Why is a Social Engineering Engagement so Important?
Common Reasons for Not Having a Social Engineering Engagement
- Compliance Drivers – Most compliance drivers do not specifically require social engineering testing. For example, PCI DSS 3.2 requires several kinds of testing, including External, Internal, and Web Application Penetration Tests, but says nothing about social engineering. Even though it may not be required, social engineering is still one of the biggest threats to your organization and the information you are trying to protect. Consider, too, the impact a data breach would have on your company’s reputation. Being compliant with a regulation is not the goal; our job as security professionals is to align our resources against our largest threats. So it only makes sense to conduct testing focused on one of our biggest risks: our employees.
- Antivirus and Spam Filters – Many companies falsely believe they are protected by antivirus and spam filters. In truth, a well-trained attacker can get past 9 out of 10 antivirus solutions within 15 minutes. Additionally, spam filters are typically tuned to catch bulk email sent to a large number of employees. An attacker who is specifically targeting your organization may send a spear phishing email to a single user, which bypasses most traditional spam filters. Finally, even if you do feel these protections are sufficient, it is important to test the efficacy of your security controls. Just as you test your firewall to make sure it is working properly during an external penetration test, you should test your antivirus and spam solutions during a social engineering engagement.
- “I already know my users are going to fall for it, so what is the point?” – That is the entire point. If you know your users are going to fall for it, then you need to spend more time and resources to mitigate or reduce that threat. The common ways to reduce it are to segment your network, provide awareness training, and ensure your users are not local administrators. These changes, however, require organizational buy-in. One of the best ways to secure the resources and buy-in you need is to demonstrate the impact. A social engineering report showing that an attacker was able to breach the network and gather sensitive information is a surefire way to get the support you need. Also, use the information and screenshots from the engagement in your security awareness training, whether it is delivered by a third party or internally. This shows your employees the threat directly and achieves a level of understanding and buy-in from them that a generic presentation cannot.
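One way to verify the “users are not local administrators” control named above, as an added example that is not part of the original post: a PowerShell audit that lists every member of a workstation’s local Administrators group that is not on an approved list. The approved principals (the EXAMPLE domain groups) and the CSV output path are placeholders you would replace with your own.

```powershell
# Added example (not from the original post): audit the local Administrators
# group on a Windows endpoint and flag members that are not on an approved list.
# Assumptions: PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module,
# and an approved list of principals ($Approved) that you maintain yourself.

$Approved = @(
    "$($env:COMPUTERNAME)\Administrator",  # built-in local admin (disable/rename per policy)
    "EXAMPLE\Domain Admins",               # hypothetical domain group; replace with yours
    "EXAMPLE\Workstation Admins"           # hypothetical support group; replace with yours
)

function Get-UnapprovedLocalAdmins {
    param(
        [string[]] $ApprovedPrincipals = $Approved,
        [string]   $GroupName = 'Administrators'
    )
    # Get-LocalGroupMember reports Name as DOMAIN\account or COMPUTER\account.
    # String comparison with -notcontains is case-insensitive by default.
    Get-LocalGroupMember -Group $GroupName |
        Where-Object { $ApprovedPrincipals -notcontains $_.Name } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

$findings = Get-UnapprovedLocalAdmins
if ($findings) {
    Write-Warning "Unapproved members of local Administrators on $($env:COMPUTERNAME):"
    $findings | Format-Table -AutoSize
    # Emit CSV so results from many hosts can be collected and compared centrally.
    $findings | Export-Csv -Path ".\LocalAdmins_$($env:COMPUTERNAME).csv" -NoTypeInformation
} else {
    Write-Output "No unapproved local administrators on $($env:COMPUTERNAME)."
}
```

Run it under a management tool (SCCM, Intune, a GPO startup script) across the fleet and the per-host CSVs give you the evidence to show how far the organization actually is from the control the engagement report recommends.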
Benefits of a Social Engineering Engagement
- Organizational Buy-In – We touched on this above, but a social engineering engagement is one of the best ways to boost organizational buy-in. By demonstrating the risk to the organization (to executives and management through the report, and to employees through awareness training) you are sure to get the organization to understand more fully what you’re up against. Clients who have regular social engineering engagements are less likely to fall for attempts in the future. As an added benefit, employees become much more likely to report social engineering attempts, allowing you to block the threat before it succeeds or spreads. One of the hardest things to do in an organization is to take away local administrator rights from users. “You mean I can’t install software, I have to put in a ticket?” Security teams are going to have a hard time getting the buy-in they need to make this change. However, with a third-party report that says this has to be done and explains why, you have more leverage.
- Awareness Training – One of my favorite things I get to do as a penetration tester is to perform awareness training for organizations. As a hacker myself, I can tell them exactly what the threat is, how I would steal their password, and tell a few stories to make it interesting. During this awareness training, I like to include screenshots of the social engineering assessment we just performed. We hide the identity of who fell for it, because that is not necessary, but a blurred picture from a webcam does wonders to scare employees into thinking twice before clicking on a link. I have yet to come out of a security awareness training without at least one employee telling me that it was the most useful hour-long meeting they have had yet.
- Align Your Priorities – As we discussed above, a typical organization will spend the majority of its resources protecting the perimeter, but will fall short when it comes to the internal network or being able to detect an ongoing attack. In most cases, once I gain access to an organization’s internal network, it is nearly guaranteed that I will obtain domain administrator permissions, reach the data they are trying to protect, and take over their network. A social engineering engagement makes it easy to demonstrate that priorities need to be realigned. Perhaps the next project should focus on strengthening the Incident Response process, or on network segmentation.