A social engineering penetration test is designed to imitate the attacks that malicious social engineers use to breach companies, and to measure how effective the information security awareness of the company's employees really is.
It is the practice of attempting typical social engineering scams on a company's employees to ascertain the organization's level of vulnerability to that type of exploit. Social engineering as a part of penetration testing has become a major area of interest for organizations.
Such tests are designed to check employees' adherence to the security policies and practices defined by management. Testing should give a company information about how easily an intruder could convince employees to break security rules, or to divulge or provide access to sensitive information. The company should also get a better understanding of how successful its security training is and how the organization stacks up, security-wise, against its peers.
It may be conducted as part of a more comprehensive penetration test (pen test). Like ethical hacking methods, the tests themselves generally replicate the types of efforts that real-world intruders use. The sections below describe the approach a social engineering tester follows:
Social engineering has become one of the more prevalent attack methods in use today, and has been featured heavily in some high-profile breaches. For organizations to adequately model the real threats they face, social engineering penetration testing should be a mandatory tactic in every pen testing toolkit.
Social engineering relies heavily on psychology. There are a few social engineering techniques that pen testers can use to test an organization's security: phishing, pretexting, media dropping and tailgating. Testing companies employ a range of techniques covering telephone, Internet-based and onsite engagements.
Remote Social Engineering engagement:
A remote social engineering engagement involves manipulating the organisation's staff by telephone or email in an attempt to get employees to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information.
The remote engagement techniques: Phishing
Phishing involves sending an email to a user in order to persuade the user to perform an action. The goal of most phishing emails in a pen testing project is simply to entice the user to click something and then record that activity, or to actually install a program as part of a larger penetration testing effort. In the latter case, exploits can be tailored to client-side software known to have problems, such as browsers and dynamic content/media plug-ins and software.
The key to a successful phishing campaign is personalization. Tailoring the email to the targeted user, for example by making it appear to come from a trusted source, increases the likelihood of the user reading the email or following some instruction in it. A good pen tester will always remember to check spelling and grammar; a well-written email, even a short one, will be much more believable.
Probably the best-known tool for creating phishing attacks is the open source Social Engineering Toolkit (SET). With its menu-driven email and attack-creation system, it’s one of the simplest ways to get started with phishing. Commercial tools like PhishMe Inc.’s PhishMe and Wombat Security’s PhishGuru can also be useful.
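The same personalization tricks that make a phishing test convincing (a trusted-looking display name, a domain one character away from the real one, replies routed elsewhere) are also what a mail gateway or SOC analyst looks for when triaging a reported message. The following script is an added example for the defensive side of the exercise, not code from the original article or from SET; the trusted domain, the header samples and the indicator names are constructed for illustration.

```python
"""Triage raw e-mail headers for the spoofing tricks used in phishing campaigns."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own domain(s); placeholder value.
TRUSTED_DOMAINS = {"example.com"}

# Digits commonly substituted for look-alike letters; folded before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a trusted domain signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    # Fold digit substitutions and the classic rn->m / vv->w letter pairs.
    folded = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message):
    """Return the list of indicator names found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = sender_domain(msg["From"])
    findings = []

    # 1. Display name borrows a trusted brand while the address is external.
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and any(b in display_name.lower() for b in brands):
        findings.append("display-name-spoof")

    # 2. Sender domain is a few characters away from a trusted one.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike-domain:{from_domain}~{imitated}")

    # 3. Replies are routed to a domain other than the visible sender's.
    reply_domain = sender_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Envelope sender disagrees with the visible From domain.
    return_domain = sender_domain(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        findings.append("return-path-mismatch")

    return findings


# Constructed sample headers (not real mail).
SAMPLE_SPOOF = """From: "Example IT Support" <helpdesk@exarnple-support.net>
Reply-To: attacker@mailbox.example.net
Return-Path: <bounce@exarnple-support.net>
Subject: Password reset required
To: user@example.com

Please confirm your password using the link below.
"""

SAMPLE_LOOKALIKE = """From: payroll@examp1e.com
Return-Path: <payroll@examp1e.com>
Subject: Updated payslip
To: user@example.com

Your payslip is attached.
"""

SAMPLE_LEGIT = """From: "Example HR" <hr@example.com>
Return-Path: <hr@example.com>
Subject: Benefits enrolment
To: user@example.com

Enrolment closes on Friday.
"""

if __name__ == "__main__":
    for name, raw in [("spoof", SAMPLE_SPOOF), ("lookalike", SAMPLE_LOOKALIKE), ("legit", SAMPLE_LEGIT)]:
        print(f"{name:10} -> {phishing_indicators(raw) or ['clean']}")
```

The indicators are deliberately cheap to compute so they can run over every reported message; in practice they would be combined with SPF/DKIM/DMARC authentication results, which this example does not evaluate.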
The remote engagement techniques: Pretexting
Pretexting involves telephoning the target and trying to solicit information from him or her, usually by pretending to be someone that needs assistance. This technique can work well in a penetration testing project by targeting non-technical users who can provide useful information.
The best strategy is to start with small requests and drop names of real people in the organization that may be waiting for something. In the pretexting conversation, the pen tester explains they need the target’s help. Once rapport has been established, the pen tester can ask for something more substantial with more success.
Reconnaissance before the pretexting exercise, using Google and tools like Paterva’s Maltego, can provide needed background information. Phone-masking/proxying tools like SpoofCard (a subsidiary of TelTech Systems) and SpoofApp from SpoofApp.com LLC, as well as Asterisk PBX add-ons from Digium Inc., can disguise the pen tester’s phone number, even making it appear to come from the organization’s own number block.
The Onsite engagement techniques: Media dropping
Media drops usually involve a USB flash drive left somewhere conspicuous, like a parking lot or building entrance area. The social engineer places an interesting-sounding file on the flash drive that launches some sort of client-side attack when opened.
One free tool for creating these files is Metasploit, with its built-in malicious payload generators. The "Infectious Media Generator" option in SET also utilizes Metasploit, but helps automate the process. SET can create a "legitimate"-looking executable that runs automatically when AutoRun is enabled on a target's PC. Combining automatic execution techniques with interesting-sounding files increases the chances of success.
A more sophisticated approach to performing a media drop as part of a pen testing project is to develop custom attacks and programs on a USB drive, or to purchase USB drives that are pre-built for this purpose. To increase the success of USB attacks, add both automated exploits and attack-laden files to the device (PDF, Word and Excel formats are best). Labelling the device with an interesting sticker, like “HR Data” or “Employment”, can help, too.
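Because the media-drop scenario above depends on AutoRun being enabled, the first thing a defender (or a tester writing up findings) checks is the Windows NoDriveTypeAutoRun policy mask, which has one bit per drive type. The script below is an added example, not part of the original article: it decodes the mask, reports which drive types would still honour AutoRun, and reads the live value on a Windows host. The bit assignments and the 0x91 default are Windows facts; the function names are this example's own.

```python
"""Decode the Windows NoDriveTypeAutoRun policy that governs media-drop payloads."""
import sys

# One bit per Windows drive type; a set bit DISABLES AutoRun for that type.
DRIVE_TYPE_BITS = {
    "DRIVE_UNKNOWN": 0x01,
    "DRIVE_NO_ROOT_DIR": 0x02,
    "DRIVE_REMOVABLE": 0x04,  # USB sticks, floppies
    "DRIVE_FIXED": 0x08,      # internal hard disks
    "DRIVE_REMOTE": 0x10,     # network shares
    "DRIVE_CDROM": 0x20,
    "DRIVE_RAMDISK": 0x40,
    "RESERVED": 0x80,         # unspecified drive types
}
DISABLE_ALL = 0xFF
WINDOWS_DEFAULT = 0x91  # unknown, network and reserved disabled; removable left enabled

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_enabled_types(mask):
    """Return the drive types on which AutoRun is still permitted by `mask`."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(mask):
    """Classify a policy mask: 'hardened' only when every drive type is covered."""
    if mask is None:
        mask = WINDOWS_DEFAULT  # no policy set: the built-in default applies
    leftover = autorun_enabled_types(mask)
    if not leftover:
        return "hardened"
    return "AutoRun still allowed on: " + ", ".join(leftover)


def read_policy_mask():
    """Read the effective value on Windows (machine policy first); None if unset or not Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, POLICY_VALUE)
                return int(value)
        except FileNotFoundError:
            continue
    return None


if __name__ == "__main__":
    live = read_policy_mask()
    print(f"{POLICY_VALUE} = {live!r}: {assess(live)}")
    print(f"default 0x91: {assess(WINDOWS_DEFAULT)}")
    print(f"0xFF:         {assess(DISABLE_ALL)}")
```

A value of 0xFF is what hardening guides set via Group Policy. Note that since Windows 7 (and the KB971029 update for earlier versions) Windows no longer acts on autorun.inf from USB mass-storage devices regardless of this mask, so the residual exposure is optical media and devices that present themselves as CD-ROM drives; the file-based payloads described above (PDF, Word, Excel) do not depend on AutoRun at all and need user-awareness controls rather than this policy.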
The Onsite engagement techniques: Tailgating or Physical Testing:
Tailgating involves getting into a physical facility by coercing or fooling staff there, or simply by walking in. For example, a tester might try to enter a secured building at a time when many employees are arriving, perhaps talking on a phone and carrying several items, to see whether someone holds the door open rather than following the approved procedure of letting the door close so that anyone following must use an employee card or badge. Testers may also adopt "trusted authority" disguises, such as fire inspectors, air-conditioning repair technicians or pest control workers. Usually the focus of these tests is to demonstrate that the pen tester can bypass physical security.
Pen testers should plan to procure sensitive data or install a device quickly to prove they were successful, as they may have only a short window of time before needing to leave the facility. The pen tester can take pictures of exposed documents left on printers or desks, or install a pen testing drop box device to provide Wi-Fi or 3G network access back to the environment later.
By using these social engineering techniques, the pen tester can uncover an organization’s vulnerabilities and then recommend security controls and education techniques that will reduce the odds of an organization falling prey to malicious social engineering attacks.