A recent social engineering test resulted in security failures within some of the world's biggest companies. I'd...
like to run some informal social engineering tests internally. What are some of the most common or cutting-edge techniques worth trying?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Recently, there have been a number of high-profile information security failures that can be traced to social engineering; even the RSA attack that led to the SecurID breach could be seen as a social engineering failure because an employee was reported to have enabled the attack by opening a malicious attachment from a phishing email. Running some informal social engineering tests internally will help make enterprises more aware of social engineering. Social engineering awareness should be included in any general security awareness program. These tests should be a part of the incident response plan, practiced like any other incident response procedures.
Often times, social engineering is used in general penetration tests. Some of the most common exercises in social engineering testing include antiphishing testing, during which employees are sent mock phishing emails to gauge how they respond. Security professionals may want to focus their anti-social engineering training where the most social engineering attacks are discovered: information found on an incident response record. If your organization has conducted incident responses in recent years, that's a good place to start, though there are plenty of high-profile breaches involving social engineering that can be good lessons as well.
In terms of training resources, a group of information security pros has put together a free social engineering toolkit that serves as an excellent starting point for enterprises that aren't familiar with the tricks employed by malicious social engineers, and Defcon has a social engineering contest where some of the most innovative social engineering takes place each year. Some of the most common social engineering breaches have been caused by run-of-the-mill phishing attacks, but organizations may want to include some of the cutting-edge methods from the Defcon 19 Social Engineering Contest results as well for good measure.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.