Social Engineering (Cyber & Physical)
A social engineering test is designed to emulate the mission of a malicious user by identifying areas of weakness in your organization’s security controls and employee security awareness. Social engineering attacks target the unaware human element within your organization. In other words, instead of hacking into your hardware, software, or network, a malicious hacker targets the vulnerabilities of human nature. Social engineering attacks are frequently successful because employee actions are not encrypted or coded. And unfortunately, untrained employees are likely to make decisions that could expose secure business information.
Benefits of a Social Engineering Test
A social engineering test can be used as a one-time method of assessing the effectiveness of a security awareness campaign, or to support new and current training programs. Using the latest intelligence on social engineering techniques, a social engineering test can evaluate employees against general phishing and “spear-phishing” attacks that are intended to exploit trust and lack of security awareness.
A social engineering test can help you (1) identify specific vulnerabilities related to employee security awareness, (2) establish or refine organizational cybersecurity standards, and (3) build a basis for a cybersecurity awareness training program.
The MainNerve Social Engineering Process
- Overt and covert observation of operations at various locations and times
- Inspection of physical security measures
- Threat replications to test existing security protocols and to determine whether the current level of security is capable of repelling threats
- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, network management, and facilities management
- A visual walkthrough of the facilities with administrative and facilities personnel to assess physical security
- External and insider threats
Customer-Provided List (Gray Hat): The customer provides a list of its employees' email addresses to be included in the social engineering test. This is the simpler and quicker method, as no research is required to build the list.
Manual Research (Black Hat): The customer does not provide a list of employees to MainNerve, but relies on MainNerve to gather a list of employees through manual research. Research includes employing tools and techniques for harvesting names and email addresses from open source directories, social media sites, and customer web sites.
At MainNerve, the Reporting/Delivery phase of our Social Engineering process is one we are incredibly proud of. We strive to effectively communicate the value of our service and findings, and to provide you with the information you need to fix any identified vulnerabilities. A Social Engineering Final Report with MainNerve includes:
- Primary Findings
- Defines the scope of the engagement
- Threat Assessment Results
- External and Internal
- Mitigation recommendations
- Summary of vulnerabilities and hazards
- Crosswalk to Security
- Corrective actions taken