Home / Blog / General / Penetration testing and your employees

November 25, 2019

What do you think is the biggest cyber risk factor in your organisation?

If your answer was your employees, you’d be right. The toughest security system on the planet can’t protect you if your staff are leaving the door wide open to cyber criminals.

The process of using this weak link to access an organisation’s information system is known as human hacking or social engineering. Hackers use psychological tactics to manipulate your employees into taking a specific action – whether that be paying a supposedly urgent invoice, sending sensitive data or granting privileged network access.

Social engineering attacks are evident in 98% of cyber crime.

This is a sign that this approach is both simple and highly effective. Think about it: why would a hacker spend hours hunting for an elusive secret entrance if they can convince someone inside to open the door?

Penetration testing and your employees

Playing war games with your own employees

Penetration testing is a way of practising war on your own system to identify where your flaws are. Social engineering penetration testing does the same thing, but focuses on your employees instead of your network.

  • How susceptible are they to phishing emails?
  • Would they plug in an unknown USB stick?
  • Can they be manipulated to send a file or pay a bill without following the proper security protocols?

There are different types of social engineering penetration testing techniques to help discover cyber user awareness in your organisation. Let’s take a look at how we might hack your employees.

Off-site social engineering penetration testing

There is a startling amount of personal data available on the internet. With just a few minutes spent browsing your social media profile, a hacker would likely know your date of birth, your kid’s date of birth, where you live, your job history and – if you’re the kind of person who fills out and posts surveys – your first pet’s name, your favourite book, film, teacher, etc. All of which could be used to hack your password.

Both a pen tester and a hacker would begin with this simple search, since it’s the easiest and best place to start. Then, having developed a profile of their target, they could commence their phishing campaign.

What is phishing?

Phishing is the most common form of social engineering. It is typically conducted via email but could also occur over the phone or via SMS.

For example, you might receive an email saying that one of your online shopping accounts has been compromised and requesting that you change your password. By following the link the hacker provides, you give them access to your password, your payment details, and whichever other sensitive information is stored on the site.

An SMS alternative might be a text message that asks you to call a number or send a reply – for example, in order to reinstate a ‘closed’ account. The result? You could be looking at anything from high charges on your bill to malware collecting all the personal information from your phone.

Phone phishing scams are frighteningly common. A typical example would be a phone call claiming to be from your bank warning of unusual activity on your account and urging you to move your money into a ‘safe’ account. They give you the details; you lose your money.

You’ll notice a common thread across these examples – fear. Hackers will make their victims feel that they have to act immediately, which means they are less likely to stop and question whether the action they are being told to take sounds legitimate.

Penetration testers will use these same tactics with your employees to see whether they are susceptible.

On-site social engineering penetration testing

During an onsite engagement, penetration testers apply various techniques to gain physical access to your offices. There are a few ways in which these kinds of attacks are carried out.

  • Imagine a guy shows up to reception claiming to be an engineer from your cyber security provider. He has a badge. He looks the part. Would your staff let him in? This kind of test examines whether your security protocols are up to par.
  • Reverse social engineering. In this scenario, the victim appears to go to the attacker of their own volition. Sounds ridiculous? The trick is that an ethical hacker first uses a traditional social engineering attack to establish trust-based relations (for example, impersonating someone who gives advice on how not to fall prey to social engineering attacks). As a result, victims reveal a lot more corporate-sensitive information because they go to the hacker themselves. Could your staff be fooled that way?
  • Dumpster diving. What sensitive information is hidden in your bin? Hackers are not above going through your rubbish to find any sensitive corporate information that may be hiding there – and so your penetration testers will do the same.
  • USB dropping. If your employees noticed a random USB drive that they didn’t recognise, would they plug it into their computer to find out what is on it (despite the risk that it might contain malware)? Let’s find out!
  • Unauthorised listening to staff’s communication via VoIP phones using phone traffic interception – can it be done and what value would a hacker find in it?

Benefits of a social engineering penetration test

Social engineering is a key component of modern cyber attacks. It therefore has to be a part of your penetration test.

A social engineering pen-test can reveal a lot about the cyber security awareness levels of your employees, and their level of compliance with existing security policies.

  • Do they need more training?
  • Do they need more of an incentive to comply?
  • Are they aware of the risks their behaviour poses for the entire organisation?

Cyber user awareness is integral to the success of any cyber security and improvement programme. If the pen-test report reveals significant gaps in knowledge, it will be well worth investing in more training to plug those holes. Employees will always remain a significant security vulnerability, but with the right training and on-going vulnerability management, they can also be your first line of defence.

Further reading

About Comtact Ltd.

Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).

Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.