Obtain an accurate understanding of your security and risk posture, while ensuring compliance with industry regulators and information security best practices.
One of the most common forms of social engineering is through the use of email phishing attacks; however, telephone and physical campaigns are also other effective mediums used to influence human reaction. This tactic does not necessarily require technical endeavors. Social engineering attacks single out human nature and emotion, so it is difficult to give this methodology a detailed description. Therefore, Praetorian's guidelines to social engineering are based on broad concepts and principles.
For many organizations, the human element is often the most overlooked attack vector. Ironically, people are typically one of the easiest vulnerabilities to exploit and an attacker needs little more than a smile or email to completely compromise a company. With targeted attacks on the rise, organizations must understand the risk of social engineering based attacks. The purpose of this presentation is to examine common physical, phone, and Internet based attacks. Real world case studies are included and recommendations are provided that will help mitigate this growing threat.
Similar to our security assessments, this methodology begins with target identification and discovery, followed with the actual exploitation. Our principles are applied in a customized approach and tailored to your specific situation. We will work closely with you to setup test scenarios which will provide insight to the effectiveness of your policies and procedures. For example, if you have an incident response procedure to report suspicious telephone calls or behavior, Praetorian will test this with obvious attempts to gain information and access without proper authorization. In addition to testing existing policies and procedures, this method is also a successful way to lay the foundation and knowledge to create an awareness program or to put new policies in place.
A social engineering assessment may include:
Because it is important to determine the level of awareness among your organization's users, Praetorian can emulate a real-world phishing campaign by creating a website similar to what an actual attacker's site would look like. This includes registering a separate domain similar to an internal company website. To give you an accurate reading of the level of security awareness, Praetorian will log the usernames of those who visited the malicious test site and entered their credentials.
For the email-based social engineering attack (phishing), Praetorian consultants would:
Upon completion of the assessment Praetorian shall provide a single electronic report deliverable. The report will provide an analysis of the current state of the assessed security controls. The analysis will identify areas that need to be resolved in order to achieve an adequate level of security. The detailed contents of the deliverable are described below.
The report deliverable will include the following high level sections in a format suitable for management:
The report deliverable will also include the following in-depth analysis and recommendations for technical staff to understand the underlying risks and recommendations:
A publicly traded company requested an evaluation of their physical security controls through social engineering as part of a larger security assessment. The goal of the test was to obtain unauthorized access to critical areas such as the network operations center and the data center. Praetorian was given no prior knowledge or access before the test began.
Praetorian began by first evaluating the strength of the company's primary access point where the receptionist desk was located by simply walking-in, taking a seat in the waiting area, and observing foot traffic. Praetorian noted HID badges were the primary method of physical authentication for employees, but given the layout of the main access point piggy backing would be too difficult.
The Praetorian consultant returned the next day wearing a blank HID badge and obtained access to the interior of the building using a side entrance. Using fire exit signs Praetorian was able to determine the layout and naming conventions of building areas in addition to being able to access all non-restricted areas by simply tailgating employees.
For the next three days Praetorian entered the building through the side entrance and exited through the main entrance. In an effort to build rapport with the receptionists he said goodbye each day and made extra time to chat with her. On the 4th day Praetorian entered through the main entrance and told the receptionist, who now recognized him, he had just started that very week and his manager had given him a temporary badge that didn't work until his new badge was ready. The consultant complained that the process was taking too long and becoming a bit of an inconvenience and asked where badges were made. The helpful receptionist provided the company name for the security desk and the area where it was located and allowed the consultant to enter without a badge. After returning from lunch, the consultant asked the receptionist for the extension of the security desk which the receptionist provided on a post-it note.
The consultant then utilized unauthenticated access to the company's online directory and mapped the extension to the full number (including area code) of the security desk. He then identified an IT manager's phone number through the sales site Jigsaw, used that number to spoof the caller ID at the security desk, and convinced the security staff they were speaking with the IT manager. As the "IT Manager", the consultant requested a badge for a new contractor with access to all IT areas including the targeted critical areas. The consultant also told the security staff that the contractor would arrive unaccompanied since the manager would be tied up in meetings. When the consultant arrived to obtain his badge he was not required to give any forms of identification and presented himself as Bruce Banner. A badge was created with escalated privileges and the consultant was able to buzz himself into the Network Operations Center and Data Center with his new badge.
The resulting report demonstrated glaring weaknesses in the company's physical security processes and provided recommendations for mitigation.