Social engineering is the practice of obtaining confidential information by manipulating legitimate users. Since users are typically the weakest link in security, a social engineer attempts to trick a legitimate user into divulging secrets that are then used to compromise an organization's assets. Use of the internet, the phone and physical contact are some of the means a social engineer employs. Common techniques range from benign-looking emails with malicious payloads and impersonation of key company personnel by phone to more sophisticated attacks such as phishing, in which users are directed to dummy web sites and their confidential information is extracted.
M3 Security's social engineering assessment service reviews the security awareness of an organization's employees and tests their susceptibility to traditional social engineering attacks.
M3 Security's Social Engineering assessment typically includes the following tasks:
Review of existing security awareness and training programs
Review of existing security policies and procedures: Issues such as the username/password release policy, procedures for identifying a person requesting sensitive information, information classification procedures, etc. are reviewed
Social Engineering testing: Setting up typical social engineering attacks such as phishing, email malware exploits, etc. and launching them against a pre-approved list of employees to test security awareness
Recommendations: Enhancements to existing training and employee security awareness programs, modifications to authentication mechanisms, and use of newer and more sophisticated anti-social-engineering measures are listed