
Social Engineering Services

Why do I need a social engineering exercise?

Criminal hacking is no longer a purely technical activity. As awareness of technical security issues and their countermeasures has improved, attackers are increasingly employing other methods to circumvent security controls – such as exploiting unsuspecting users via social engineering.

The approach of purchasing individual “silver bullet” solutions like firewalls and IDS must be replaced by a holistic view of security that embraces technology, physical controls and people too. No matter how effective network security controls may be, if an organisation falls victim to a well-executed social engineering attack, key business information assets will be at risk.

The problem is that staff awareness of social engineering tends to be weak, leaving most organisations open to abuse both remotely and in person. But how security aware are your staff? How do you test your “human firewall”?

Our Social Engineering Services

Our approach is a positive mechanism to drive cultural change within an organisation. When used as part of an internal security awareness campaign, it has been demonstrably effective in communicating the security message to staff at all levels of the business.

Below is an outline of the type of services we can undertake:

Online research to build a background picture of the organisation, including:

  • Key employee names and roles
  • Employee LinkedIn profiles, Facebook pages, etc.
  • Employee dress codes
  • Known suppliers and utilities providers
  • Ownership and lessor of building (if appropriate)
  • Satellite view and street view of building
  • Investigation of remote access, company portals, etc.

Attempt to acquire sensitive and/or confidential information by telephone and email:

  • Identify target email addresses and telephone numbers
  • Call target employees to obtain information
  • Design a fake website to capture information from target individuals
  • Send personalised emails to each target to entice them to visit the fake website
  • Analyse the results to determine how many individuals visited the site
  • Analyse the results to determine what sensitive information was disclosed

Attempt to gain access to head office building:

  • Conduct on-site research and reconnaissance of target office
  • Identify weaknesses in building and office security
  • Check employee movements, dress codes, lunch breaks, etc.
  • Draft plan of on-premises attack, including roles for testers to impersonate
  • Create fake ID badges, business cards, props and uniforms as necessary (e.g. hi-visibility jacket, toolbox, etc.)
  • Initial attempt at building access, update and adjust plan of attack as necessary
  • If successful, the first tester attempts to facilitate access for the second tester. If unsuccessful, the second tester attempts access by alternative means

Attempt to connect to network and discover sensitive and valuable information:

  • Attempt to access the network with a laptop or remote-control device, or to subvert access using a legitimate device
  • Attempt exfiltration of network data
  • “Plant a flag” to demonstrate that we have achieved access in a number of sensitive locations

Contact us for more information

Call us on +44 (0)1273 454525 or use our enquiry form