Cyber security: How to assess awareness of your staff

If there’s anything that last year’s high profile cyber attacks taught us it’s that internet security is not something anyone can afford to take lightly. Data breaches at credit rating agency Equifax led to the personal information of nearly 150 million people to be compromised, while the WannaCry ransomware attack in May infected computers and encrypted hard drive contents widely and all too easily, particularly among NHS systems. No wonder, then, that cybersecurity is big business.

To protect business-critical data and systems from attack, many companies choose to have their internal systems hacked ‘ethically’, asking trusted IT security experts to identify vulnerabilities and strengthen system resilience in anticipation of future attacks.

The ‘success’ of social engineering attacks

While reliable system security is crucial, it can only ever be as good as the weakest link – and that’s where the human element comes in. It only takes 1 out of 100 employees to open an email attachment containing malware, or innocently divulge confidential information in response to a covert phishing attack, and the best protection in the world can be breached.

Social engineering has proved to be an extremely effective hacking technique, since it feeds off a number of human weaknesses and virtues, such as greed, vanity, authority, compassion, and helpfulness, among others. Did you know that 30% of phishing emails are opened by the target – an enormous ‘return on investment’ for the cybercriminal? Or that 70% of user credentials are stolen within the first hour of a successful phishing attack?

It makes eminent sense, therefore that in addition to using security penetration testing on your data systems, you should also be pen testing your staff.

What is social engineering penetration testing?

Rather than outfox a computer system, social engineering penetration testing relies on the techniques used by professional ‘white hat’ hackers to trick staff into revealing sensitive information or carry out actions that create real security holes, which the hacker can then easily exploit. This can be done both on-site and off-site.

Remote social engineering pen testing may start with passive reconnaissance missions to see how much valuable company information is available in the public domain. Data mining and gathering Open Source Intelligence can yield plenty of useful data such as site rank, primary language, IP address, nameserver, hosting history and site technology.

The next step to actively engage with employees to get them to disclose information that’s intended for internal use only. In the case of phishing, an ethical hacker can make contact by

Phone (aka voice phishing or ‘vishing’): An example would be a phone call to the helpdesk by someone pretending to be a legitimate user, eg. Stephen from HR, with the aim of fraudulently obtaining the password to Stephen’s account.
Email: An employee receives what looks like a bona fide email informing them about an urgent action they should take. Examples could be an alleged critical security update or data breach, a lottery win or tax refund. The link that must be clicked for action is a file containing malware, giving the hacker access to the target employee’s corporate account.
SMS (aka ‘smishing’): The target employee receives an innocent looking text message on their phone, with a malicious link that they are tricked into clicking, giving the hacker access.

Onsite methods for social engineering penetration testing centre around gaining physical access to the building or premises, and can be implemented using the following techniques:

Impersonating a member of staff, eg. by wearing company uniform and carrying an ID card (borrowed or fake), pretending to be a delivery person with a package for a restricted area, posing as a candidate for a job interview or a new recruit and borrowing a real ID card, or impersonating a tech support worker to gain direct access to the company’s IT network.
Reverse social engineering, where the ethical hacker first gains the employee’s trust by, say, posing as an IT security expert who gives advice on how to guard against suspicious emails. The target employee will then voluntarily seek out the help of the pen tester, happy to divulge corporate sensitive information without suspicion.
Dumpster driving – literally going through office wastepaper baskets to look for discarded printouts that might contain valuable confidential information that should have been shredded or otherwise securely disposed of.
Leaving physical honeypots (containing malware) to tempt employees, such as unidentified (or temptingly labeled) portable data storage media that will lure staff to run the content on corporate computers.
Eavesdropping (this works both onsite and offsite), by listening in to staff communication via VoIP phones without permission, using phone traffic interception.

What can your company learn from pen testing staff?

Social engineering is the human side of penetration testing for corporate network vulnerabilities. It is designed to test employees’ adherence to corporate security policies and practices. As an essential complement to more traditional pent testing methods, effective staff pen testing should identify important security weaknesses in terms of

The ease with which an intruder could convince staff to break security rules, divulge information or provide access to sensitive data
The employee’s (lack of) awareness and knowledge of corporate security protocols and company policies
Urgent need for enhanced security training throughout the workforce, updated corporate policies, and protocols
Education and policies around the handling of sensitive data, including secure storage, authorized communication, and safe disposal.