Social engineering assessments

Professional industrial espionage often involves physical attacks or insiders, even if the target is in cyber space. Nevertheless, this attack vector is frequently underestimated.


Social engineering: attacks via unexpected paths

Many companies focus on protecting themselves against attacks from cyber space by securing their systems, setting up security monitoring and sensitizing their employees to phishing e-mails.

However, attackers can also take unexpected paths, depending on their motivation and capabilities: on site, it is easy for an attacker to obtain internal information, and if things get complicated, they can simply ask.


Manipulating people by using psychological tricks is called social engineering. We scout your location and observe the corporate culture. We cleverly change disguises and identities, gain access by tailgating or lock picking, and distribute infected USB sticks. Posing as IT employees, we hand out new keyboards fitted with keyloggers or simply ask for the password, always with a plausible reason, of course. Since our social engineers are also good hackers, we use the information gained on site to abuse your IT, issue our own access authorizations or register additional visitors.

Over the past 20 years, we've stolen prototypes via social engineering, penetrated sealed-off research areas, planted bugs in the CEO's office, or smuggled dummy bombs into high-security data centers. All on behalf of customers, always on the good side of the force.

Benefits of social engineering assessments

Top management awareness

The results of a social engineering assessment are very well suited to sensitizing top management to the topic of security, because the risks are very tangible and generate a high level of personal concern. If your CEO sees his or her own target agreement in the management presentation, security becomes a top priority. That's a promise!

Measuring your physical security

You get a very realistic impression of whether your physical security measures are effective and how your employees react to manipulation attempts. We use a combination of hacking and social engineering to uncover flaws in access processes that were thought to be secure, and we provide many recommendations for optimization.

Convergence of disciplines

Social engineering assessments very often bring about a change of perspective: away from IT security in one corner and physical security in the other, toward an interlocked, holistic approach to information security, today also called cyber security. This often results in constructive networking between these two important security disciplines.

Procedure and background information

Success factors

Crucial to a successful assessment is good preparation. One small mistake and the situation can get out of control, or our cover is blown and we have to abort. Then we would have invested a lot of time and effort for little gain in knowledge.

That is why we prepare the assessment thoroughly together with you:

  • We define goals that are challenging yet realistic, and that generate concern. This increases the acceptance of the measures derived from the assessment.
  • The circle of those informed must be well considered: the situation must not escalate, nor must there be too many insiders.
  • Clearly defined rules and boundaries are also important. You remain in control throughout the assessment and are informed of our steps at all times. You can define 'no-gos' and stop individual actions.
  • We respect ethical principles: attacks on an interpersonal level are an absolute no-no for us, as is the personal exposure of individual participants.

The phases of social engineering

Preparation

  • Meeting to agree on the scope
  • Kick-off meeting

Execution

  • Workshop to define objectives and rules of the game
  • Information research (HUMINT, OSINT, on-site inspection)
  • Attack planning and preparation
  • Execution of the attack: physical intrusion, social engineering and, if necessary, hacking
  • Regular status meetings

Evaluation

  • Clear documentation of the attack path
  • Replay workshop with the project team
  • Management presentation

Social engineering

  • Spear phishing
  • Voice phishing calls (vishing)
  • Fake identity cards
  • Disguises
  • Infiltration of employees (via job applications)
  • Tailgating
  • ...


Physical tools

  • Lock picking
  • Keyloggers
  • Bugs
  • Drop box with mobile internet connection (remote access/exfiltration)
  • Screen grabber
  • Prepared USB sticks
  • ...

Do you want to know how well you are equipped against a "visit" by us?

Let's get to know each other in a web meeting and talk about your objectives.