Social Engineering
People are... Attracted to bright and shiny things. If it flashes, we like to look at it. If it says "[%] of others have clicked here" we want to figure out what they may have been interested in and long to know what they now know.
People are... Human. They make mistakes. We all do. The goal is to make as few mistakes as possible, and do everything we can to avoid making news-making and costly mistakes.
People are... Social. We desire connecting with other people. We want to help others. We want to obtain praise for doing well for our company as well as for ourselves as individuals.
People are... Easily fooled. Even the most ridiculous ploys can convince kind-hearted, well-intending people to do things that security professionals would frown upon.
These four factors make humans the ideal target for persistent, motivated, and well-funded attackers who will do whatever it takes to gain access to the data & information they are after. This breed of attacker may take months or even years to break in, yet when they do, they will likely go undetected by traditional IT security systems and controls due to the inability of standard controls to detect human error.
In the last year, threat vectors, and their success, have changed. The term "Advanced Persistent Threat" (APT) has been utilized to describe a persistent, dedicated attack utilizing whatever means necessary to get in. And these attacks succeed. These attacks make news. And, most importantly, attackers are able to make these attacks profitable. The most successful attacks come by interacting with people and convincing them to take an action that allows the attacker to gain access to legitimate user credentials from which additional reconnaissance and privilege escalation attacks can take place from within.
Ask yourself the following:
- How well have we trained our people? What success rate would an attacker have if they targeted our users with technologically assisted attacks?
- Would our employees think twice about evaluating a job posting link sent to them through LinkedIn?
- Would our employees forward the aforementioned link around internally to help someone find a job?
- How do we monitor and detect when legitimate user accounts exhibit anomalous activity?
Offering:
Rook social engineering testing evaluates the weakest link in an organization's system of controls - the people, and the ease with which it is possible to convince them to actively or passively divulge information, break policy, or give away legitimate user credentials to an attacker. The social engineering assessment evaluates:
- Individual contributors' resolve in adhering to policy
- Effectiveness of the current training & awareness program
Through the following categories of testing:
- H2H (Human 2 Human) attack vectors
- T2H (Technology 2 Human) attack vectors
- HT2H (Technology Assisted Human 2 Human) attack vectors
Detailed information on the three variants listed above is not posted here due to the unique approach and proprietary methodology used to evaluate the results and suggest improvements that go beyond traditional social engineering testing.
On-site and remote testing options are available. Call 888.712.9531 to discuss the right-sized option for your organization.