Social engineering is a method by which an attacker obtains data by exploiting peculiarities of human psychology.
The main goal of social engineering is to gain access to confidential data, passwords, banking data and other protected customer systems. This attack vector remains relevant because of the lack of information security awareness among the company's employees.
Attack vectors:
- phishing: sending e-mails and messages in instant messengers and corporate chats that use phishing websites and/or attachments carrying a payload, in order to gain access to IP and authorization data;
- vishing: social engineering carried out over phone calls;
- impersonation: the «attacker» poses as another person (administrator, courier, security guard, auditor, etc.) in order to collect private data, gain access to IS (information systems), ACS (access control systems), etc., or deliver software and/or hardware implants;
- smishing: phishing carried out over SMS messages, possibly with sender number spoofing.
Testing methods:
Social engineering can be used as part of an external / internal penetration test (the data obtained from the tests can be used within the external / internal penetration test). This method involves developing a pretext (legend) and choosing the optimal attack channels at the Contractor's discretion, based on the data obtained at the various stages of the penetration test (the plan is agreed with the Customer before the operation starts). The goal of social testing is to obtain data that enables penetration into the Customer's target systems.
Social engineering is also used as a method of assessing employees' awareness of information security issues. In this case, statistics on employees' reactions to various attack scenarios are collected (the attack is not developed further). This method involves conducting socio-technical research to determine how the Customer's employees react to particular influence methods used by a potential attacker.
We enter the data obtained into the penetration test report. Finally, the Customer receives the data of the users who visited the phishing website and entered their data.
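As an added example (not part of this service description), the following Python script turns a constructed event export from a phishing simulation into the per-scenario reaction statistics and the list of users who entered their data, which is the report content the two paragraphs above describe. The CSV column layout and the event names (sent, opened, clicked, submitted, reported) are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a phishing simulation platform (hypothetical
# format): one row per event; funnel order is sent -> opened -> clicked -> submitted,
# and "reported" means the user reported the message to security.
SAMPLE_EVENTS = """\
scenario,user,event
it_password_reset,alice,sent
it_password_reset,alice,opened
it_password_reset,alice,clicked
it_password_reset,alice,submitted
it_password_reset,bob,sent
it_password_reset,bob,opened
it_password_reset,carol,sent
it_password_reset,carol,reported
courier_invoice,alice,sent
courier_invoice,alice,opened
courier_invoice,alice,clicked
courier_invoice,bob,sent
courier_invoice,carol,sent
courier_invoice,carol,opened
courier_invoice,carol,reported
"""


def parse_events(text):
    """Return {scenario: {user: set(events)}} built from the CSV export."""
    stats = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        stats[row["scenario"]][row["user"]].add(row["event"])
    return stats


def scenario_report(stats):
    """Per-scenario awareness metrics as fractions of recipients (rounded to
    two decimals), plus the users who submitted data on the phishing page."""
    report = {}
    for scenario, users in stats.items():
        recipients = [u for u, ev in users.items() if "sent" in ev]
        n = len(recipients)

        def rate(stage):
            return round(sum(stage in users[u] for u in recipients) / n, 2) if n else 0.0

        report[scenario] = {
            "recipients": n,
            "click_rate": rate("clicked"),
            "submit_rate": rate("submitted"),
            "report_rate": rate("reported"),
            "submitted_by": sorted(u for u in recipients if "submitted" in users[u]),
        }
    return report
```

The report rate is worth tracking alongside the click and submit rates, since a rising share of employees who report the message is the clearest sign that awareness training is working.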