Social engineering assessments

Professional industrial espionage often involves physical attacks or insiders, even if the target is in cyber space. Nevertheless, this attack vector is frequently underestimated.

This video will be loaded from YouTube while playing. By clicking here you accept the data protection declaration of HVS Consulting / IS-FOX and YouTube.

Question

Could attackers break into a (high) security area? Could they sabotage production or steal company secrets? How do employees behave during such social engineering attacks?

Approach

We define the threat scenario, develop attack routes that focus on employees, and carry out the attacks on site. However, the target to be reached may well be access to IT resources.

Result

You get a detailed documentation of the attacks with identified vulnerabilities and a benchmark to the industry standard. And a lot of security awareness in the management presentation.

Social engineering: attacks via unexpected paths

Many companies focus on protecting themselves against attacks from cyber space by securing their systems, setting up security monitoring and sensitizing their employees to phishing e-mails.

However, attackers can also take unexpected paths, depending on their motivation and capabilities: on site, it is easy for an attacker to obtain internal information, and if things get complicated, they can simply ask.

Manipulating people by using psychological tricks is called social engineering. We scout your location and observe the corporate culture. We cleverly change disguises and identities, gain access by tailgaiting or lock picking, and distribute infected USB sticks. As IT employees, we distribute new keyboards with keyloggers or directly ask for the password - always with a plausible reason, of course. Since our social engineers are also good hackers, we use the information gained on site to abuse your IT, issue our own access authorizations or register additional visitors.

Over the past 20 years, we've stolen prototypes via social engineering, penetrated sealed-off research areas, planted bugs in the CEO's office, or smuggled dummy bombs into high-security data centers. All on behalf of customers, always on the good side of the force.

Benefits of social engineering assessments

Top management awareness

The results of a social engineering assessment are very well suited to sensitize top management to the topic of security, because the risks are very tangible and generate a high level of personal concern. If your CEO sees his or her own target agreement in the management presentation, security becomes a top priority. That's a promise!

Measuring your physical security

You get a very realistic impression of whether your physical security measures are effective and how your employees react to manipulation attempts. We use a combination of hacking and social engineering to uncover flaws in access processes that were thought to be secure and provide many recommendations for optimization.

Convergence of disciplines

Social engineering assessments very often create a change of perspective, away from IT security in one corner and physical security in the other, toward an interlocked, holistic approach to information security, today also called cyber security. This often results in a constructive networking of these two important security disciplines.

Success factors

Crucial to a successful assessment is good preparation. One small mistake and the situation can get out of control or we fly off the handle and have to quit. Then we would have invested a lot of time and effort for little gain in knowledge.

That is why we prepare the assessment thoroughly together with you:

We define goals that are simultaneously challenging, but also realistic and that generate concern. This increases the acceptance of the measures derived.
The circle of those informed must be well considered; the situation must not escalate, nor must there be too many insiders.
Clearly defined rules and boundaries are also important. You remain in control throughout the assessment and are informed of our steps at all times. You can define 'no gos' and stop individual actions.
We respect ethical principles: Attacks on interpersonal levels are an absolute no-no for us, as is personal exposure of individual participants.

The phases of social engineering

Preparation

Meeting to agree on the scope
Kick-off meeting

Execution

Workshop to define objectives and rules of the game
Information research (HUMINT, OSINT, on-site inspection)
Attack planning and preparation
Execution of the attack with physical attacks and social engineering and hacking (if necessary)
Regular status meetings

Evaluation

Clear documentation of the attack path
Replay workshop with the project team
Management presentation

Social engineering

Spear-Phishing
Voice Phishing Calls (Vishing)
Fake identity cards
Disguises
Infiltration of employees (via job applications)
Tailgating
...

Physical tools

Lock Picking
Keylogger
Bugs
Dropbox with mobile internet (remote access/exfiltration)
Screen Grabber
prepared USB Sticks
...

Do you want to know how well you are equipped against a "visit" by us?

Let's get to know each other in a web meeting and talk about your objectives.

Yes, I'm interested