Penetration Testing and Your Employees

What do you think is the biggest cyber risk factor in your organisation? If your answer were your employees, you’d be right. The toughest security system on the planet can’t protect you if your staff leaves the door open to cyber criminals. Using this weak link to access an organisation’s information system is called human hacking or social engineering. Hackers use psychological tactics to manipulate your employees into taking a specific action, whether paying a supposedly urgent invoice, sending sensitive data or granting privileged network access.

Social engineering attacks are evident in 98% of cyber crime.

This is a sign that this approach is both simple and highly effective. Think about it: why would a hacker spend hours hunting for an elusive secret entrance if they can convince someone inside to open the door?

Playing War Games With Your Employees

Penetration Testing is a way of practising war on your system to identify where your flaws are. Social engineering Penetration Testing does the same thing, but focuses on your employees instead of your network.

• How susceptible are they to phishing emails?
• Would they plug in an unknown USB stick?
• Can they be manipulated to send a file or pay a bill without following the proper security protocols?

Different types of social engineering Penetration Testing techniques can help you discover cyber user awareness in your organisation. Let’s examine how we might hack your employees.

Off-Site Social Engineering Penetration Testing

There is a startling amount of personal data available on the internet. With just a few minutes spent browsing your social media profile, a hacker would likely know your date of birth, your kid’s date of birth, where you live, your job history and – if you’re the kind of person who fills out and posts surveys – your first pet’s name, your favourite book, film, teacher, etc. All of which could be used to hack your password. A pen tester and a hacker would begin with this simple search, since it’s the easiest and best place to start. Then, having developed a profile of their target, they could commence their phishing campaign.

What is Phishing?

Phishing is the most common form of social engineering. It is typically conducted via email, but could also occur over the phone or via SMS.

For example, you might receive an email saying that one of your online shopping accounts has been compromised and requesting that you change your password. By following the link the hacker provides, you give them access to your password, your payment details, and whichever other sensitive information is stored on the site.

An SMS alternative might be a text message asking you to call a number or send a reply, for example, to reinstate a ‘closed’ account. The result? You could be looking at anything from high charges on your bill to malware collecting all the personal information from your phone. Phone phishing scams are frighteningly common. A typical example would be a phone call claiming to be from your bank, warning of unusual activity on your account, and urging you to move your money into a ‘safe’ account. They give you the details; you lose your money.

You’ll notice a common thread across these examples – fear. Hackers will make their victims feel that they have to act immediately, which means they are less likely to stop and question whether the action they are being told to take sounds legitimate.

Penetration testers will use these same tactics with your employees to determine their susceptibility.

On-Site Social Engineering Penetration Testing

Penetration Testers apply various techniques for on-site engagement to gain physical access to your offices. These kinds of attacks are carried out in several ways.

• Imagine a guy shows up at reception claiming to be an engineer from your cyber security provider. He has a badge. He looks the part. Would your staff let him in? This kind of test examines whether your security protocols are up to par.
• Reverse social engineering. In this scenario, the victim appears to go to the attacker of their own volition. Sounds ridiculous? The trick is that an ethical hacker first uses a traditional social engineering attack to establish trust-based relations (for example, impersonating someone who advises on how not to fall prey to social engineering attacks). As a result, victims reveal a lot more corporate-sensitive information because they go to the hacker themselves. Could your staff be fooled that way?
• Dumpster diving. What sensitive information is hidden in your bin? Hackers are not above going through your rubbish to find any sensitive corporate information and your penetration testers will do the same.
• USB dropping. If your employees noticed a random USB drive they didn’t recognise, would they plug it into their computer to find out what is on it (despite the risk that it might contain malware)? Let’s find out!
• Unauthorised listening to staff’s communication via VoIP phones using phone traffic interception – can it be done, and what value would a hacker find in it?

Benefits of a Social Engineering Penetration Test

Social engineering is a key component of modern cyberattacks. It therefore has to be a part of your penetration test. A social engineering Pen Test can reveal much about your employees’ cyber security awareness levels and compliance with security policies.

• Do they need more training?
• Do they need more of an incentive to comply?
• Are they aware of the risks their behaviour poses for the entire organisation?

Cyber user awareness is integral to the success of any cyber security and improvement programme. If the pen-test report reveals significant gaps in knowledge, it will be well worth investing in more training to plug those holes. Employees will always remain an important security vulnerability, but with the right training and ongoing vulnerability management, they can also be your first line of defence.