A social engineering assessment is a simulated test that measures the information security awareness of an organization's personnel by exploiting employees' natural human tendencies: trust, friendliness, preconceived assumptions, deference to authority, emotional needs, and others. In social engineering tests, the assessment team makes direct contact with targets, by telephone, in person, or sometimes by physically entering restricted areas within the organization.
The assessment uses psychological manipulation to deceive people into performing adverse actions such as clicking on fabricated links, opening malicious attachments, sharing personal details and divulging confidential information about the organization. During the test, the social engineering team develops pretexts tailored to the targeted employees' working context, then uses the trust those pretexts create to lure them into taking unwarranted actions. Such tests often bypass technical security controls entirely.
The ultimate impact of a real-world social engineering attack can be complete compromise of the organization, including business data, employee information, emails, credentials, source code, customer data, and more.
The GRC360 Social Engineering services assist our customers in assessing the ability of the organisation's systems and personnel to detect and respond to targeted social engineering attacks. The assessment is planned in close coordination with the customer's point of contact to ensure that testing is performed in a controlled manner. By simulating the tactics, techniques and procedures (TTPs) used by adversaries, our comprehensive assessments review the technical, process and people controls implemented within the organization. The outcomes of such assessments include:
The types of social engineering services that we provide include:
The flow of our social engineering assessment is as follows:
Based on our customers' requirements, our social engineering assessments are designed to meet the user awareness evaluation and training requirements of benchmarks such as:
PCI DSS
Cyber Security Framework
Data Privacy
ISO 27001
ASD Essential Eight
Vulnerability Assessment
Penetration Testing
GDPR
NIST