Pratum Blog

Social engineering and penetration testing

Hackers may be getting more credit for their technical prowess than deserved. For many hackers the true talent can be found in their ability to deceive humans. This isn’t a commendable trait, but it is an effective means of obtaining valuable information.

Some of the most successful hackers are simply in tune with the psychological effect their persuasion has on human beings. Social engineering is the process of utilizing human interaction to obtain critical and sensitive information. An understanding of social and psychological behavior can be used to manipulate people into performing actions or providing information they normally would not.

Occasionally, the success of a social engineering attack makes a technical attack unnecessary. Most often though, hackers use social engineering to enhance their attacks and increase the probability of a successful technical attack.

Social engineering is often used to complement penetration testing.

Successful social engineering methods

There are several methods for coercing people into doing what you want, but the following methods have proven most successful for hackers.

Pretexting

Generally, a series of phone calls will be conducted to solicit sensitive information from seemingly helpful employees. Types of information may include the following:

  • Names of clients, along with personal information such as account numbers, medical diagnoses, etc.
  • Login credentials for clients or internal staff
  • Other sensitive information such as vacation schedules, email addresses, internal procedures, etc.

This information is then utilized to carry out additional social engineering attacks and increase the likelihood of their success.

Email Phishing

Phishing is the process of crafting emails that appear to be from a trusted source and invite the recipient to either supply confidential information or click on a malicious link.

These attacks can either target the masses, hoping to entice a small percentage of a large population, or can be targeted to a few individuals in a single organization. These targeted attacks are called Spear Phishing.

Dumpster Diving

Even though most organizations have paper disposal policies and provide shred bins for the destruction of sensitive information, much of the sensitive information in paper form still finds its way into the trash.

If documents are not properly discarded, hackers can discover sensitive information in waste receptacles and dumpsters. Typical information that is searched for includes:

  • Printed emails, expense reports, credit card receipts, etc.
  • Network or application diagrams, device inventory with IP addressing, etc.
  • Calendar entries, day planners and conference room schedules
  • Notebooks, binders or other work papers containing sensitive information
  • Handwritten notes, sticky notes, etc.

Facility Access

Physical security is the crux of many information security programs. Many organizations rely on a hard exterior “wall” that protects the internal workings of their business. However, many physical and logical controls are weakened or completely ignored in an attempt to foster an efficient work environment. As technical attacks are becoming less successful, hackers are turning to physical attacks. It is important to understand the risks of unauthorized individuals gaining access to physical workplaces.

Methods used during facility access:

  • Piggybacking: A hacker’s method of entering a facility with a group of employees or maintenance workers.
  • Identifying unsecure areas: Hackers search for loading docks, maintenance entrances, designated smoking areas or other locations that may not be well secured.

What should we do about it?

Social engineering attacks are on the rise. Employees are faced with attacks on a daily basis. By understanding how employees respond to these attacks, organizations are able to develop additional training programs and controls to deal with this ever-changing threat.

Awareness and training are key in developing a security culture within an organization. Once training has been performed, social engineering testing may commence. Only then will organizations recognize their employees’ understanding of social engineering threats. Once threats are understood, organizations can begin to improve training programs.
