Threat actors use social engineering tactics to manipulate, persuade, or coax employees into parting with sensitive corporate information. An IBM study indicated that 95% of all breaches could be attributed to the gullibility of humans. To put things into perspective, the Verizon 2018 Data Breach Investigations Report claimed social engineering was the second most common attack vector in data breaches.
How can organizations protect their employees and data from social engineering tactics employed by hackers? Social engineering penetration testing is one way for businesses to detect and prevent the threats that exploit humans.
What Are Social Engineering Attacks?
Social engineering is a cyberattack in which the attacker takes advantage of an employee's trust to gain access to a company's data or systems. This type of attack relies more on deception rather than technological prowess to get what they want.
Social engineering attacks rely on psychological tricks to persuade individuals to break the organization's security protocols on purpose or by accident. A successful social engineering tactic would see employees parting with details like names, job titles, and even login credentials.
The hacker's approach varies depending on the target. Some establish contact with the target and cultivate them over time to gain their trust. Others use phones, emails, websites, and other communication platforms to trick people. After gaining confidence, cybercriminals persuade, coax, or even threaten employees to part with sensitive information.
Techniques for social engineering penetration testing
Testers may use the following four social engineering tactics to test an organization's security preparedness:
In pretexting, the hacker creates a bogus situation, persuading the intended target to part with critical information. This strategy involves contacting the target and posing as someone (preferably in the top echelon) in need of help. Hackers establish connections via mail, emails, phone calls, or face-to-face interactions.
This strategy can work well in penetration testing if non-technical users who can provide important information are targeted. It's best to start with small requests and drop the names of genuine people in the organization. Most phishing scams are the offshoot of pretexting.
In phishing, an email is sent to a user to persuade them to take a specific action. In a phishing email, the recipient is persuaded to click a link, which takes them to a malicious website or installs malware as part of a larger penetration testing project.
Successful phishing attacks are characterized by personalization. The more an email gets personalized – for example, if it comes from a trusted (or perceived-to-be-trusted) source – the higher the chance of success. Further, the content of the email must be actionable. It must persuade the reader to act in a manner that goes against the established principles of work at the organization.
Physical tactics/ media dropping
This method involves dropping physical devices at key points where the chances of their being picked up and plugged into the system are high. For instance, drop a USB device at the entrance of the building or on a worker's desk. Ideally, the employee should not handle the device and alert the IT department. If the employee plugs the device into the system, the file inside will launch a client-side attack (simulated, of course).
Tailgating involves entering the physical facility fraudulently. This test demonstrates the pen tester's ability to circumvent physical security.
During penetration tests, testers will attempt to obtain valuable data quickly or install devices as soon as possible to demonstrate their success. The pen tester may photograph documents left on printers or workstations to gain Wi-Fi or 3G network access to the environment later.
Organizations should consider regularly scheduled penetration tests to detect and mitigate risks. While social engineering attacks are difficult to prevent, awareness among employees can go a long way in mitigating the risk.
Packetlabs' industry-leading penetration tests can help gauge your organization's security preparedness. Our experts offer actionable advisories that protect your company's assets. Contact the Packetlabs team today for a free, no-obligation quote.