Social Engineering - Employee Vulnerability Assessment

Showing We’re Only Human

It’s unsettling to think that your entire network could be compromised if one of your employees unknowingly clicks the wrong link or lets the wrong person through your door. Our Social Engineering Vulnerability Assessments are designed to lower this risk by identifying weaknesses that could allow attackers to target unsuspecting or uninformed employees. We conduct these tests using the tactics of social engineering, such as deception, manipulation, and intimidation, to see whether we can get the people in your organization to accidentally compromise your information.

Through the Assessment, we will:

  • Demonstrate how well employees are complying with organizational procedures and processes.
  • Validate your current training methodology.
  • Test incident detection, reporting, and response mechanisms at your organization.
  • Provide valuable data that can be incorporated into ongoing security awareness programs.

The Sage Methodology

We perform our Social Engineering Assessments through face-to-face, voice, email, and web communication. Prior to testing, we may do a footprint analysis to see what kind of company-specific information is publicly available. Such information can help to personalize the Assessment. Sage offers several different types of Social Engineering Vulnerability Assessments, including:

Phone Pretexting

With phone pretexting, a Sage Social Engineer, using a variety of false identities, will phone employees to try to gain information and/or persuade them to execute operating system commands. This Assessment tests identification procedures and confidentiality awareness in your organization.

If trying to gain Customer Information, the Sage Social Engineer will attempt to do one or more of the following:

  • Gain access to an account.
  • Gain information about an account, accountholder, account balance, or account activity.
  • Change the address information or email address of an account holder.

The Sage Social Engineer will use account information provided by the client to verify that identification procedures are being followed correctly. Caller ID will be modified to spoof the caller’s identity, and all calls will be recorded for reporting purposes.

If attempting to gain Network Information, the Sage Social Engineer will request an employee’s help in troubleshooting a fictitious IT problem. If the Social Engineer is able to enlist the employee’s help, the employee may be asked to execute operating system commands that reveal network and infrastructure information, visit a website, or open an email attachment. Caller ID will be modified to spoof the caller’s identity, and all calls will be recorded for reporting purposes.

Email Phishing

This Social Engineering Assessment will test employees’ knowledge of anti-phishing best practices. We will stage an email phishing attack using up to three themes that imitate the styles of common real-world phishing emails. We will send an email to targeted employees attempting to entice them into browsing to an unknown website and/or opening an attachment. The emails, written in HTML, will be designed to identify both user and technical configuration vulnerabilities. We will track any and all user activity back to the specific email address that received the phishing email.

Physical / Onsite

This onsite Social Engineering Assessment tests your organization’s visitor identification and access policy. A Sage Social Engineer, posing as a trusted third party, will go onsite and try to gain access to restricted areas, such as the data center, teller line, wiring closet, records retention area, or offices.

USB Drive Baiting

Our USB Drive Baiting Assessment will test whether employees will plug an unknown USB drive into their workstations and open files stored on the device. For this Assessment, Sage will use up to 20 read-only USB drives loaded with generic files that create log entries on a remote Sage server when opened. Sage remotely tracks how many files are opened in order to provide quantifiable metrics that underscore the potential risk exposure involved.

The USBs can be distributed through any of the following means:

  • Delivered by mail for you to leave randomly around the office;
  • Mailed directly to specific employees; or
  • Left behind in high-volume areas of the building when we do an onsite Assessment.

The files contained on the USB drive can be customized to display a message that provides immediate training to employees, alerting them to the security issues associated with unknown USB devices.

Reports and Recommendations

The Social Engineering Assessment report includes:

  • An executive report of our findings in PDF.
  • A corresponding interactive HTML report detailing each of the Assessment categories, including scenario descriptions, applicable findings, and incident detection and response metrics.
  • An action plan in Microsoft Word detailing our recommended remediation activities.
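The email phishing assessment above tracks each click back to the receiving address, and the report lists incident detection and response metrics per scenario. The following is an added example, not Sage’s tooling, of how a defender can turn such a per-recipient event log into the numbers that matter for an awareness program: unique click rate, report rate, median time-to-report, and the list of people who clicked but never reported. The log format, the theme names, and the addresses are constructed for this example; the assessment may record events differently.

```python
"""Summarize a phishing-assessment event log into awareness metrics.

Added example (not Sage's code). Assumes a constructed, whitespace-separated
log with one event per line: <ISO timestamp> <event> <recipient> <theme>,
where event is one of sent, clicked, reported.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log; not real assessment data.
SAMPLE_LOG = """\
2024-03-04T09:00:00 sent alice@example.test invoice
2024-03-04T09:00:00 sent bob@example.test invoice
2024-03-04T09:00:00 sent carol@example.test password-reset
2024-03-04T09:00:00 sent dave@example.test password-reset
2024-03-04T09:07:30 clicked bob@example.test invoice
2024-03-04T09:12:00 reported alice@example.test invoice
2024-03-04T09:20:00 clicked carol@example.test password-reset
2024-03-04T09:35:00 reported carol@example.test password-reset
2024-03-04T09:40:00 clicked bob@example.test invoice
"""


def parse_log(text):
    """Parse the log into (timestamp, event, recipient, theme) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, recipient, theme = line.split()
        events.append((datetime.fromisoformat(ts), event, recipient, theme))
    return events


def summarize(events):
    """Per-theme metrics. Clicks are counted once per recipient so a repeat
    click by the same person does not inflate the click rate."""
    buckets = defaultdict(lambda: {"sent": {}, "clicked": set(),
                                   "reported": set(), "delays": []})
    for ts, event, recipient, theme in events:
        b = buckets[theme]
        if event == "sent":
            b["sent"][recipient] = ts
        elif event == "clicked":
            b["clicked"].add(recipient)
        elif event == "reported" and recipient not in b["reported"]:
            b["reported"].add(recipient)
            sent_at = b["sent"].get(recipient)
            if sent_at is not None:
                b["delays"].append((ts - sent_at).total_seconds() / 60)
    result = {}
    for theme, b in buckets.items():
        sent = len(b["sent"])
        result[theme] = {
            "sent": sent,
            "clicked": len(b["clicked"]),
            "reported": len(b["reported"]),
            "click_rate": len(b["clicked"]) / sent if sent else 0.0,
            "report_rate": len(b["reported"]) / sent if sent else 0.0,
            "median_minutes_to_report": median(b["delays"]) if b["delays"] else None,
        }
    return result


def clicked_without_reporting(events):
    """Recipients who clicked on any theme and never reported it: the
    follow-up training list."""
    clicked, reported = set(), set()
    for _, event, recipient, _ in events:
        if event == "clicked":
            clicked.add(recipient)
        elif event == "reported":
            reported.add(recipient)
    return sorted(clicked - reported)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for theme, m in summarize(evs).items():
        print(theme, m)
    print("clicked, never reported:", clicked_without_reporting(evs))
```

Report rate and time-to-report are the metrics that test the "incident detection, reporting, and response mechanisms" goal; click rate alone says little about whether the organization would notice a real campaign.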

No one is immune to cyber-attacks