Penetration Testing – Debunked! – 3/3

Penetration testing CTRL Group

In this final blog post, you will learn what Social Engineering is and why Social Engineering exercises are an important part of security testing.

What is Social Engineering?

So you have done all the appropriate penetration testing and remediation. You also have an external Security Operations Center integrated into your business. Your business is safe now, right? Wrong.

Penetration Testing is performed against technical infrastructure. It does not assess physical security or staff behaviour, so it cannot tell you whether the business is exposed to a physical breach or to staff negligence. This is where Social Engineering testing comes in.

Social Engineering is the use of deception to manipulate individuals into divulging confidential information or granting access. It can be attempted in several ways:

  • Email Phishing Attacks – Sending fraudulent, enticing emails in an attempt to bait staff into clicking links that harvest credentials or other sensitive information, or that install malware without their knowledge.
  • Phone / Vishing Attacks – Calling employees while posing as authorized personnel (IT support, a vendor, a manager) in an attempt to gain remote access to their computers or extract sensitive information.
  • Onsite Attacks – Attempting to infiltrate the company office and gain physical access to secured areas without being challenged.
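
Of the three, email phishing is the one that can be partly caught mechanically before a message ever reaches a member of staff. The Python below is an added example written for this page, not code from the original post or a CTRL Group tool. It triages a raw email for three classic lure indicators: a sender domain that is a lookalike of a trusted domain, a link whose target domain is such a lookalike, and a link whose visible text is a URL pointing somewhere other than its real `href`. The trusted domain `example.com`, the sample message and the helper names (`triage`, `is_lookalike`, `LinkExtractor`) are all constructed for this illustration.

```python
# Added example: triage an inbound email for common phishing lure indicators.
# Illustrative code for this page only; not a product of the original author.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s). Constructed for the example.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample lure: display name claims to be IT, the sender domain swaps
# "l" for "1", and the visible link text differs from the real link target.
SAMPLE_MESSAGE = b"""From: "IT Helpdesk" <helpdesk@examp1e.com>
To: staff@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires in 2 hours. Please visit
<a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a>
now to avoid losing access.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Use a public-suffix library in production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _normalise(domain):
    """Undo common homoglyph swaps so examp1e.com and exarnple.com compare equal to example.com.
    This is deliberately aggressive and will flag some legitimate domains; tune for your estate."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(str.maketrans("01", "ol"))


def _edit_distance(a, b):
    """Plain Levenshtein distance; lookalikes are usually one character away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """True if the host is NOT a trusted domain but is a homoglyph or one-edit variant of one."""
    d = registrable_domain(host)
    if d in trusted:
        return False
    return any(_normalise(d) == t or _edit_distance(d, t) == 1 for t in trusted)


def triage(raw_message):
    """Return a list of human-readable indicators found in the raw RFC 5322 message bytes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    indicators = []

    if msg["From"] is not None and msg["From"].addresses:
        sender = msg["From"].addresses[0]
        if is_lookalike(sender.domain):
            indicators.append(f"sender domain {sender.domain} is a lookalike of a trusted domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            if is_lookalike(href_host):
                indicators.append(f"link target {href_host} is a lookalike of a trusted domain")
            # Visible text that is itself a URL but points elsewhere is a classic lure.
            if re.match(r"https?://", text):
                text_host = urlparse(text).hostname or ""
                if registrable_domain(text_host) != registrable_domain(href_host):
                    indicators.append(f"link text shows {text_host} but points to {href_host}")
    return indicators


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGE):
        print("INDICATOR:", line)
```

Running the block against the constructed sample reports all three indicators. Checks like these belong at the mail gateway as a supplement to staff training, not a replacement for it: a lure sent from a legitimately compromised partner mailbox, with no lookalike domain and no mismatched link, passes every check above and is stopped only by a person who has been trained to question it.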

The above attacks are often a much easier route for an attacker than penetrating technical infrastructure, and they are becoming more common: Microsoft reported a 250% increase in phishing attacks between January and December 2018.

Staff training for email and phone-based attacks should be built into onboarding and ongoing development processes. The cost of training staff is far lower than the reputational damage and regulatory fines that follow a data breach.

Onsite security controls should be reviewed continuously. Ask yourself: could someone off the street walk into staff-only areas? Could they tailgate legitimate staff through a secured door? Could they walk freely around the office without being questioned?

Social Engineering threats often fall outside the technical security team's scope; however, they are all avenues that attackers will use. A business that cares about securing its information will continuously educate its staff, maintain strict physical security controls and, most importantly, have both regularly tested.

Conclusion:

A great security testing company will provide full-suite penetration testing services. Next time you are considering a penetration test, remember to have your company tested against Social Engineering attacks as well.