
Aftermath of a Social Engineering Engagement

April 30, 2021

You have heard all the stories. Social engineers (SEs) being held at gunpoint, nearly driving off cliffs, jumping into garbage chutes, or walking through front doors. (If you haven’t heard these stories, I highly recommend you read Chris Hadnagy’s newest book.) You’ve heard of SEs bypassing security in both the most exciting and the most simple ways. But what happens after the social engineering engagement? What is done about the vulnerabilities discovered? What happens if that vulnerability was a person? For the purpose of enlightening our readers, here is a peek into the aftermath of a social engineering engagement.

Limited View

Before completely diving into this topic, it is important to understand that, as the professionals hired to do these jobs, we only have a limited view of what really happens after our job is done. What we can speak on is what we encourage our clients to do and our viewpoint of these “best practices.”

Straightforward Fixes

Many answers to vulnerabilities are straightforward. For example, in the case of the garbage chute, the facility now (hopefully) locks the doors behind their garbage cans. Of course, this may only be a slight speed bump to an SE that carries and knows how to use a lock picking kit. Either way, physical security improvements can bolster the security of a building in ways that will discourage many malicious parties from even attempting to act. Indeed, many vulnerabilities fall into this category.

As you may know, SEs look to human vulnerabilities in order to bypass what they cannot with a lock picking set or other tools. This brings up a two-part question: how can companies strengthen their human wall of security, and what happens to the employees who fall for these SE tactics?

Training

Let’s start by looking into the first part of that question. How can companies strengthen their human wall of security? The best practice we have found to be effective is, simply, training. Proper training, when combined with reporting protocols and a corporate culture that encourages learning on all levels, is going to be the best defense for your company.

What Happens to the Employees Who Fall for These SE Tactics?

This brings us to the second part of our question: what happens to the employees who fall for these SE tactics? Here at Social-Engineer, LLC, we strongly encourage our clients not to punish their employees for failing a training test. Why? The purpose of training is for an employee to learn. Part of any learning experience generally involves failing (or falling short) in some aspect or another, and then improving bit by bit. If everyone were perfect at everything, there would be no room for learning or training. This holds true for social engineering engagements, whether that be phishing, vishing, or onsite engagements.

Let’s take this to an extreme and say there was a company that decided to fire every employee that failed a phishing test. What would happen to that company? Likely, they would lose a huge percentage of their workforce and instill a culture of fear within their company. Additionally, now they need to replace that removed workforce with brand new humans who are just as vulnerable as, or more vulnerable than, the last batch. We strongly believe that fear like this should not be used to motivate or train. It isn’t effective or healthy. For this reason, we have conversations with all our clients about this situation to show it is better to train and retest than to terminate and re-hire.

It is absolutely possible to train employees to be more secure without using negative tactics. It is even possible to leave them feeling better for having met you during these engagements.

Employee Vulnerabilities – Opportunities to Teach

Failing a training is generally not a negative in our view. If the hypothetical company above decides to train, rather than fire, the employees who fail these tests, what would happen to that company? It will increase the employees’ awareness of social engineering tactics and only aid them in being more secure and alert to these attacks in the future. This is the outcome we work with our clients to reach.

When the Risk is Too High

Not everything is always so black and white. Occasionally there will be engagements in which an employee’s actions put themselves, others, and the company itself at very high risk. To illustrate, imagine Social-Engineer, LLC is hired to break into a client facility during night hours. Upon gaining entry to the building, the SEs find there is a security guard who is sleeping at their desk. This allows the SEs free access to this facility, which contains the Network Operations Center.

Step out of the SE’s perspective for a moment. What if this scenario were real, and happening with real, malicious attackers? What would happen to that security guard? At the very worst, physical harm may come to them. At the very least, they would likely lose their job. In this scenario, the sleeping guard is putting the company and themselves at a very high risk of both possible compromise and possible physical harm, and some significant action must be taken. When it comes down to it, it is up to the client how to handle these rare, but serious, incidents.

Leaving People Feeling Better for Having Met You

Our overall goal is to train the client’s employees how to handle social engineering attacks safely and securely. By working with clients through our phishing, vishing, onsite engagements, network penetration testing, and other trainings, we have seen our clients’ social engineering risk factor drop significantly.

As a company, we strongly believe and teach that this can be done while leaving people feeling better for having met you. Sticking to our Social Engineering Code of Ethics and using tactics such as validation and rapport building, rather than intense fear or greed, ensures that the training they get is both beneficial and, hopefully, leaves them feeling better for having met us. If you would like to speak to one of our experts about partnering with us, please contact us here.

Sources
https://www.social-engineer.com/my-first-pen-testing-onsite-social-engineering-engagement/
https://www.social-engineer.com/services/
https://www.social-engineer.com/
https://www.social-engineer.com/services/phishing-as-a-service-phaas/
https://www.social-engineer.com/services/vishing-service/
https://www.social-engineer.com/services/social-engineering-teaming-service/
https://www.social-engineer.com/is-it-legit-to-use-fear-as-part-of-my-pretext/
https://www.social-engineer.com/it-is-important-to-have-ethics-in-social-engineering/
https://www.social-engineer.com/services/network-penetration-test/
https://www.social-engineer.com/services/social-engineering-risk-assessment/
https://www.social-engineer.org/framework/general-discussion/social-engineering-code-of-ethics/
https://www.psychologytoday.com/us/blog/webs-influence/201309/trust-persuasion-and-manipulation
https://www.social-engineer.com/contact/
