How to Plan a Social Engineering Assessment

by Tashina

A social engineering assessment is an important way to understand an organisation's security exposure, because people make mistakes and are widely regarded as the weakest link in any security strategy.

A social engineering assessment quickly identifies the key areas a company needs to address, so it is important that the information security professional running it designs, organises and carries out the assessment properly.
So, what should security professionals consider when planning this kind of review?

Plan and Organise

The first step is to plan and organise your assessment. Decide which areas you need to review and how you can best measure the security posture of each one. Some potential areas to consider are:

  • Phishing attempts – how do employees react when they receive suspicious emails and requests?
  • Connecting a device to the company's network from areas the tester is allowed to be in, in plain sight of staff, to see whether anyone challenges it.
  • Attempts to enter unauthorised areas unaccompanied, to see how security personnel and employees react.
  • Asking for confidential information about the company or its employees by email and phone.

Once you have identified the key areas for your review, write out the scenarios each test could produce and how you will respond to each. This matters most for physical security controls, where the outcome depends on the people you meet; anticipate what may happen in each situation before you are standing at the door.

Identify Attack Vectors

Next, identify the methods you will use during the assessment and link each one to the group of users it targets. For example:

  • Testing security guards by impersonating someone with a plausible connection to the organisation.
  • Testing security guards with a tailgating test. This involves closely observing employees as they enter the building, especially at peak times when large numbers of people come through the doors at once.
  • Testing accounting personnel with a phishing email that appears to come from an executive's office and asks them to send the last six months' expense reports for review.
  • Testing IT staff with an impersonation test, for example by posing as an employee who needs a password reset.

Listing these attack vectors not only steers the direction of the social engineering assessment but also helps management understand the steps you took during it.
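Before committing to the executive-spoof pretext above, check whether the target domain's mail authentication even allows an exact From: spoof; if DMARC enforces reject, a lookalike domain or a display-name spoof is the realistic vector and should be the one you plan for. The Python below is an added example, not the author's or Aardwolf Security's tooling. It rates a domain from its SPF and DMARC records; the domain names and records in it are constructed test data rather than real DNS answers, and the three-level rating is a planning heuristic, not a statement about how any particular receiver behaves.

```python
"""Gauge how easily the target's own domain can be spoofed in the From:
header, from its published SPF and DMARC records.

The records here are constructed strings. On a live engagement you would
fetch the TXT records for <domain> and _dmarc.<domain> with your DNS
library of choice and feed them to spoof_exposure().
"""
import re

SPF_ALL_RE = re.compile(r"^([-~?+]?)all$", re.IGNORECASE)


def parse_spf(record):
    """Return the qualifier on the terminating 'all' mechanism ('-', '~', '?'
    or '+'), or None if this is not an SPF record or has no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = SPF_ALL_RE.match(term)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all'
    return None


def parse_dmarc(record):
    """Return the DMARC tag/value pairs as a dict, or None if not DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spoof_exposure(spf_record, dmarc_record):
    """Heuristic rating of an exact-domain spoof for planning purposes.

    'blocked' - DMARC reject/quarantine at pct=100: enforcing receivers will
                reject or junk the mail, so plan on a lookalike domain or a
                display-name spoof instead.
    'partial' - enforcement covers only part of the mail, or SPF hard-fails
                with no DMARC policy behind it: delivery depends on receiver.
    'direct'  - no meaningful enforcement: the executive's real address can
                go straight into the From: header.
    """
    spf_all = parse_spf(spf_record)
    dmarc = parse_dmarc(dmarc_record) or {}
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy in ("reject", "quarantine") and pct >= 100:
        return "blocked"
    if policy in ("reject", "quarantine"):
        return "partial"
    if spf_all == "-":
        return "partial"
    return "direct"


# Constructed records for three hypothetical target domains (not real lookups).
SAMPLE_RECORDS = {
    "hardened.example": ("v=spf1 include:_spf.mail.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example"),
    "rolling-out.example": ("v=spf1 ip4:203.0.113.0/24 -all",
                            "v=DMARC1; p=quarantine; pct=25"),
    "open.example": ("v=spf1 a mx ~all", "v=DMARC1; p=none"),
}


def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its exposure rating."""
    return {d: spoof_exposure(spf, dmarc) for d, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, rating in assess_all().items():
        print(f"{domain:22} {rating}")
```

Treat the rating as a starting point: a "blocked" result tells you to spend your effort on a registered lookalike domain and a convincing display name, while a "direct" result is itself a finding worth a line in the report, regardless of whether anyone clicks.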

Execute and Report

Now execute the vectors listed in the previous step and document the response to each one, so that every finding is backed by evidence: recordings of the phone calls, replies to the phishing emails, and documents recovered during dumpster diving. Make sure the engagement agreement explicitly authorises each of these activities, particularly call recording and dumpster diving, before you start.

Once all the results are in, produce a detailed report covering the vulnerabilities discovered during the social engineering assessment and recommendations on how to mitigate them.
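Reporting per-person click and submission rates needs evidence that ties each landing-page hit to one recipient without putting their email address in the URL. The Python below is an added example, not code from the original article or from Aardwolf Security: it issues a random per-recipient token for the phishing link, then correlates web-server access-log lines against those tokens so the report can say who clicked and who went on to submit, while discounting hits from scanners and link previewers. The landing hostname, paths, recipient addresses and log lines are constructed assumptions.

```python
"""Correlate phishing-simulation evidence with the targeted recipients."""
import re
import secrets

LANDING_HOST = "https://portal-review.example"  # assumed landing-page host


def issue_tokens(recipients):
    """Map a unique, unguessable tracking token to each recipient."""
    tokens = {}
    for recipient in recipients:
        tok = secrets.token_urlsafe(12)
        while tok in tokens:  # practically impossible, but keep the map one-to-one
            tok = secrets.token_urlsafe(12)
        tokens[tok] = recipient
    return tokens


def build_links(tokens):
    """Per-recipient landing-page URLs to drop into the pretext email."""
    return {r: f"{LANDING_HOST}/review?t={tok}" for tok, r in tokens.items()}


# Common Log Format request line: enough to pull method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TOKEN_RE = re.compile(r"[?&]t=([A-Za-z0-9_-]+)")


def attribute_events(log_lines, tokens):
    """Tie each landing-page hit back to a recipient via its token.

    GET /review counts as a click, POST /review/login as a credential
    submission. Hits with no known token (scanners, link previewers, typos)
    are tallied separately so they do not inflate the human click rate.
    """
    results = {r: {"clicked": False, "submitted": False, "first_seen": None}
               for r in tokens.values()}
    unattributed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.search(m["path"])
        recipient = tokens.get(t.group(1)) if t else None
        if recipient is None:
            unattributed += 1
            continue
        entry = results[recipient]
        if entry["first_seen"] is None:
            entry["first_seen"] = m["ts"]
        path = m["path"].split("?", 1)[0]
        if m["method"] == "GET" and path == "/review":
            entry["clicked"] = True
        elif m["method"] == "POST" and path == "/review/login":
            entry["clicked"] = True  # a submission implies the page was loaded
            entry["submitted"] = True
    return results, unattributed


def summarise(results):
    """Headline numbers for the report."""
    return {
        "targeted": len(results),
        "clicked": sum(1 for e in results.values() if e["clicked"]),
        "submitted": sum(1 for e in results.values() if e["submitted"]),
    }


def demo():
    """Run the pipeline over constructed evidence (not a real campaign)."""
    recipients = ["ap.clerk@target.example", "payroll@target.example",
                  "cfo.assistant@target.example"]
    tokens = issue_tokens(recipients)
    by_recipient = {r: t for t, r in tokens.items()}
    # Constructed access-log lines: two clicks, one followed by a submission,
    # plus one hit carrying a bogus token from a scanner.
    log_lines = [
        f'198.51.100.7 - - [12/Mar/2024:09:14:02 +0000] "GET /review?t={by_recipient[recipients[0]]} HTTP/1.1" 200 5120',
        f'198.51.100.7 - - [12/Mar/2024:09:14:40 +0000] "POST /review/login?t={by_recipient[recipients[0]]} HTTP/1.1" 302 0',
        f'198.51.100.23 - - [12/Mar/2024:09:20:11 +0000] "GET /review?t={by_recipient[recipients[1]]} HTTP/1.1" 200 5120',
        '203.0.113.9 - - [12/Mar/2024:09:21:55 +0000] "GET /review?t=zzzz HTTP/1.1" 200 5120',
    ]
    results, unattributed = attribute_events(log_lines, tokens)
    return summarise(results), unattributed


if __name__ == "__main__":
    print(demo())
```

Keep the token-to-recipient map with the rest of the engagement evidence and destroy it at the end of the engagement; it is the only thing that links the anonymous log entries to named staff, and the report itself should present rates and patterns rather than single out individuals.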

Contact Aardwolf Security services to get a comprehensive social engineering assessment for your organisation!
