
Social Engineering

It is only human to take someone at their word and trust them. This makes us vulnerable to attacks and turns us into the weakest link in the chain. Many experienced security experts emphasize this point and warn about the resulting dangers. No matter how many patches have been installed and how many firewalls are active, what ultimately decides the security of company data is the behavior of Ms. Miller from accounting and Mr. Schmidt at the helpdesk.

The basic aims of social engineering are the same as those of conventional hacking: to gain unauthorized access to systems or data in order to commit fraud or industrial espionage, to intrude into other organizations' networks, or to interfere with their operation. Whereas a couple of years ago only very large businesses were the typical target of social engineering attacks, today social engineering is part of almost every planned attack. Compared to the complicated forms of technical hacking, social engineering is easy: even for a technically skilled attacker, it is simpler to pick up the phone and ask for a password.

acribis offers a wide range of services in the area of social engineering, which allow for an examination of the current situation in your company:

Physical attacks

In this case, our specialist will try to gain access to one or more company and/or administrative buildings of the customer. Once inside, he will try to collect information from those departments that show vulnerabilities (for example, confidential documents left on desks or in the waste bin) and to establish a basis for further attacks and for the next steps (for example, by obtaining a telephone directory).

If access is electronically secured (for example, by a badge system), our tester will try to obtain a suitable badge or to get inside in a different way (for example, by entering together with other employees).

Psychological attacks

Our specialist will test how resilient the employees are on the phone. Normally he will use an internal telephone and the data he has already gathered (such as the telephone directory). He will try to find out the user names and passwords of employees.

In addition to a fake identity, our tester will use a technique in which he accuses the target of having made a mistake and of being responsible for it. At the same time he offers help, and so exploits the pressure on the employee to obtain information.

If desired, our specialist can also employ the so-called "reverse social engineering" method. In that case, he will deliberately disrupt, for example, the workstation of one employee. Shortly afterwards, he will offer his assistance and claim to know how to solve the problem. In this phase he exploits the victim-helper relationship and tries to gain information.

Online Social Engineering (Phishing)

Another kind of social engineering is to simulate a situation by technical means so that the employee reveals confidential information without any further personal influence.

The best-known kind of online social engineering is the so-called phishing attack. Here, a familiar environment is simulated by means of an e-mail and/or a website. For example, a specially crafted e-mail message can prompt the user to change his password. Here too, the effect can be boosted by accusing the user of having made a mistake and insisting that the problem has to be solved immediately.

For our specialist, this kind of social engineering is a "nice extra" to the other methods and gives him a good picture of the current state of security awareness within the company. It allows several departments to be tested at the same time, so that the results can be compared statistically.