A recent social engineering test resulted in security failures within some of the world's biggest companies. I'd...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
like to run some informal social engineering tests internally. What are some of the most common or cutting-edge techniques worth trying?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Recently, there have been a number of high-profile information security failures that can be traced to social engineering; even the RSA attack that led to the SecurID breach could be seen as a social engineering failure because an employee was reported to have enabled the attack by opening a malicious attachment from a phishing email. Running some informal social engineering tests internally will help make enterprises more aware of social engineering. Social engineering awareness should be included in any general security awareness program. These tests should be a part of the incident response plan, practiced like any other incident response procedures.
Often times, social engineering is used in general penetration tests. Some of the most common exercises in social engineering testing include antiphishing testing, during which employees are sent mock phishing emails to gauge how they respond. Security professionals may want to focus their anti-social engineering training where the most social engineering attacks are discovered: information found on an incident response record. If your organization has conducted incident responses in recent years, that's a good place to start, though there are plenty of high-profile breaches involving social engineering that can be good lessons as well.
In terms of training resources, a group of information security pros has put together a free social engineering toolkit that serves as an excellent starting point for enterprises that aren't familiar with the tricks employed by malicious social engineers, and Defcon has a social engineering contest where some of the most innovative social engineering takes place each year. Some of the most common social engineering breaches have been caused by run-of-the-mill phishing attacks, but organizations may want to include some of the cutting-edge methods from the Defcon 19 Social Engineering Contest results as well for good measure.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.