A recent social engineering test resulted in security failures within some of the world's biggest companies. I'd...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
like to run some informal social engineering tests internally. What are some of the most common or cutting-edge techniques worth trying?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Recently, there have been a number of high-profile information security failures that can be traced to social engineering; even the RSA attack that led to the SecurID breach could be seen as a social engineering failure because an employee was reported to have enabled the attack by opening a malicious attachment from a phishing email. Running some informal social engineering tests internally will help make enterprises more aware of social engineering. Social engineering awareness should be included in any general security awareness program. These tests should be a part of the incident response plan, practiced like any other incident response procedures.
Often times, social engineering is used in general penetration tests. Some of the most common exercises in social engineering testing include antiphishing testing, during which employees are sent mock phishing emails to gauge how they respond. Security professionals may want to focus their anti-social engineering training where the most social engineering attacks are discovered: information found on an incident response record. If your organization has conducted incident responses in recent years, that's a good place to start, though there are plenty of high-profile breaches involving social engineering that can be good lessons as well.
In terms of training resources, a group of information security pros has put together a free social engineering toolkit that serves as an excellent starting point for enterprises that aren't familiar with the tricks employed by malicious social engineers, and Defcon has a social engineering contest where some of the most innovative social engineering takes place each year. Some of the most common social engineering breaches have been caused by run-of-the-mill phishing attacks, but organizations may want to include some of the cutting-edge methods from the Defcon 19 Social Engineering Contest results as well for good measure.
Dig Deeper on Security Awareness Training and Internal Threats-Information
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.