Social Engineering Information
Social Engineering is a distinct and far less technical form of penetration testing that emulates the activities of a malicious user and the variety of techniques used to gather information that aids or eases the progress of an attack.
Because Social Engineering tests are generally used to measure the effectiveness of the Security Awareness program, the tests employed are often unique to the engagement. Where possible, targeting the specific techniques that the Security Awareness program is meant to counter yields the most useful results.
- Pre-Texting
- Baiting
- Phishing
- Vishing
- Quid Pro Quo Techniques
- Cubicle Surfing
- Dumpster Diving
Social Engineering Options
Dependent upon client objectives we may employ various Social Engineering techniques aligned with said objectives, for example:
Pre-Texting
- Calling a client employee while posing as a client administrator, alleging inappropriate access to a business-critical system, with the goal of obtaining the employee's password under the pretext that it is needed to clear their name.
- Calling the client helpdesk while posing as a rushed, high-ranking client employee and requesting a password reset.
- Impersonating a service technician from the printer servicing vendor to gain unauthorized physical access and hide a wireless hub and access point behind a printer, allowing wireless access from outside the facility.
- Impersonating a fire inspector (or exterminator) to gain access to wiring closets or data centers.
Baiting
- Making the receipt of a “Girls Gone Wild” DVD via UPS look like a mistaken delivery, with the DVD loaded with a backdoor that executes when the disc is loaded.
- Leaving a CD labeled “Q2 Payroll Calculations.xls” in a conference room, loaded with a backdoor that executes when the disc is loaded.
- Sending a “sweepstakes email” that requires a valid address and a password to validate the recipient's identity should a prize claim be necessary (many people reuse the same passwords across systems).
Phishing
- Spoofing an email (or IM) from the Domain Administrator stating that an emergency password change is required and including a link to a malicious, client-branded website on which the user performs the change.
Vishing
- Voice over IP (VoIP) telephony opens doors to malicious attackers. Vishing is expected to have a much higher success rate than other phishing vectors because telephone systems have a much longer record of trust than Internet-based messaging.
Quid Pro Quo Techniques
Cubicle Surfing
- Posing as a member of the janitorial crew, or as a job applicant looking for the bathroom, and rifling through cubicles and offices to gather information that provides knowledge and leverage for escalating social engineering scenarios.
Dumpster Diving
- Information Diving, which is the process of obtaining potentially sensitive and useful information (e.g., credit card numbers, employee HR data, intellectual property, network diagrams). This data can be gathered either from ‘traditional’ business communication vehicles (e.g., letters, memos, faxes) or from discarded technology (e.g., computers, hard drives, smart phones).