It’s unsettling to think that your entire network could be compromised if one of your employees unknowingly clicks the wrong link or lets the wrong person through your door. Our Social Engineering Vulnerability Assessments are designed to lower this risk by identifying weaknesses that could allow attackers to target unsuspecting or uninformed employees. We conduct these tests using the tactics of social engineering, such as deception, manipulation, and intimidation, to see whether we can get the people in your organization to accidentally compromise your information.
Through the Assessment, we will:
We perform our Social Engineering Assessments through face-to-face, voice, email, and web communication. Prior to testing, we may do a footprint analysis to see what kind of company-specific information is publicly available. Such information can help to personalize the Assessment. Sage offers several different types of Social Engineering Vulnerability Assessments, including:
With phone pretexting, a Sage Social Engineer, using a variety of false identities, will phone employees to try to gain information and/or have them execute operating system commands. This Assessment tests identification procedures and confidentiality awareness in your organization.
If trying to gain Customer Information, the Sage Social Engineer will attempt to do one or more of the following:
The Sage Social Engineer will use account information provided by the client to verify whether identification procedures are being followed correctly. Caller ID will be modified to spoof the caller’s identity, and all calls will be recorded for reporting purposes.
If attempting to gain Network Information, the Sage Social Engineer will request an employee’s help in troubleshooting a fictitious IT problem. If the Social Engineer is able to enlist the employee’s help, the employee may be asked to execute operating system commands that provide network and infrastructure information, visit a website, or open an email with an attachment. Caller ID will be modified to spoof the caller’s identity and all calls will be recorded for reporting purposes.
This Social Engineering Assessment will test employees’ knowledge of anti-phishing best practices. We will stage an email phishing attack using up to three themes that imitate the styles of common real-world phishing emails. We will send an email to targeted employees attempting to entice them into browsing to an unknown website and/or opening an attachment. The emails, written in HTML, will be designed to identify both user and technical configuration vulnerabilities. We will track any and all user activity back to the specific email address that received the phishing email.
This onsite Social Engineering Assessment tests your organization’s visitor identification and access policy. A Sage Social Engineer, posing as a trusted third party, will go onsite and try to gain access to restricted areas, such as the data center, teller line, wiring closet, records retention area, or offices.
Our USB Drive Baiting Assessment will test whether employees will plug an unknown USB drive into their workstations and open files stored on the device. For this Assessment, Sage will use up to 20 read-only USB drives loaded with generic files that create log entries on a remote Sage server when opened. Sage remotely tracks how many files are opened in order to provide quantifiable metrics that underscore the potential risk exposure involved.
The USBs can be distributed through any of the following means:
The files contained on the USB drive can be customized to contain a message that provides immediate training to employees, alerting them to the potential security issues associated with unknown USB devices.
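The phishing and USB baiting assessments above both rest on the same measurement idea: every email carries a token unique to its recipient, every baited drive has its own id, and a remote server logs the resulting activity so that clicks and file opens can be turned into the quantifiable metrics the report needs. The following is an added example of that reporting step, not Sage’s own code or log format; the pipe-delimited log layout, the event names, and the sample log lines are all constructed for illustration. It shows two details that a naive count gets wrong: click rate is computed over unique recipients (one employee clicking twice is still one employee), and events carrying a token that was never issued (a scanner, a forwarded link, a mangled URL) are reported separately rather than credited to anyone.

```python
"""Aggregate social-engineering assessment telemetry into report metrics.

Added example. The log format below is an assumption, not a real product's:
    ISO-8601 timestamp | event kind | token or drive id | theme or drop location | detail
For email_sent events the detail field is the recipient address; later click or
open events carry only the per-recipient token, which is resolved back to the
address that received the email.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (not real assessment data).
SAMPLE_LOG = """\
2024-03-04T09:00:00Z|email_sent|tok-a1|invoice|alice@example.test
2024-03-04T09:00:00Z|email_sent|tok-b2|invoice|bob@example.test
2024-03-04T09:00:00Z|email_sent|tok-c3|delivery|carol@example.test
2024-03-04T09:00:00Z|email_sent|tok-d4|delivery|dave@example.test
2024-03-04T09:14:37Z|link_click|tok-a1|invoice|Mozilla/5.0
2024-03-04T09:14:40Z|link_click|tok-a1|invoice|Mozilla/5.0
2024-03-04T09:21:05Z|attachment_open|tok-c3|delivery|report.pdf
2024-03-04T10:02:19Z|link_click|tok-zz|invoice|curl/8.0
2024-03-05T08:45:00Z|usb_file_open|usb-07|lobby|Q1_bonus_plan.docx
2024-03-05T08:46:12Z|usb_file_open|usb-07|lobby|payroll.xlsx
2024-03-05T11:30:00Z|usb_file_open|usb-12|parking_lot|Q1_bonus_plan.docx
"""

PHISH_EVENTS = ("link_click", "attachment_open")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # email_sent, link_click, attachment_open, usb_file_open
    ident: str   # per-recipient token, or USB drive id
    group: str   # phishing theme, or USB drop location
    detail: str  # recipient address, user agent, or file name


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|", 4)
        if len(fields) != 5:
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, fields[1], fields[2], fields[3], fields[4]))
    return events


def _token_map(events: list[Event]) -> dict[str, str]:
    """Map each issued token back to the address the email was sent to."""
    return {e.ident: e.detail for e in events if e.kind == "email_sent"}


def phishing_metrics(events: list[Event]) -> dict:
    """Per-theme rates over unique recipients, plus a count of unattributed events."""
    tokens = _token_map(events)
    sent, clicked, opened = defaultdict(set), defaultdict(set), defaultdict(set)
    unattributed = 0
    for e in events:
        if e.kind == "email_sent":
            sent[e.group].add(e.detail)
        elif e.kind in PHISH_EVENTS:
            who = tokens.get(e.ident)
            if who is None:          # token never issued: do not credit anyone
                unattributed += 1
                continue
            (clicked if e.kind == "link_click" else opened)[e.group].add(who)
    themes = {}
    for theme, recipients in sent.items():
        n = len(recipients)
        themes[theme] = {
            "sent": n,
            "clicked": len(clicked[theme]),
            "opened_attachment": len(opened[theme]),
            "click_rate": round(len(clicked[theme]) / n, 3) if n else 0.0,
            "attachment_rate": round(len(opened[theme]) / n, 3) if n else 0.0,
        }
    return {"themes": themes, "unattributed_events": unattributed}


def usb_metrics(events: list[Event], drives_distributed: int = 20) -> dict:
    """How many of the distributed drives had at least one file opened."""
    opens = defaultdict(set)  # drive id -> distinct files opened from it
    for e in events:
        if e.kind == "usb_file_open":
            opens[e.ident].add(e.detail)
    return {
        "drives_distributed": drives_distributed,
        "drives_opened": len(opens),
        "drive_open_rate": round(len(opens) / drives_distributed, 3),
        "files_per_drive": {d: len(f) for d, f in sorted(opens.items())},
    }


def recipients_for_training(events: list[Event]) -> list[str]:
    """Addresses that clicked or opened, resolved through issued tokens only."""
    tokens = _token_map(events)
    return sorted({tokens[e.ident] for e in events
                   if e.kind in PHISH_EVENTS and e.ident in tokens})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(phishing_metrics(evs))
    print(usb_metrics(evs))
    print(recipients_for_training(evs))
```

The `drives_distributed` default of 20 mirrors the drive count quoted above; the attachment and click figures are kept separate per theme because the two lures test different behaviours and the report should say which one worked.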
The Social Engineering Assessment report includes:
There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”
A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that complement and reinforce one another.