A recent social engineering test resulted in security failures within some of the world's biggest companies. I'd like to run some informal social engineering tests internally. What are some of the most common or cutting-edge techniques worth trying?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Recently, there have been a number of high-profile information security failures that can be traced to social engineering; even the RSA attack that led to the SecurID breach can be viewed as a social engineering failure, because an employee reportedly enabled it by opening a malicious attachment from a phishing email. Running informal social engineering tests internally will make the enterprise more aware of social engineering, and social engineering awareness should be part of any general security awareness program. The tests should also be written into the incident response plan and practiced like any other incident response procedure: a test lure that nobody reports, or that the help desk mishandles, is itself a finding.
Social engineering is often included in general penetration tests. The most common exercise is phishing simulation, in which employees are sent mock phishing emails and their responses are measured: who opened the message, who clicked the link, who entered credentials, and who reported it. Focus the training on the attack types that actually appear in your own incident response records; if your organization has handled incidents in recent years, that is the best place to start, though the many high-profile breaches involving social engineering make good lessons as well.
In terms of training resources, a group of information security professionals has put together a free social engineering toolkit that is an excellent starting point for enterprises unfamiliar with the tricks malicious social engineers use, and Defcon runs a social engineering contest where some of the most innovative social engineering takes place each year. Most social engineering breaches have been caused by run-of-the-mill phishing, so start there, but consider including some of the cutting-edge methods from the Defcon 19 Social Engineering Contest results as well.
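The phishing simulation described above is easier to run honestly when every recipient gets a distinct, unguessable tracking link and results count unique people rather than raw hits. The following is an added example (not code from the original answer or from any toolkit it mentions) showing that bookkeeping: a per-recipient HMAC token in the lure URL, a mock email built around it, and a report computed from web-server style access log lines. The campaign secret, the landing host `training.example.internal`, the recipients and the log lines are all constructed for the example.

```python
import hmac
import hashlib
import re
from email.message import EmailMessage

# Hypothetical campaign secret; in practice generate one per campaign and keep it
# with the campaign record, because anyone holding it can forge "clicks".
CAMPAIGN_SECRET = b"rotate-me-per-campaign"
LANDING_HOST = "https://training.example.internal"  # assumed landing page host

# Constructed recipient list for the example.
SAMPLE_RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def make_token(campaign_id: str, recipient: str) -> str:
    """Per-recipient token bound to the campaign. Without CAMPAIGN_SECRET it cannot
    be produced, so a guessed URL cannot inflate or fake the click statistics."""
    msg = f"{campaign_id}:{recipient}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def build_lure(campaign_id: str, recipient: str, sender: str):
    """Build the mock phishing email; returns the message and its token."""
    token = make_token(campaign_id, recipient)
    url = f"{LANDING_HOST}/t/{campaign_id}/{token}"
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Action required: password expiry"
    msg.set_content(f"Your password expires today. Review your account at {url}")
    return msg, token


def click_report(campaign_id: str, recipients, access_log_lines):
    """Validate tokens seen in the landing page logs and count unique clickers."""
    expected = {make_token(campaign_id, r): r for r in recipients}
    clicked = set()
    invalid = 0
    pat = re.compile(rf"GET /t/{re.escape(campaign_id)}/([0-9a-f]{{16}})")
    for line in access_log_lines:
        m = pat.search(line)
        if not m:
            continue  # static assets, other paths: not a click
        token = m.group(1)
        if token in expected:
            clicked.add(expected[token])  # repeat clicks by one person count once
        else:
            invalid += 1  # forged or mistyped token: worth investigating, not a click
    return {
        "sent": len(recipients),
        "clicked": len(clicked),
        "rate": len(clicked) / len(recipients),
        "invalid_tokens": invalid,
        "who": sorted(clicked),
    }


def sample_log(campaign_id: str, recipients):
    """Constructed access log lines: alice clicks twice, bob once, carol never,
    plus one request with a made-up token from an outside address."""
    t0 = make_token(campaign_id, recipients[0])
    t1 = make_token(campaign_id, recipients[1])
    return [
        f'10.0.0.5 - - [12/Oct/2011:09:01:12 +0000] "GET /t/{campaign_id}/{t0} HTTP/1.1" 200 512',
        f'10.0.0.5 - - [12/Oct/2011:09:01:40 +0000] "GET /t/{campaign_id}/{t0} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [12/Oct/2011:09:03:02 +0000] "GET /t/{campaign_id}/{t1} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [12/Oct/2011:09:03:05 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
        f'203.0.113.7 - - [12/Oct/2011:10:11:00 +0000] "GET /t/{campaign_id}/0123456789abcdef HTTP/1.1" 404 0',
    ]


def run_sample():
    """Run the whole flow on the constructed data and return the report."""
    campaign = "q4-awareness"
    for r in SAMPLE_RECIPIENTS:
        build_lure(campaign, r, "it-helpdesk@example.com")  # would be sent here
    return click_report(campaign, SAMPLE_RECIPIENTS, sample_log(campaign, SAMPLE_RECIPIENTS))


if __name__ == "__main__":
    print(run_sample())
```

Two design points: the report counts unique people, not requests, because a single curious employee reloading the page says nothing about the population; and requests carrying a token that does not verify are reported separately, since in a real campaign they usually mean the link leaked outside the target group or someone is probing the landing page.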