Social engineering

Our experts have extensive experience in verifying and evaluating employees' information security awareness: by means of email campaigns carrying a harmless test code, distribution of media (USB, CD/DVD, etc.) containing this code, or manipulative phone calls to approved respondents.
Our story
Better to experience once than be trained ten times.

A company from the field of financial consulting needed to test whether its employees could handle cyber attacks. These employees had already completed several security trainings, and the test was intended to find out whether those trainings had been effective.

At AEC we prepared a three-step test using social engineering methods. It included sending simulated malware by e-mail, attempts to elicit sensitive information by phone and email, and physical penetration of selected sites combined with planting simulated malicious code on data storage devices. The entire test took approximately two months.

We managed to get the prepared malware onto the computers of 28% of the tested employees. Three out of four users gave us their login details over the phone during the first phase. The IT department, which did not know about the testing, reacted by warning the others and blocking the line from which the attacker was calling, so the phone phase could not be continued successfully. Regardless, several internal documents were obtained by email from other users. It was not for nothing… as it is said, “better to experience once than be trained ten times”.

Tests by social engineering methods

The goal is to get the tested person to reveal certain information (typically a login and password) or to carry out a certain action (typically launching the test virus).

Testing methods:

  • By email – the tested persons are sent an email, for example one containing jokes, with an infected file carrying the test code attached.
  • By phone – the tested persons are called under various pretexts, e.g. that their PC is spreading a virus.
  • Physical – attempts to penetrate the company's protected area beyond the reception desk, a door with a card reader, etc., and spreading infected data media around the workplace.

Our services’ benefits

Through tests using social engineering methods and research of social networks, the client gains a realistic picture of what its employees are capable of and what risk they represent. The client obtains a rationale for setting up security rules, e.g. for trainings. Carrying out the tests by itself generally raises the security awareness of the company's employees (the tests become a subject of discussion, etc.).

Promotion of security, information security workshops, and incorporation into the security documentation establish the duties and responsibilities of the company's IS users. All employees will know their actual responsibilities and duties when working with the IS. The users' information security awareness will increase. The risk of data leaks, e.g. through email communication, will decrease. The absolute power of administrators and trustees will be limited. The importance of the security manager's role will rise.

References

We have extensive experience implementing projects for leading companies in their sectors, e.g.:
  • ING Management Services, s.r.o
  • Komerční pojišťovna, a.s.
  • ČEZ ENERGOSERVIS, spol. s r.o.
  • Ministerstvo práce a sociálních věcí ČR
  • Městský úřad Tábor