Social engineering is a technique for tricking legitimate computer users into
providing information that hackers can use to gain unauthorized access to computer systems.
The hacker usually poses as a legitimate employee to trick computer users into giving out useful information
that can be used to break into the system. Social engineering is usually performed by telephone, but forged e-mail messages
or on-premises visits are not uncommon.
Most people are under the impression that computer break-ins are purely technical, the result of
flaws in computer systems that intruders can exploit. The truth, however, is
that social engineering often plays a substantial role in helping hackers slip
through initial security barriers. Gullible computer users who lack security awareness often provide an easy stepping stone
into a protected system to which the attacker has no authorized access.
ECCT’s Social Engineering Vulnerability Assessment Service provides a comprehensive review
to determine your company's level of security awareness concerning social engineering
issues and your organization's ability to resist such attacks, as specified by the latest FDIC, NCUA and FFIEC
regulations. By assessing the company’s defenses against
various forms of social engineering, appropriate actions can be taken in advance
to eliminate vulnerabilities before they can be exploited by
a real attacker.
Gramm-Leach-Bliley Act
Having worked with many financial institutions' data processors, ECCT understands how your data processor affects the rest of your network, allowing
ECCT to make qualified recommendations to further enhance your network's security.
SOCIAL ENGINEERING CATEGORIES
IMPERSONATION & PERSUASION
This is the most common technique. Even the finest technical controls can
be rendered useless by a gullible or overly "helpful" employee. This attack
is typically made by telephone.
INTERNET / INTRANET & E-MAIL SPOOFING
With this attack, an apparently 'legitimate' e-mail
is sent to coax or pressure the recipient into revealing sensitive information, which is either
requested as a reply to the original e-mail or through a link to a "mirror" website masquerading as the real website. In either case,
an area to enter confidential information is provided.
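The mismatch pattern described above (a message whose visible sender and link text point at the real site while the Reply-To address and the actual link target point at a look-alike "mirror") can be checked mechanically on the receiving side. The following Python is an added example, not code from the original page or from ECCT; the message it scans is constructed for illustration and every domain in it is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (placeholder domains): the display name and link text show
# the "real" bank, but Reply-To and the href point at a look-alike site.
SAMPLE_EMAIL = """From: Example Bank Support <support@examplebank.com>
Reply-To: support@examplebank-secure.net
Subject: Verify your account
Content-Type: text/html

<p>Please confirm your details at
<a href="http://examplebank-secure.net/login">https://www.examplebank.com/login</a></p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    """Crude registrable domain: keeps the last two labels of the host name.
    Assumption: no multi-label public suffix such as co.uk is involved."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def domain_of_address(header_value):
    _, addr = parseaddr(header_value or "")
    return registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

def domain_of_url(text):
    text = text.strip()
    if "://" not in text:            # bare host in link text, e.g. www.bank.com
        text = "http://" + text
    return registrable(urlparse(text).hostname or "")

def find_spoofing_indicators(raw_message):
    """Return (indicator, detail) pairs; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of_address(msg.get("From"))
    reply_dom = domain_of_address(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:      # replies go somewhere else
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    for href, anchor in LINK_RE.findall(msg.get_payload()):
        shown = domain_of_url(anchor) if re.search(r"\w\.\w", anchor) else ""
        target = domain_of_url(href)
        if shown and shown != target:            # visible URL != real target
            findings.append(("link-text-mismatch", f"{shown} shown, {target} target"))
        elif target and target != from_dom:      # link leaves the sender's domain
            findings.append(("off-domain-link", target))
    return findings
```

Only an HTML anchor with a visible URL triggers the link-text check; a link whose text is "Click here" is judged solely on whether its target matches the sender's domain.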
UNAUTHORIZED PHYSICAL ACCESS
Using a combination of stealth and guile, the attacker will first attempt
to enter an employee entrance or public area in order to then penetrate
a protected area using deception and manipulation.
SANITATION RECONNAISSANCE
Also known as Dumpster Diving, this involves the exploitation of
sensitive information that was not properly disposed of. This information may be on paper or other media
and may include technical manuals, telephone numbers, bank statements
and other sensitive data.
SOCIAL ENGINEERING REPORT
ECCT’s Social Engineering Report is generated from interviews with management and
line staff, actual social engineering attempts and thorough data collection.
The report compares your current security policies with
recognized best practices and your actual resistance to such social engineering attacks.
DESCRIPTION OF SERVICES
ON-SITE SOCIAL ENGINEERING ASSESSMENT
- ECCT will create, plan and implement a social engineering strategy for collecting
incrementally more sensitive levels of information. All information
acquired will be documented.
- The ECCT engineer will come onsite and attempt to access areas of your company
not available to the public and collect as much information as possible. All areas accessed
will be photographed and documented.
- ECCT personnel will rely on a variety of well-honed techniques to acquire information
using e-mail replies and phishing e-mails to mirror sites. All sensitive information acquired
will be documented.
- On-site, the ECCT engineer attempts to acquire information from improperly
disposed documentation and media. All data retrieved will be documented.
- ECCT processes all data and generates a formal written report detailing the results.
- The complete report will include an Executive Summary and a Detailed Technical
Report with Recommendations.