© 2018 RSM US LLP. All rights reserved.
Social Engineering Testing
One of the most common attack strategies, social engineering exploits weaknesses in human nature, rather than hardware, software or network vulnerabilities.
Social engineering attacks continue to be one of the most common and successful attack strategies for criminals seeking to attack an organization. These attackers manipulate employees to reveal passwords or download malware-infected files that result in stolen credentials networks, data breaches and fraudulent wire transfers.
The best way to determine your organization’s susceptibility to social engineering is to test employees in a way that imitates real attacks without inﬂicting real damage. Social engineering testing gives you an idea of how malicious actors may target personnel in a real-life attack. Attackers often count on a lack of security awareness to grant them a foothold into an environment—a simulated attack can reveal the current state of employees’ awareness and response to social engineering.
The goal of this type of testing is to determine the following: If your employees receive suspicious emails, how would they respond? Would they report it to the security team? Would they click on links from unknown users? Are they aware of phishing response procedures? Would they submit credentials to someone over the phone or to an unknown website? Would they allow strangers into sensitive areas of the facility?
RSM initiates any of these scenarios to test how your organization responds. These scenarios can include:
- Targeted spear phishing attacks
- Phone-based social engineering
- USB drops
The pretexts for scenarios are crafted based on extensive research of open source intelligence—information that any external malicious actor could obtain. In this way, it closely mirrors the way an attacker would target your environment. This allows you to track user responses, and then adapt security awareness training and security procedures to coincide with current attack strategies.