I am often asked about social engineering during penetration tests. Social engineering is an attack method in which people are, without realizing it, enticed to disclose information or to support the attacker's plan. In the preparation phase, the company's website and any existing profiles on social platforms (e.g. XING, LinkedIn or Facebook) are searched to select suitable target persons and to gather as much information as possible about them (e.g. function, responsibilities, hobbies). Subsequently, attempts are made to elicit information from these persons or to induce them to perform actions, with the aim of gaining unauthorized access to data or IT applications. It is also important to mention that such tests must be agreed upon with the works council.
How does a social engineering attack work?
This can be achieved by sending emails that direct the recipient to fake websites, or by direct personal contact. My team also likes to use USB sticks, which are sent by post to the target persons. Of course, these are not ordinary USB sticks, but special IT equipment designed for such tests. If a target person merely plugs in this stick, the attacker gains full control over the computer.
Useful or not?
I am of the opinion that such tests should only be carried out if the company has clear rules of conduct for defending against social engineering and the employees are sensitized, trained and regularly coached accordingly. Without training, the selected target persons have hardly any chance of recognizing and defending against these attacks, and they walk blindly into the trap.
In practice, it has been shown that if tests are nevertheless carried out without this preparation, the climate between those responsible for information security and the employees deteriorates significantly. The latter usually feel "tricked" and react accordingly.
Companies are therefore well advised to check whether the above conditions are met before carrying out social engineering tests. If in doubt, guidelines and security awareness campaigns based on them should be implemented first.
Further information on social engineering: Manfred Scholz, manfred.scholz@sec4you.com