Social Engineering


The term "social engineering" has been used for years by hackers to describe the technique of using persuasion and/or deception to gain access to information systems. Such persuasion and deception are typically carried out through human conversation or other interaction. The medium of choice is usually the telephone, but the approach can also be delivered via an email message, a television commercial, or countless other media for provoking human reaction. (Consider a floppy disk or CD labeled “Payroll” and left in a hallway or restroom within an organization. On the media is malicious code. Would anyone in the organization insert this media into their computer and access the contents?) Foundstone will perform the type of social engineering most appropriate for your organization.

Our methodology mirrors our approach to security assessments. We begin with target identification and information gathering, followed by exploitation attempts. We apply these principles systematically in a customized approach that depends on the objectives of the particular situation. We work closely with our client to define the test scenarios, which are tailored to test specific policies and processes within the client's organization. Some organizations may have incident response procedures in place to report suspicious phone calls. Foundstone can test these procedures by making obvious attempts at gaining confidential information without proper authorization. This is an excellent way to test the effectiveness of a security awareness training program, or to lay the foundation for creating an awareness program.

Three common attack vectors we have identified include:

Regardless of which type of social engineering testing is finally agreed upon, when we complete the testing we will provide a detailed report on the policies that were tested and the results of each attempt.

Contact us to learn how our security services can help you protect your most important assets today.

RFP Template

Foundstone has developed this Request for Proposal ("RFP") template to help organizations identify and select a quality security vendor to perform professional services work.
