
Social Engineering Audits | What's the big deal?

by admin

Social engineering is a fairly new concept that has come into play over the past couple of years in the financial industry. It is quickly becoming a requirement to perform, at a minimum, annual checks on your employees to ensure they are not providing private customer information to unknown people. But what type of testing needs to be done?

Wait, hold up, just what is Social Engineering?

Social engineering is defined as an attack based on deceiving users or administrators at the target site. Attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.

Some like to call it ‘human hacking’.

We sent our scope to the regulators and got their blessing, to make sure it is comprehensive enough for our clients. When selecting a vendor, be sure they cover at least these areas:

Online Reconnaissance
This is the method of attempting to gain information about an institution and its employees solely from the Internet. There are numerous ways to gather knowledge of an institution via the Internet that do not involve the company website.

Dumpster Diving
Although considered a ‘dirty’ job, dumpster diving can provide a rich source of information for the hacker. Hackers look for any information about the institution or its personnel that could give them an advantage.

US Mail Testing
Examples of this include sending fake ‘contest-winner’ mail to employees in the hope that they fill out the forms and provide personal information.

Phone Testing
The most prevalent type of social engineering attack is conducted by phone. A hacker will call and impersonate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack.

Email Testing
Email has become part of almost everyone’s daily life, which makes it a convenient avenue for a social engineering attack.

In Person
In some cases, the only way for someone to gain the information they are looking for is to socially engineer in person. This method is the most difficult and dangerous, but it often reaps the greatest rewards for hackers. People are more likely to trust someone in person than over the phone, so hackers use this as a means to obtain key information.

The Garland Group would obviously love to quote you for this service, but if you decide to go elsewhere, we understand; just make sure you are getting what you pay for.