Don't click on that link.
Some organizations put an impressive amount of technical tooling toward what is fundamentally a human problem. Whether you've added outbound firewall rules to stop worms spreading through your networks or decided to filter the content employees can view from their desktops, a lot of time and money can go into the human element of security. For an organization concerned about malware, spear-phishing, and cookie theft, a social engineering campaign targeted at your employees may be the right way to learn how they're doing and to provide a teachable moment.
Not Just Amateurs
Social engineering is about more than just somebody calling up your CEO and asking for their password. In reality, many social engineering campaigns targeted at your organization will be run by well-coordinated, well-researched individuals making careful attempts at compromising employees to gain a foothold in your environment.
More Than Spam
A well-executed social engineering attack can involve convincing duplicates of professional e-mails and web sites. While many people are used to spotting spam, very few could spot a properly crafted attack aimed at them. It's easy to become confident in your spam detection skills, right up until an attacker goes above and beyond.
You're Important, Too
Thinking that only top-tier employees will be the target of spear-phishing is unfortunately a false hope. Attacks are often aimed at administrative assistants, interns, or other people who may be less tech-savvy or less protected. A single compromised account or computer can be all an attacker needs to start their work.
Bringing reality back to the threat.
Many organizations take the view that even if a social engineering attack works, there is nothing to fix because humans will always get tricked. The point of a social engineering exercise is to educate your employees about the reality of an attacker's ability to trick them and what is at stake if they do. Without a demonstration of an attacker's capabilities, many employees will play the "well, it doesn't happen to our little team" card.
It is critical to make your staff realize that everyone is a potential target for phishing or other calculated attacks against an organization's people. Whether a custodian has an e-mail account or an intern was granted temporary access behind the firewall, a social engineering target can quickly throw an otherwise sound security posture off balance. Through a responsible and careful exercise, the true dangers of social engineering can be brought to the front of everyone's mind.
Few organizations would dare stop updating their anti-virus solution or leave a firewall sitting around with default settings, but it's all too common to see employees who receive no meaningful training in human security beyond locks and cameras. Security should be a well-rounded, top-to-bottom approach that ultimately ends with the people who can either facilitate an attacker or defeat them having the awareness and knowledge to do better.
Identify the people who readily clicked on a fake e-mail from their social network or downloaded that attachment they thought was an internal memo. While they may at first be caught off guard, their ability to learn and do better in a real scenario will be enhanced.
Assumptions lead to breaches
By engaging your organization in a social engineering exercise, your staff will clearly see what percentage of dangerous content was downloaded or clicked on. Too many employees assume they won't be a target; let them know that they are.
Unexpected and common
Every company has employee turnover. Don't expect one training session every five years to be sufficient. Integrate social engineering training with your hiring cycles so that employees know early on how much focus your team places on information security.
Bring out confidence
Employees typically aren't aware of how social engineering actually works or what to watch for. By engaging your staff in a real-world scenario, many team members will be more confident in their ability to spot problems with the next e-mail or attachment.
Our approach to Social Engineering.
Through a series of exercises focused on the staff of your organization, NetWorks Group can help highlight gaps in employee training when it comes to information security. Depending on your industry, our team can create a scenario realistic to the threats your company may face. Beyond simply trying to get an employee to click a link, our team will go much further through a real-world scenario and attempt to compromise resources in your network. With evidence of the issues social engineering can lead to, employees will be far more cautious and inquisitive about the situations they find themselves in.
Metrics to Use
Depending on the size of your organization, we're capable of running percentage-based social engineering exercises. For instance, our staff will send a particular forged e-mail to 30% of your people across teams and report what proportion of employees acted in a way that could cause security issues.
A Variety of Attacks
We're ready to meet the challenge of a social engineering attack that will resonate with your team. Whether you're focused on seeing how much information can be retrieved over a phone call, or curious about the rate at which unknown attachments get opened, your guidance will lead us down a road that matches reality.
It's easy to simply send a link and see if it gets clicked, but it's a much more compelling situation if clicking that link allows us to take a screenshot of your employee's desktop. In social engineering, making an impact on the target audience counts, so we'll try our best to show your staff the real dangers facing the organization.
With a team specializing in many areas of information technology and security, we're able to get the best people for the job working with your organization. Rather than taking a one-size-fits-all approach, we're interested in providing the right talent to get the best results. We're ready to adapt for your scenarios.
Executive or Intern
We customize the attacks and direction of our social engineering scenarios to handle a variety of targets. While threats differ depending on an organization's size and hierarchy, taking an approach that fits the reality of the organization matters. Allowing for customization gives us a better chance of success.
We treat our social engineering engagements like all of our Ethical Hacking Services when it comes to reporting. With a professional deliverable containing the statistics, screenshots, and scoping information needed to make a real impact, your organization gains usable insights into the susceptibility to compromise facing your teams.