Social Engineering Testing

Similar to penetration testing, this service entails using a security specialist to “attack” a customers’ defenses, but this test focuses on employees rather than the systems they are using. For example, the tester may employ emails, web phishing, and perhaps phone-based phishing attacks to validate whether an employee avoids the trap or takes the bait by clicking a link/attachment or revealing sensitive information over the phone to an unknown caller. This test can also be used in conjunction with security awareness training.

What is a Remote Social Engineering Penetration Test?

Remote social engineering penetration testing validates the effectiveness of user security awareness, incident response, and network security controls such as malware defenses, local permissions, and egress protections. Performed under controlled conditions, a remote social engineering test involves issuing carefully crafted emails to lure users to fictitious “malicious” websites, attempts to compromise these users, escalate privileges, and penetrate the internal environment.

A social engineering penetration test will help you:

• Establish the publicly available information that an attacker could obtain about your organisation;
• Evaluate how susceptible your employees are to social engineering attacks;
• Determine the effectiveness of your information security policy and your cybersecurity controls at identifying and preventing social engineering attacks; and
• Develop a targeted awareness training program.

How to prepare for social engineering testing?

Keeping things a secret is key to ensuring that your social engineering testing becomes a success. If several of your employees know about an upcoming social engineering test, the information can quickly spread to all your staff, putting them on high alert and rendering the test useless because the information it will give you won’t be accurate. Surely, a few people will have to know about the testing to make it possible, but it’s important to inform only trusted people who absolutely have to know about the testing.

You also need to prepare a list of the data and assets that are most important to your company, as this will help the social engineering team to identify the main objectives for social engineering testing and come up with the most effective strategy for the ‘attack’. It’s also a good idea to provide a list of contact information for the employees who will be tested. Surely, the testing team can find this information on their own but it will be cheaper and faster for you to provide it yourself.

Lastly, if your company has been a victim of a hacker attack in the past, you should provide information about it to the testing team along with a list of measures you’ve taken to prevent the same from happening in the future. Similarly, if there are some types of attacks that are common in your industry or attacks that you’re especially worried about, inform the testing team about it so the testing can be tailored to your needs.