Physical red-team testing
This type of testing involves a tester simulating an attacker who is attempting to gain physical access to an area restricted to employees or other authorized individuals. In many cases, Chris is successful at this testing just by being able to “blend” into the crowd. Additionally, he is able to leverage years of experience outside of the security industry when challenged by a client’s employee (even gaining access after hours by pretending to be a member of the janitorial staff).
This type of testing involves calling the client’s employees on the phone and eliciting sensitive information from them. This simulates an attacker who is either performing advanced reconnaissance or is trying to gain company credentials to be able to access systems remotely. After years of performing this type of testing, We have developed several different scenarios that an attacker might use. While testing the general user population is important, many organizations forget to test specific subsets of the employee community such as IT support or executives. We perform a more comprehensive test by including these parties.
Electronic (email, social media, etc.) testing
Electronic social engineering is what normally comes to mind when people hear “social engineering.” Specifically, they think of phishing emails or spam emails trying to get them to buy something they never asked for and don’t want (male enhancement, etc.). While spam is still a big problem for most general Internet users, attackers have discovered that more money can be made by targeting the message to an individual or group of employees of a company. For example, in the WSJ attack conducted by the Syrian Electronic Army, the attackers targeted employees of a web-content provider named Outbrain by sending the employees a spoofed email from the CEO. The email directed them to log in to a website and read a specific article. When the employees did this, the attackers were able to capture their credentials, allowing the attackers to gain access to an Outbrain portal where they could change content that was published on the WSJ website.
Social media is being used for this attack vector more and more frequently. A 2014 report by security firm, iSIGHT Partners, revealed that Iran has been conducting an operation called “newscaster” that targets US military and governmental staff through social networking. Since the world is communicating via more technologies than just email, the attackers are leveraging these means to compromise employee credentials and other sensitive and valuable information. Did you know that SMS (text) messages can be spoofed? While illegal in the United States, there exists technology that sends a SMS text message to a mobile phone user and makes it appear to have come from a trusted source, such as their service provider, family member or even bank or employer. Since smart phones have the ability to auto-launch a browser, links sent in a text message send the user to a phishing website. The theft of their credentials becomes easy for an attacker. Understanding these different attack vectors gives us the ability to help you protect your organization by simulating what these attackers do and educating your employees to the dangers of “taking the bait” in whatever form it is delivered.