Test your users’ gullibility to social engineering
Stephanie Carruthers, People Hacker for IBM- X-Force Red wrote an excellent post on why you should social engineer your own organization. I’ll quote the first paragraph or so, and you should read the rest of the article, it makes an excellent point for the need to “social engineer your employees” and assess the strength of your human firewall!
“It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.
“So what?” he said, clearly unimpressed.
As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.
CISO did not care
Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.
During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email.
The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.
Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.
My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment.”
Here is a link to the rest of the post.
What can you do about it?
A motivated attacker with sufficient resources can practically always make it into a network. Paying for a pentest which includes social engineering is a great way to identify holes in your human firewall. Here are two excellent “shortlist” suggestions to ask for a quote:
IBM’s X-force Red:
https://www.ibm.com/security/services/offensive-security-services?
Mitnick Security (have a 100% success rate if social engineering is allowed as part of the test)
https://www.mitnicksecurity.com/
And how to dramatically strengthen your human firewall? New-school security awareness training of course!
—
Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/social-engineering-testing-why-getting-hacked-is-a-security-advantage. Cyber Safety Net – Keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.