SOCIAL ENGINEERING AUDIT

Social Engineering is a collection of attacks that rely on the weaknesses of the human factor, the weakest element of security, and try to acquire sensitive information that can be used to cause real business loss to a company or organization. The only effective defense against these attacks lies in the security awareness level of the employees: assessing and developing that level in a targeted way, and identifying imperfections and non-compliances in the related regulations.

Within GRID Ltd’s Social Engineering audit service, the current security awareness level of employees can be effectively assessed and developed. Security-aware co-workers not only play a role in mitigating the risk of security incidents, but also represent a business advantage.

 

During the audit, in addition to imperfections in information security knowledge and areas for improvement, we also identify non-compliances and areas of development in:

  • the implemented defense measures,
  • the current regulation, and
  • the processes in use.

How do we support our clients?

  • We collect publicly available information about the organization and its employees that could be useful to an attacker.
  • Within Social Media Engineering, we assess how resistant employees are to attacks carried out via social media platforms.
  • We assess the physical security level of the organization’s premises and carry out unauthorized intrusion attempts.
  • Inside the facility, we check whether information security instructions and regulations are followed.
  • We evaluate the chances of stealing data and devices.
  • We attempt to gather confidential or sensitive information during our stay in the facility.
  • We perform phone attacks that try to mislead employees, attempting to gather passwords or documents holding sensitive information.
  • We evaluate the chances of spreading malware, and the related human factor risks, by sending files and links that simulate infection.
  • Within a phishing attack, we attempt to gather the company user names and passwords of employees.

Audit results

The results of the Social Engineering Audit serve as a basis for developing and improving further security measures, and they also increase the effectiveness and efficient use of these measures. Moreover, the results can be presented as real examples in security awareness training. In our experience, employees of companies where a Social Engineering audit has been carried out and its results presented tend to change their attitude towards information security and increase their level of security awareness.

Within the framework of an audit the following documents are prepared:

  • Audit Report including:
    • Presentation of the simulated attacks and their results
    • Identified imperfections and non-compliances
    • Options and proposals for development
    • Evidence
  • Social Engineering risk analysis

Services

Based on our experience, the assessment points of Social Engineering audits have been divided into four service packages:

  • Minimal audit

An introductory audit whose main goal is to call attention to basic security awareness deficiencies and to missing or incorrect defense measures. The service package can be expanded following the audit, but the results of the minimal audit can also be used effectively on their own to help raise the security awareness level.

  • Basic audit

The audit points of this package include the attack techniques most commonly used to target employees. The aim of the audit is to present results that help develop the security measures and the security awareness level of employees effectively.

  • Proposed audit

The “Proposed” package includes a complete audit program put together based on best practices and our own experience, suitable for exploring human factor related security risks in the organization in detail. While the audit tasks are carried out, information security related regulations are also reviewed and commented on.

  • Complete audit

Within the framework of the complete audit, we carry out a deep and comprehensive analysis and identification of the risks connected to the misuse of human qualities. During the audit we put special emphasis on Social Media and other new trends, so that the related risks can be identified and mitigated in time.

In addition to the above, we also offer individual programs planned and carried out according to our partners’ special needs, based on a consultation and a special offer.