The news is replete with instances of social engineering, from malicious emails to phone calls to snail mail purporting to be from the IRS. In one particularly notable example, phishers managed to convince John Podesta of the Hillary Clinton campaign to give up his credentials, leading to some rather embarrassing leaks of internal information at a critical time in the campaign.
What is social engineering? Simply put, it’s “people hacking.” We see it at work in the form of those ridiculous emails from the Nigerian prince offering to send us money, or more clever ones like the Google Docs scam. Sadly, yet another form is swindlers taking advantage of the elderly by claiming to be from this or that organization. In all cases, the goal is simple: convince a human to do something foolish.
Nearly every organization is susceptible to social engineering; we have never seen a 100% success rate in repelling our tests. Even a single failure may put your business at risk, either by giving attackers a backdoor into your network or by letting them convince someone to cough up valuable organizational information.
Alasdair offers solutions to help curb the growing threat of social engineering:
- Social Engineering Testing: we work with you to devise targets and attack vectors to assess your organization’s response to a targeted, well-crafted threat, or even something more obvious and mundane
- Social Engineering Training Programs: we will work with your organization to determine your specific needs and help you develop a training program for you – not for someone LIKE you, but for you specifically. This includes getting the involvement of multiple parts of the organization so that the training is comprehensive and focused
In addition to specific social engineering solutions, we can help you should the worst happen and you indeed become a victim of a social engineering attack:
- Post-attack analysis: helping to determine what happened, what the attack vector was and even reverse-engineering any malware or sites should the need arise
- Collection of data and forensic services: both Alasdair and our partners can provide detailed forensic acquisition and analysis services in cases where prosecution might be pursued, such as the case of an insider threat
- Defining and testing of incident response programs: once an incident has happened, organizations typically are interested in bolstering their incident response plans to address future issues. Testing those response plans is also key, and we can assist with those needs
While it’s certainly preferable to help head off social engineering threats before they happen, it’s never too late to bring in a trusted partner to help deal with one that managed to get through. Alasdair stands at the ready to help educate and test, or put things back together.