Social Engineering

As our society becomes more dependent on information, the value of that information increases, not only to the businesses that own it but to the criminals who wish to profit from stealing it. Many security experts believe that social engineering will remain the greatest threat to any security system.

Social engineering describes a non-technical intrusion into your business environment that relies on human interaction, often by tricking people into breaking normal security policies. Much like traditional "con games," in which a person is duped because they are naturally trusting, social engineers will use any technique available to obtain unauthorized information. Social engineering techniques range from phone calls that make urgent requests of people with administrative privileges to viruses hidden behind email messages that attempt to lure the user into opening an attachment.

The results of a recent SearchSecurity.com news poll indicate that:

  • 34% of the respondents fear manipulative email attachments;
  • 33% worry about weak passwords;
  • 23% dread phone scams;
  • 10% are concerned about dumpster diving.

Rapid7 offers security consulting to help your organization identify social engineering weaknesses and then train your employees to become more conscious of network security. The following are the types of social engineering testing we can provide:

External Social Engineering

  • Passive Internet Reconnaissance - Using publicly available sources, such as Web sites, search engines, and DNS records, Rapid7 will gather all relevant information about the company and its employees that is available on the Internet, such as employee names, titles, phone numbers, and email addresses. This information will be useful when conducting more active social engineering testing.
  • External Social Engineering - Rapid7 will place social engineering phone calls to individuals within the organization. Targets will include individuals from the help desk, IT department, human resources, finance, and other departments within the organization. The objective of these calls will be to induce the users to divulge sensitive information over the phone in violation of company policy.
  • Targeted Email "Phishing" Attacks - Emails will be sent to individuals and groups within the organization in an attempt to entice the user to click on an external link. That link will either attempt to gather sensitive information or deliver a malicious payload onto their desktop system, which could include browser and operating system buffer overflows, trojan horses, and keystroke loggers.

Internal Social Engineering and Physical Security Assessment

  • Malicious Portable Media - USB flash drives and CD-ROMs with enticing labels such as "Payroll" will be left in public areas such as hallways, restrooms, and break rooms. The media will contain simulated malicious code that will attempt to grab sensitive host information such as the network configuration, the list of running processes, and a password hash dump. This information will be posted back via HTTPS to a Rapid7-controlled server.
  • Sensitive Document Disposal Audit ("Dumpster Diving") - Rapid7 will search internal trash receptacles and external dumpsters and disposal areas for sensitive documents and for flash, magnetic, or optical media that have been disposed of in violation of company policy.
  • Physical Security Assessment - High level assessment of physical security controls including:
    • Building Access Control
    • Access Controls Around IT Assets
    • LAN Jack Access Controls

Contact us to find out how Rapid7 can help you develop security best practices for your enterprise network.