Remote Social Engineering Testing
Redspin's Social Engineering Security Assessment reviews and evaluates user awareness of specific information security policies and procedures. The primary goals of this assessment are to:
- Provide management with an understanding of the level of risk introduced by end users.
- Provide recommendations and details to facilitate a cost-effective and targeted mitigation approach.
- Create a basis for future decisions regarding information security strategy and resource allocation.
What are some of the questions a Social Engineering Security Assessment answers?
- How easy is it to elicit sensitive information from end users?
- How effective is our information security training and awareness program?
- Which department is most vulnerable to social engineering?
- How can we measure employees' retention of our information security policies?
- How do we compare to other companies?
Redspin's remote social engineering techniques include:
- Email — Users are engaged remotely via email and tested on whether they will interact with untrusted links, websites, or requests. Sensitive information is also requested.
- Telephone — Users are engaged remotely via telephone and tested on whether they will disclose sensitive information such as their passwords.
The specific attacks selected for this engagement are based upon the specific needs and requirements of each client.
Performing this assessment on a regular basis also helps address specific regulatory requirements, such as FFIEC/GLBA, HIPAA/HITECH, PCI DSS, and NERC.
For Email-based Social Engineering, Redspin requests that the client provide a list of email addresses to be tested. A custom email is crafted and sent to each employee using a spoofed source address. The message encourages the user to perform unsafe actions such as clicking on a link or visiting an unauthorized website. Each user's response is recorded and reported. For an additional fee, the client can choose not to provide a list of email addresses, and Redspin will instead locate all employee email addresses that are publicly available.
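The recording step above depends on being able to tie each click back to the recipient and their department without letting one recipient guess another's link. The following is an added illustration of one way to do that, not Redspin's tooling: each recipient gets an HMAC-derived token in their link, the landing host's access log is parsed for token hits, repeat clicks are counted once, tokens the campaign never issued are discarded, and results are rolled up per department. The campaign secret, landing URL, recipient list and log lines are all constructed for the example.

```python
"""Per-recipient tracking links and click-rate reporting for an email
social-engineering test (added illustration, not Redspin's tooling)."""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumed values for the illustration (hypothetical): a per-engagement secret
# and the landing host that the test emails point at.
CAMPAIGN_SECRET = b"rotate-me-per-engagement"
BASE_URL = "https://training.example.net/t/"

# Constructed recipient list (hypothetical addresses and departments).
RECIPIENTS = [
    ("alice@example.com", "Finance"),
    ("bob@example.com", "Finance"),
    ("carol@example.com", "HR"),
    ("dave@example.com", "Engineering"),
]


def make_token(secret: bytes, email: str) -> str:
    """Unguessable per-recipient token. An HMAC over the address means a user
    who reads their own link cannot derive a colleague's or enumerate the
    campaign; the address itself never appears in the URL."""
    mac = hmac.new(secret, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def build_campaign(secret: bytes, base_url: str, recipients):
    """Map token -> recipient record (email, department, link to send)."""
    campaign = {}
    for email, dept in recipients:
        tok = make_token(secret, email)
        campaign[tok] = {"email": email, "department": dept, "url": base_url + tok}
    return campaign


# Log line shape assumed for the example: "<timestamp> GET /t/<token>[?qs] <client ip>"
LOG_LINE = re.compile(r"^(\S+) GET /t/([0-9a-f]{16})(?:\?\S*)? (\S+)$")


def parse_clicks(log_text: str):
    """Return (timestamp, token, client_ip) for every tracking hit in the log."""
    clicks = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            clicks.append((m.group(1), m.group(2), m.group(3)))
    return clicks


def summarize(campaign, clicks):
    """Per-department recipients, distinct clickers and click rate.
    Repeat clicks by one recipient count once; tokens the campaign never
    issued (guessed, scanner-generated, forged) are dropped and tallied."""
    clicked, unknown = set(), 0
    for _ts, tok, _ip in clicks:
        if tok in campaign:
            clicked.add(tok)
        else:
            unknown += 1
    per_dept = defaultdict(lambda: {"recipients": 0, "clicked": 0})
    for tok, rec in campaign.items():
        d = per_dept[rec["department"]]
        d["recipients"] += 1
        if tok in clicked:
            d["clicked"] += 1
    for d in per_dept.values():
        d["rate"] = round(d["clicked"] / d["recipients"], 2)
    return {"departments": dict(per_dept), "unknown_tokens": unknown}


CAMPAIGN = build_campaign(CAMPAIGN_SECRET, BASE_URL, RECIPIENTS)
_tok = {rec["email"].split("@")[0]: tok for tok, rec in CAMPAIGN.items()}

# Constructed access log from the landing host: alice clicks twice, bob once,
# carol never, dave once, plus one hit with a token that was never issued.
ACCESS_LOG = "\n".join([
    f"2024-03-04T10:01:22Z GET /t/{_tok['alice']} 203.0.113.5",
    f"2024-03-04T10:02:07Z GET /t/{_tok['bob']}?src=mail 203.0.113.6",
    f"2024-03-04T10:02:40Z GET /t/{_tok['alice']} 203.0.113.5",
    "2024-03-04T10:05:13Z GET /t/deadbeefdeadbeef 198.51.100.9",
    f"2024-03-04T10:09:51Z GET /t/{_tok['dave']} 203.0.113.7",
])

if __name__ == "__main__":
    report = summarize(CAMPAIGN, parse_clicks(ACCESS_LOG))
    for dept, d in sorted(report["departments"].items()):
        print(f"{dept:12} {d['clicked']}/{d['recipients']} clicked ({d['rate']:.0%})")
    print("hits with unissued tokens:", report["unknown_tokens"])
```

The secret should be generated fresh per engagement and discarded afterwards, so that tokens from one campaign cannot be replayed against the next; the report only ever needs the token-to-recipient map, not the secret.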
For Telephone-based Social Engineering, Redspin requests that the client provide names and telephone numbers for enough employees that a sample of them can be contacted and persuaded to disclose their password. We have found that a limited number of contacts is usually enough to gauge the effectiveness of training throughout the organization.