Social engineering is the art of manipulating people into performing actions or divulging confidential information. Redhawk Network Security provides both remote and onsite social engineering prevention services. Tests include social engineering attacks using physical and technical approaches. The goal is to determine whether controls are in place to prevent unauthorized disclosure of information.
Social Engineering Prevention Services
- Phishing attack – A phishing attack will be performed by sending a spoofed email that appears to be from your organization. The message will include a link to a website with your organization's identity. The web page will request sensitive information and ask the employee to download software. The results will be monitored to determine the number of responses.
- Telephone pretexting attack – The objective is to verify compliance with policy prohibiting surveys and to obtain password policy information or passwords. The social engineer will contact users by telephone on the pretext of an information systems support task.
- On-site impersonation – By masquerading as a third-party vendor or employee, an attempt is made to obtain unauthorized access or acquire confidential information.
- Physical security review – A review from the social engineering perspective includes the disposal of paperwork, disposal of computer media, clear desk / clear screen usage, use of security cameras, usage of locking facilities, badge usage, escorted third parties, physical access controls and public access areas.
- USB attack – A scenario in which an auto-run USB drive containing a simulated malicious program runs that program when the drive is plugged into a user's computer. Drives are placed in strategic locations. In the test scenario, the program will not install anything permanent or malicious. The drive only connects to a server on the Internet to collect information about the connecting workstation to validate a successful test.