Social engineering is the use of psychological manipulation to influence people into disclosing sensitive information to someone who has not earned their trust. It exploits the target's vulnerabilities and emotional responses to obtain cooperation, often by offering a reward in return for the information. An organization can be attacked through social engineering in several ways; the techniques may be physical, logical, cultural, informational, or personal.
Security vulnerability testing examines how easily people can be compromised. There are different types of security vulnerabilities, and each has a different effect on an organization. For instance, information technology (IT) penetration testing measures how well an organization protects sensitive information such as credit card numbers, passwords, and other financial data. Computer network security testing checks the integrity of the networks, and the applications running on them, that connect the computers of multiple business and government entities.
Psychological attacks target an individual directly; examples include emotional manipulation and social engineering attacks. They are carried out through manipulative tactics, devious plans, trickery, and persuasion, and can be perpetrated by employees, customers, suppliers, and even government and military personnel. Human error is itself a security vulnerability that can give attackers access to networked computers. Network attacks, by contrast, are conducted through worms, Trojans, and viruses, which execute quickly and can penetrate many kinds of networks.
Social Engineering Test
Behavioral testing examines the behavior of an attacker or hacker during a simulated cyber security attack. Cyber criminals and hostile hackers often follow specific routines and strategies. Through behavioral testing, an organization can determine which of these strategies a hacker uses and which methods a security professional employs in response. It measures a company's response time, its operating procedures, and its employees' familiarity with a specific crime or attack. Companies conducting a social engineering test should prepare a detailed report on the incident and review it with a representative from the National Cyber Security Association (NCSSA).
A typical cyber security attack or social engineering test includes the following elements: a website or network compromise, a data insertion or extraction attempt, a phishing or fraud attempt, and remote control vulnerability testing. A website or network compromise refers to hackers accessing a company's confidential information and attempting to gain access to a system. A data insertion or extraction attempt refers to hackers gaining unauthorized access to a system by using a spear phishing or data theft technique. A phishing attempt refers to fake emails or links sent to employees requesting sensitive personal and financial information such as bank account numbers, credit card numbers, passwords, and other important details. Remote control vulnerability testing is performed by security professionals to test the security of networked computer systems. It typically involves introducing exploit code into a system in the way an attacker would in order to gain access to software applications or systems.
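The phishing element above is the one most easily backed by a mechanical check. The script below is an added example, not code from the original article: it scores an email for the indicators the text describes (requests for passwords or bank details, urgency language, links whose visible text does not match their real destination, links to a raw IP address, and a sender domain that merely resembles a trusted one). The trusted-domain allowlist and the two sample emails are constructed for illustration; a real deployment would load both from the mail system.

```python
"""Heuristic phishing-indicator scorer (added example; sample data is constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that typically accompany a request for credentials or financial data.
CREDENTIAL_TERMS = ("password", "bank account", "credit card", "account number",
                    "verify your account", "login")
# Pressure language meant to short-circuit the recipient's judgement.
URGENCY_TERMS = ("immediately", "within 24 hours", "urgent", "suspended", "final notice")
# Hypothetical allowlist of the organization's own sending domains.
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    """Domain part of a From: header such as 'IT Support <helpdesk@x.com>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def _visible_host(visible):
    """Hostname if the anchor text itself looks like a URL or bare domain, else ''."""
    if " " in visible or "." not in visible:
        return ""
    url = visible if "://" in visible else "http://" + visible
    return (urlparse(url).hostname or "").lower()


def score_email(from_header, subject, body_html):
    """Return (score, reasons); each matched indicator adds one point."""
    reasons = []
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    subj = subject.lower()
    if any(t in text or t in subj for t in CREDENTIAL_TERMS):
        reasons.append("requests credentials or financial details")
    if any(t in text or t in subj for t in URGENCY_TERMS):
        reasons.append("urgency or threat language")

    parser = _LinkExtractor()
    parser.feed(body_html)
    sdom = sender_domain(from_header)
    for href, visible in parser.links:
        host = (urlparse(href).hostname or "").lower()
        vis_host = _visible_host(visible)
        if vis_host and vis_host != host:
            reasons.append(f"link text '{visible}' actually points to {host}")
        if host and sdom and host != sdom and not host.endswith("." + sdom):
            reasons.append(f"link host {host} differs from sender domain {sdom}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append(f"link uses raw IP address {host}")

    # Lookalike sender: shares a trusted domain's label but is not on the allowlist.
    if sdom and sdom not in TRUSTED_DOMAINS and any(d.split(".")[0] in sdom for d in TRUSTED_DOMAINS):
        reasons.append(f"sender domain {sdom} resembles a trusted domain")
    return len(reasons), reasons


# Constructed sample messages: one phishing lure, one benign internal notice.
SAMPLE_EMAILS = [
    {"from": "IT Support <helpdesk@example-bank-secure.com>",
     "subject": "Urgent: verify your account within 24 hours",
     "body": '<p>Your account will be suspended. Enter your password at '
             '<a href="http://198.51.100.7/login">https://example-bank.com/login</a>.</p>'},
    {"from": "Payroll <payroll@example-bank.com>",
     "subject": "March newsletter",
     "body": '<p>The cafeteria menu is posted on '
             '<a href="https://intranet.example-bank.com/menu">the intranet</a>.</p>'},
]


def triage(emails):
    """Score each message; returns a list of (subject, score, reasons)."""
    return [(e["subject"],) + score_email(e["from"], e["subject"], e["body"]) for e in emails]


if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_EMAILS):
        print(f"{score} {subject}")
        for r in reasons:
            print("   -", r)
```

The score is a count of independent indicators rather than a probability, so a reviewer can see exactly which cue fired; during a social engineering test the same function can be run over the lure emails the testers sent to confirm the mail gateway would have flagged them.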
Social engineering penetration tests are conducted to assess the security of IT infrastructure, including network, server, and application security. They are often used in complex corporate and government strategic planning, and in supply chain management to evaluate security at the point of purchase. Penetration testing is an ethical way of assessing the level of threat posed by a specific application or system. Ethical testing can also be used to gain insight into the inner workings of a company's firewall, or to help ensure the company is complying with industry regulations covering firewalls and other security measures.