Penetration Testing: Social Engineering
Social Engineering is a sub-class of penetration testing that focuses on identifying and validating vulnerabilities associated with your employees' ability to follow documented policies and procedures and security best practices.
Real-World Social Engineering Stories
- A Redspin engineer was on the phone with "Jane," pretending to be "Joe, the IT guy" and asking her to change her password to one that he chose. Then customer-friendly Jane offered, "As long as I'm here, would you like me to change the password on all the other workstations?" How could we refuse?
- As soon as our engineer started in on his social engineering script — "Hi, I'm working with Jack over in IT, and..." — the person on the other end of the line said, "Is this a social engineering call?" and hung up on us. This is exactly what we hope to see!
- While doing an email social engineering test, we sent a link to a new web-based email system supposedly set up by IT. It was really just a malicious page that was designed to steal user credentials. We felt bad when we got the following response from an employee:
Remote Social Engineering Testing
Onsite Social Engineering Testing
"Cybersecurity experts say a would-be thief is just as likely to gain access to company data by persuading an employee to hold open a locked office door."
- The Wall Street Journal