Security programs rely on a blend of technology, process, and people to help defend the organization against the many different types of threats. Most security tests focus on technical weaknesses such as host device configurations, operating systems, and applications, with an occasional review of process-based vulnerabilities. However, social engineering exercises are designed to test what many consider the most glaring weakness of the organization: people.
Social engineering testing takes advantage of the human element and preys upon the good nature of individuals to be trusting and helpful. Through a series of different types of tests, social engineering can measure awareness of policies, procedures, processes and overall best practices in the organization. These tests are often predicated upon deceit in order to trick the employee into divulging sensitive information about their logins or passwords, or into granting direct access to systems by having them click on a malicious link or execute malicious files.
Because many industries are targeted by threats that leverage both technical weaknesses and social engineering, organizations need multiple countermeasures such as awareness, education and proactive testing in order to reduce the potential impact. VioPoint offers three different types of social engineering testing that will help organizations identify gaps and develop the appropriate mitigation approach:
- Phone calls to trick employees into granting access to their systems or revealing sensitive information.
- Planting of removable media devices such as USB drives which contain a custom agent that will compromise the machine once the user finds the drive and plugs it into their machine.
- Phishing emails to test both user awareness and technical defenses against spear phishing attacks.
Social engineering testing will help you prepare for targeted attacks by evaluating the behavior and response of individuals across the organization. By conducting these tests, VioPoint will provide several levels of feedback to strengthen the overall security program:
- Identify how well employees are adhering to the established policies for use and disclosure of networked assets.
- Evaluate the effectiveness of alerting technologies based on the response to identified exploits.
- Create recommendations to improve employee awareness through consistent training and awareness campaigns.
- Develop a timeline for follow-up testing to measure improvements in awareness and reduction in risk.