and/or install nefarious mobile apps.