Rapid7 Security Consulting Services
Social Engineering
As our society becomes more dependent on information, the value of that information increases, not only to the businesses
that own it, but to the criminals who wish to profit from stealing it. Many security experts believe that
social engineering will remain the greatest threat to any security system.
Social engineering is a term that describes the non-technical intrusion into your business environment that relies on
human interaction, often involving tricking people in order to break normal security policies. Similar to traditional "con games"
where one person is duped because they are naturally trusting, social engineers will use any technique to gain unauthorized
information. Social engineering techniques include everything from phone calls with urgent requests to people with administrative
privileges to viruses lurking behind email messages that attempt to lure the user into opening the attachments.
The results of a recent searchSecurity news poll indicate that:
- 34% of the respondents fear manipulative email attachments;
- 33% worry about weak passwords;
- 23% dread phone scams;
- 10% are concerned about dumpster diving.
Rapid7 offers security consulting to help your organization identify social engineering weaknesses and then train your people to
help them become more security aware. The following are the types of social engineering testing we can provide:
External Social Engineering
- Passive Internet Reconnaissance - Using publicly available sources, such as websites, search engines, and DNS records,
Rapid7 will gather all relevant information available on the Internet about the company and its employees, such as
employee names, titles, phone numbers, and email addresses. This information will be useful when conducting more
active social engineering testing.
- External Social Engineering - Rapid7 will perform social engineering phone calls to individuals within the organization.
Targets will include individuals from the help desk, IT department, human resources, finance, and other departments
within the organization. The objective of these calls will be to induce the users to divulge sensitive information
over the phone in violation of company policy.
- Targeted Email "Phishing" Attacks - Emails will be sent to individuals and groups within the organization in order to
attempt to entice the user to click on an external link that will either attempt to gather sensitive information or deliver
a malicious payload onto their desktop system, which could include browser and operating system buffer overflows, Trojan
horses and keystroke loggers.
Internal Social Engineering and Physical Security Assessment
- Malicious Portable Media - USB flash drives and CD-ROMs with enticing labels such as "Payroll" will be left in public
areas such as hallways, restrooms, and break rooms. The media will contain simulated malicious code that will attempt to grab
sensitive host information such as the network configuration, list of running processes, and a password hash dump. This
information will be posted back via HTTPS to a Rapid7-controlled server.
- Sensitive Document Disposal Audit ("Dumpster Diving") - Rapid7 will search internal trash receptacles and external dumpsters
and disposal areas for sensitive documents and flash, magnetic or optical media that are disposed of in violation
of company policy.
- Physical Security Assessment - High-level assessment of physical security controls including:
  - Building Access Control
  - Access Controls Around IT Assets
  - LAN Jack Access Controls
Contact us to find out how Rapid7 can help you develop
security best practices for your enterprise network.