Penetration testing attempts to exploit vulnerabilities in systems, networks, human resources, or physical assets in order to test the effectiveness of security controls. Social engineering is the psychological manipulation of people to prompt them into performing certain actions or divulging sensitive information. Social engineering penetration testing, then, uses different forms of social engineering attacks to attempt to exploit the vulnerabilities in people, groups, and processes, in order to identify vulnerabilities, with the goal of remediation. Do not be dissuaded from performing these tests simply because they involve the concept of psychological manipulation. These tests are performed under controlled conditions and with informed consent, and they offer valuable insight into the effectiveness of user security awareness, incident response, and network security controls that can benefit everyone in your organization.
Types of social engineering attacks include:
Phishing. Using email to attempt to trick a user into revealing sensitive information or opening a malicious file.
Vishing. Similar to phishing, vishing uses phone calls to attempt to trick a user into revealing sensitive information.
Smishing. Similar to phishing, smishing uses sms text messages to trick a user into revealing sensitive information or opening a malicious file.
Impersonation. Impersonation is a method where the attacker attempts to trick a user into believing they are someone else in order to obtain sensitive information, access to resources, and/or for financial gain.
Dumpster diving. Dumpster diving is a method where an attacker searches a user’s physical space, looking for useful information about a user or organization from items such as sticky notes, calendars, and items found in the garbage.
USB drops. The USB drops method involves leaving USB devices containing malicious software in common areas throughout a workspace. Once the USB is plugged in, it installs malicious software that can provide a backdoor into a system or can transfer files with common file extensions.
Tailgating. Tailgating is a method where an attacker follows closely behind an employee using a key fob to gain entry and enters in right behind them.
Social engineering penetration testing options include off-site tests, which are aimed at testing security awareness through vishing, phishing and smishing social engineering methods and on-site tests which are aimed at testing security and privacy policies and practices, and could include impersonation, dumpster diving, USB drops, and tailgating social engineering methods.
Social engineering assessment methodology may include the following steps:
Information gathering. Gather the necessary information in order to become familiar with the organization, its messaging, its departments, and other publicly available information.
Threat modeling. Use information obtained during the information gathering stage to identify and evaluate the types of threats that the organization is most likely to encounter.
Campaign preparation. Review the rules of engagement, project scope, testing timeline, objectives, and limitations or restrictions prior to testing.
Infrastructure preparation. Systems are prepared. For an email campaign, the transportation, hosting, and collection of responses will be prepared.
Vulnerability analysis. After delivering a campaign, track how many targets fell for the social engineering methods delivered.
Exploitation. The threats identified in the threat modeling stage are exploited, or the social engineering methods may be retooled for more effective exploitation in subsequent campaigns.
Post-exploitation. After an exploitation, the goal is to quantify the risk that exists in the organization and to identify what needs to be done to minimize those risks.