Social Engineering – Encyphr

Social Engineering Breaches

Malicious actors have a greater chance of successfully breaching a network infrastructure through social engineering than through traditional network/application exploitation. To help you prepare for this type of attack vector, we use a combination of Human and Electronic methodologies to simulate attacks. Human-based attacks consist of impersonating a trusted individual in an attempt to gain information and/or access to information or the client infrastructure. Electronic-based attacks consists of using complex phishing attacks crafted with specific organizational goals and rigor in mind. Encyphr customizes a methodology and attack plan specifically for your organization.

Human Social Engineering

The Human category of Social Engineering includes infectious media drops, physical security, dumpster diving, impersonation, and other attacks that require a physical presence. This is a type of testing that includes far too many variables for us to publish a flat price. Please contact us for a discussion of your requirements, and we'll provide a quote. Human Social Engineering is usually conducted in conjunction with an Internal engagement.

Electronic Social Engineering

The Electronic category includes email based spear-phishing attacks and other electronic attacks intended to bait network and security personnel. This testing requires a great deal of research on individual targets to be effective, and also requires serious attention to morale considerations and safety considerations, especially where electronic payloads are involved. Electronic Social Engineering is the type of Social Engineering indicated within our pricing. It is usually conducted in conjunction with an External engagement.

Email Phishing

Exploiting relaxed email security and procedures. Introduction of attached vectors and links.

Exchanges of sensitive information over email happen almost constantly, day in and day out. Yet, even organizations with hardened security protocols hardly make sure that email exchanges go through the proper channels for authentication and authorization. Our social engineering testing uses email phishing and spear-phishing to target staff into visiting unknown websites, divulging sensitive information or getting them to perform an action they otherwise should not be.

Telephonic Vishing

The telephone is one of the most powerful attack vectors. We use it to exploit weaknesses.

Similar to email, exchanges of sensitive information over the phone happen at an almost constant rate. In today's changing social culture, the mindset that a telephone call is enough to authenticate a person is all too common. However, bad actors are moving away from email toward telephone social engineering. Encyphr uses telephone social engineering to target staff into divulging sensitive information or otherwise getting them to engage in an action that should not be performed.

Onsite Engineering

Face-to-face engagement masquerading as vendors, staff, and trusted partners. People are the weakest link.

During a physical social engineering engagement, encyphr engages staff directly (overt) or indirectly (covert) in an effort to identify weaknesses in the way they physically handle visitors and those pretending to be employees, vendors or business partners. Our physical social engineering consultants masquerade as vendors, new employees, business partners and more in order to entice staff into divulging sensitive information or permitting access to sensitive areas of the facility.

What is the Purpose of Social Engineering?

A social engineering test is a simulated attack from the perspective of a bad actor, such as a malicious hacker. The purpose is to simulate a cyber security in a way to circumvent traditional security protocols. It’s an attack and attempt to uncover security vulnerabilities that might otherwise be discovered by hackers. This type of attack provides valuable insight into the security posture of assets and the opportunity to address them before hackers are able to cause serious damage by exploiting them.

Hackers who use social engineering are constantly coming up with new means of attack; that’s why it’s so important to work with third-party testing professionals who are on the cutting edge of the latest attack trends, rather than relying on a DIY social engineering approach alone.