One of the biggest gaps I see in information security is that organizations spend the majority of their budget on securing the perimeter of their network and fail to consider the impact of social engineering. Think about it: how much has your organization spent on a firewall? Do you have an IPS? How about a DLP monitor? Does your organization regularly perform external vulnerability scans or penetration tests? Don’t get me wrong, these are all great things, and important to securing your network from an outside attacker. However, the attacker who wants to break into your network is not dumb. An attacker is going to go after the low-hanging fruit, which most of the time is the employees. It is no wonder, then, that almost half of all data breaches happen as a result of social engineering, according to the 2017 Verizon DBIR. With a single click, an attacker has effectively bypassed the majority of the security protections you have in place, and now it is just a matter of elevating permissions and finding the sensitive data. That is why it is so important to test your organization through a social engineering engagement.
Common Reasons for Not Having a Social Engineering Engagement
Here are some of the common reasons we hear for customers who choose to forgo a social engineering engagement as part of their penetration testing and why that might be a bad idea.
- Compliance Drivers – Most compliance drivers do not specifically require social engineering to be completed. For example, PCI DSS 3.2 requires a variety of different testing, including External, Internal, and Web Application Penetration Tests, but says nothing about social engineering. While it may not be required, this is still one of the biggest threats to your organization and the information you are trying to protect. Also, consider the impact a data breach would have on your company’s reputation. Even if you are compliant with the regulation, our job as security professionals is to align our resources to protect against our largest threats. So it only makes sense that we should conduct testing focused on one of our biggest risks, our employees.
- Antivirus and Spam Filters – Many companies falsely believe they are protected by antivirus and spam filters. In truth, a well-trained attacker can get past 9/10 antivirus solutions within 15 minutes. Additionally, spam filters are typically set up to protect against an email that is going to a large number of employees. An attacker who is specifically targeting your organization may send a spear phishing email to a single user, bypassing most traditional spam filters. Finally, even if you do feel these protections are sufficient, it is important to test the efficacy of your security controls. Just as you test your firewall to make sure it is working properly during an external penetration test, you should test your antivirus and spam solutions during a social engineering engagement.
- “I already know my users are going to fall for it” – Well, that is the entire point. If you know your users are going to fall for it, then you need to spend more time and resources to mitigate or reduce that threat. The common ways to reduce this threat are to segment your network, provide awareness training, and ensure your users are not local administrators. These changes, however, require organizational buy-in. One of the best ways to secure the resources and buy-in you need to address this threat is to demonstrate its impact. Having a social engineering report that shows an attacker was able to breach the network and gather sensitive information is a surefire way to get the support that you need. Also, in security awareness training either done by a third party or internally, use the information and screenshots from the social engineering engagement. This can help show your employees the threat directly, achieving an unprecedented level of understanding and buy-in from them.
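The local administrator point above is the one that is easiest to verify on your own before an engagement. The following PowerShell snippet is an added example, not code from the original post; it enumerates the local Administrators group on a set of Windows workstations and flags any member that is not on an approved list. The host names and the approved-member list are assumptions for illustration, and it relies on the built-in Get-LocalGroupMember cmdlet (Windows PowerShell 5.1 and later) plus WinRM remoting.

```powershell
# Added example (not from the original post): audit which accounts hold local
# Administrators rights on a set of Windows hosts and report anything that is
# not on an approved list. Host names and the approved list are assumptions.
$Hosts    = @('WS-FINANCE-01', 'WS-HR-02')                   # assumed host names
$Approved = @('Administrator', 'CORP\Workstation Admins')    # assumed allowed members

# Collect group membership from each host; Invoke-Command tags each row
# with PSComputerName, but we also record the host name explicitly.
$findings = Invoke-Command -ComputerName $Hosts -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource
}

# Get-LocalGroupMember returns local accounts as "HOST\Name"; strip the host
# prefix so the built-in Administrator account matches the approved list, while
# domain principals ("CORP\...") are compared as-is.
$unexpected = $findings | Where-Object {
    $shortName = $_.Name -replace "^$($_.Host)\\", ''
    ($shortName -notin $Approved) -and ($_.Name -notin $Approved)
}

if ($unexpected) {
    Write-Host 'Accounts with local administrator rights that are not on the approved list:'
    $unexpected | Format-Table Host, Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Host 'No unexpected local administrators found.'
}
```

Run it from a management host with remoting enabled; any domain user or unknown SID that shows up in the output is a standard user who would hand an attacker full control of that workstation with a single click, which is exactly the finding a social engineering report would otherwise have to demonstrate for you.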
Benefits of a Social Engineering Engagement
- Organizational Buy-In – We touched on this above, but a social engineering engagement is one of the best ways to boost organizational buy-in. By demonstrating the risk to the organization (the executives or management through the report, and the employees through awareness training) you are sure to get the organization to understand more fully what you’re up against. Clients who have regular social engineering engagements are less likely to fall for attempts in the future. As an added benefit, employees are much more likely to report social engineering attempts, allowing you to take action to block the threat before it is successful or spreads. One of the hardest things to do in an organization is to take away local administrator rights from users. “You mean I can’t install software, I have to put in a ticket?” Security teams are going to have a hard time getting the buy-in they need to make this change. However, with a third party report that says this has to be done and here is why, you have more leverage.
- Awareness Training – One of my favorite things I get to do as a penetration tester is to perform awareness training for organizations, because as a hacker myself, I can tell them exactly what the threat is, how I would steal their password, and tell a few stories to make it interesting. During this awareness training, I like to include screenshots of the social engineering assessment we just performed. We hide the identity of whoever fell for it, because that is not necessary, but a blurred picture from a webcam does wonders to scare employees into thinking twice before clicking on a link. I have yet to come out of a security awareness training without at least one employee telling me that was the most useful hour-long meeting they have had yet.
- Align your Priorities – As we discussed above, a typical organization will spend the majority of their resources in protecting the perimeter, but will fall short when it comes to the internal network or being able to detect an ongoing attack. In most cases, once I gain access to an organization’s internal network, it is pretty much a guarantee that I will get domain administrator permissions, get to the data they are trying to protect, and take over their network. By performing a social engineering engagement, it is easy to demonstrate that priorities need to be realigned. Perhaps the next project should be focused on beefing up the Incident Response process, or network segmentation.
The Cost of an Assessment
The cost of a social engineering assessment varies depending on the number of users you would like us to target. We typically recommend starting with a 10% sample of your employees, but we can customize this number based on your particular organization. In our base social engineering assessment, we will use phone-based social engineering for 5 employees, do targeted spear phishing for 5 employees, and then send a bulk phishing campaign to 25 users. The base cost for a social engineering assessment is ~$4,500. Feel free to reach out if you’d like to discuss more or get a customized quote for this.