SOCIAL ENGINEERING EXERCISE
Service Description
Just about every major security breach featured in the news over the past decade has involved a social engineering component – Target, Sony, JP Morgan, etc. Coupled with technical penetration techniques, the two attack vectors provide a lethal recipe for successfully breaching an organization and gaining unauthorized access to sensitive information. Social engineering is typically the piece that gives the attacker an initial foothold within the organization, from which they can propagate their attacks to gain real access to sensitive information.
Our Methodology
Beyond just phishing, the Social Engineering exercise targets the human element using multiple attack vectors to test users' awareness of potential security threats. CAG conducts simulated phishing, planted media, pretext calling, and social networking attacks against a sample of the organization's users. Some companies prefer that the entire workforce be tested; others prefer that a representative sample be used. CAG consults with the client during the proposal process to select the most appropriate sample size.
After completion of the assessment and analysis, a report will be prepared that contains summary information, graphical data, and detailed technical analysis, along with action items to facilitate remediation. Before any final deliverables are submitted, CAG will engage key team members to review draft reports, discuss results, and incorporate relevant feedback and context into the report. This hands-on process allows the organization to derive the maximum value from the assessment and associated report, and ensures that all concerns are addressed appropriately.
Highlights include the following:
- Social engineering
- Simulated attacks
- Phishing
- Planted media (mail, USB-drops, etc.)
- Pretext calling
- Social networking
- Tailgating (optional)
- Security awareness
Targets include the following:
- Employees
- Users
- Managers
- Departments (HR, finance, administration, customer service/support, engineering)
- Security knowledge of the individuals tested
Note: Tools may include call scripts, phishing templates, and pseudo-malware (a non-destructive, memory-only script that simulates malware and informs CAG when documents are opened).
Scope: CAG, together with the client, will select a representative sample of individuals for social engineering testing across the organization.
Our Deliverables
In addition to the usual status updates and meetings, we will deliver the following:
- Social Engineering Report including summary information, graphical data, and detailed technical analysis, along with action items to facilitate remediation
Tailored Training & Workshops
CAG develops cutting-edge, tailored training based on the unique needs of each client. Some recent investment areas include:
- Proactive Hunting for Cyber Adversaries
- Open Source Intelligence & Monitoring
- Secure Coding Techniques Workshop
- Log Aggregation, Analysis and Orchestration
- IoT Vulnerability Research
- Code Audit of Key Management Systems
- Malware Analysis & Reverse Engineering
- Media Forensics and Device Attribution
- Bulletproofing Amazon Web Services (AWS)