Fortify has provided Social Engineering testing to many organizations throughout the world. During a Social Engineering test, our team of experts attempts to manipulate an organization's employees into allowing unauthorized access to confidential information. This allows the organization to test its Information Security Policy and its employees' adherence to that policy. By hiring Fortify to perform this test, the organization can identify failure points and train its staff to prevent an actual breach. Fortify has designed techniques that can be performed both onsite and remotely.
During an onsite engagement, Fortify uses various techniques to gain physical access to the premises and obtain records, files, or equipment that may contain confidential information.
The onsite engagement techniques typically include:
- Dumpster diving
- "Trusted Authority" disguises, such as fire inspectors, air-conditioning repair technicians, pest-control technicians, etc.
- Employee Impersonation (IT Help Desk, New Hire, and Auditor)
The onsite engagement tests for weaknesses in the following areas:
- Proper Disposal of Sensitive Data
- Privacy Policy Awareness and Implementation
- Institution Policy Adherence
- Violation Reporting
- Access Privileges
- Sensitive Area Security
- Device/System Compromise
- Technical Preventive and Detective Controls
The remote Social Engineering engagement involves manipulating the organization's employees by telephone or email in an attempt to get them to divulge user names, passwords, customer NPPI (Non-Public Personal Information), or other confidential information.
The remote engagement techniques typically include:
- Pretext Calling (e.g., of Employees and Help Desk Teams)
- Phishing
The remote engagement can include tests for the following:
- Privacy Policy Awareness and Implementation
- Institution Policy Adherence
- Violation Reporting
- Access Privileges
- Privacy Filtering
- Technical Preventive and Detective Controls
Why should I perform social engineering testing?
Social Engineering testing allows an organization to observe its response to a live attack and to measure the effectiveness of its employees' Information Security Awareness.