Social Engineering

The human element is usually the weakest link in any security system. Even the tightest security systems can be defeated by a single person acting in an unauthorized manner. An attacker will frequently take advantage of an end user’s lack of knowledge (security awareness) of proper security procedures — along with the innate desire of most people to be helpful — in order to gain illicit access to protected resources. This type of manipulation is referred to as a “social engineering” attack.

The purpose of this phase of a security risk assessment is to determine how successful a social engineering attack would be, and the level of risk incurred by a social engineering attack.

Based on information gathered during other phases of the assessment and discussions with your firm, Foresite will craft and attempt one of the following social engineering attacks, customized to fit your company and the environment:

• Impersonation Attack. The zero-knowledge attacker may use publicly available information to impersonate a trusted individual such as a new hire, repairman, vendor, IT support, manager, trusted third party, or fellow employee to obtain physical access to a designated facility.

• Spear Phishing. The attacker will craft an email designed to entice unsuspecting personnel to perform an action, usually clicking a website link or opening an attachment, that will cause a loss of some kind (usually credential exposure or remote control of the user’s system).

• Media Drop. The attacker will prepare and distribute some type of disposable media (usually USB flash drive or CD) in calculated locations and in a strategic manner to entice personnel to view the contents of the media, triggering a notification or compromise of some kind.

Multiple techniques may be used in the execution of any of these attacks, including, but not limited to, dumpster diving, physical and/or electronic eavesdropping, and physical and technical reconnaissance.

Because this activity is illegal without the explicit permission of our customers, a corporate IT contact will be made aware of the approximate schedule of the attack(s), and the attacker will carry on his/her person a signed copy of sections 6 and 7 of the Terms and Conditions and Authorization agreement, acknowledging the legitimacy of his/her actions.