Social Engineering Prevention & Security Awareness Training
Despite technical controls, hackers continue to gain unauthorized network access through social engineering.
Social Engineering Prevention

Social engineering attacks attempt to trick employees into disclosing sensitive information such as login credentials or bank account numbers. Low-tech methods are used to exploit your people, rather than your technology. An attack may be perpetrated through a spoofed email or telephone call, or could even occur on-site as the attacker drops USB pen drives on your facilities’ front doorstep. Regardless of the method, social engineering can be used to gain unfettered access into the most secure IT environments.
Phishing – Email phishing is the most common social engineering tactic in use today. The employees being targeted receive an email purportedly from their employer. They are requested to open an email attachment or click a link to a form which appears to be on the company website. These are the current tactics hackers are using to install malware on your network and enumerate information from your people.
Pretext Phone Calls – Pretext calling attempts to enumerate sensitive information from staff members by using scenarios which gain the trust of the employees being targeted. Phone calls are placed and a ruse is presented to trick the employee into disclosing login credentials, account numbers, or any other protected data. The scenarios range from a call by the IT or HR Department requesting confidential information, to a call from a customer needing help with their account.
Physical Security Assessments – Assessing your facility from a social engineering perspective can reveal holes in the information security posture and overall awareness level of employees. The engagement occurs on-site at your location, where the Security Pursuit assessor poses as a contractor or other suitable role to avoid detection. We check the effectiveness of door locking controls and attempt to tailgate in behind authorized employees, drop USB keychain drives in entryways to lure staff into clicking an executable payload, check for unauthenticated network access from conference rooms and other shared or vacant areas, and use other techniques as appropriate for the environment.
Our social engineering prevention campaigns measure the overall security awareness within the organization. They provide upper management with a true read on how well it has done educating its employees. Followed up with an on-site security awareness training seminar, a campaign is an excellent way to educate staff and encourage vigilance in the workplace.
Security Awareness Training
Security awareness training for employees is your first line of defense to protect against loss of business-critical information by social engineering attacks. Even with the best technical security controls in place, hackers continue to gain unauthorized access into networks and websites through social engineering. Social engineering prevention begins with training staff to identify the telltale signs of a social engineering attack. Security awareness training should be a core component of your overall information security strategy. Let Security Pursuit share our experiences from the front lines to educate your employees about the prevention of social engineering attacks against your organization.