We talk a lot about phishing, vishing, smishing, and impersonation here at SECOM, and there is a good reason for that. Those are the primary services we provide as a company for our clients. Not all clients use all of our services, and some companies don’t use any of our services for a multitude of reasons. Maybe they use another company to test these attack vectors, maybe they use an internal team, some don’t test them at all. Regardless of your company’s choice, it is important, at a minimum, to have an understanding of and assess your company’s risks when […] Continue Reading >
How To Avoid a RAT Infestation
This is not a discussion on how to prevent or get rid of those large rodents that cause grown adults to scream like little children when they come scurrying across the floor or drop from a ceiling. We are referring to the remote access trojans (RATs) that are infesting computers and networks across the globe. These RATs are a type of malware that let a hacker gain administrative control of your computer. This threat is continuing to rise in popularity with one form, flawedAmmyy, entering the top 10 most prolific malware threats according to Check Point’s Global Threat Index for […] Continue Reading >
In 2019, Test Impersonation Attacks
At SECOM, we perform many forms of social engineering attacks, from phishing to vishing and smishing as well as impersonation. All of these attacks are used regularly by actual attackers and should be tested as part of a robust security assessment in every organization. Small and large businesses alike are vulnerable to these attacks. If you are currently training and testing your employees against phishing and vishing, as you should be, we encourage you, in 2019, to test impersonation attacks as well. What Are Impersonation Attacks The way SECOM describes an impersonation attack is the “practice of pretexting as another […] Continue Reading >
Not All Phishing Programs Are Created Equal
In today’s corporate world, security awareness training should be a common puzzle piece in general user onboarding and on-going staff education. With that training, regular testing should also be part of that puzzle. There are many variations in the types of programs offered at companies, so that means not all phishing programs are created equal. Phishing should be a staple component in any security awareness program, since phishing attacks account for some of the most notable breaches reported, think about Target, the DNC, Anthem, you get the point. According to one report, 76% of organizations say they experienced phishing attacks […] Continue Reading >
Let’s talk about Social Engineering Small Businesses
If you work for, or with, small to mid-sized companies, you may think the risk of social engineering attacks are lower for you. You know all 30-100 people in your office so a stranger would stick out, you’re accustomed to their requests and how they behave. It may be easy to think that you would never get an unknown phishing email from HR or a vishing call from IT. After all, you know Bob from HR and Linda from IT very well. However, don’t let the small size of an organization give you over confidence or a false sense of […] Continue Reading >
Are All Social Engineers Bad?
When you think about what a social engineer does, and how influence and manipulation are used by good and bad SEs, it is easy think that to be an SE you need to have an evil personality or even have sociopathic tendencies. Is that true, are all social engineers bad? At SECOM, we define social engineering as, “any act that influences a person to take an action that may or may not be in their best interest.” Now, according to grammar rules that I know about that statement can be read in two ways: 1) Any act that influences a […] Continue Reading >
Information Risks of Travel
So, you’re on the road for work again, are you? Or, you’re heading out soon? Regardless of when, if you travel for work you should know about the information risks of travel and how it increases the risk of identity theft and, therefore, future social engineering attempts. How does travel affect identity theft? When you pack up to go on a trip, work or personal, you take at least two items that contain sensitive, personally identifiably information: your license, and your ticket or a device that contains your ticket. A malicious actor’s desire to duplicate this information means travel increases the […] Continue Reading >
What is Critical Thinking?
In the field of security awareness and associated training, the term “critical thinking” is thrown about as an effective defense against social engineering attacks. So, what is critical thinking? And how can it be applied in day-to-day activities to make a user or an entire user–base more secure? According to the Foundation for Critical Thinking, a “well cultivated critical thinker” gathers and assesses relevant information and comes to well-reasoned conclusions and solutions. One also thinks open-mindedly within alternative systems of thought, while recognizing and assessing their assumptions, implications, and practical consequences. Let’s break that down a bit. “Gathers and assesses […] Continue Reading >
Protecting Trade Secrets from Physical Intruders
Companies that hold trade secrets, intellectual property, or proprietary research are under attack. The attack is multifaceted and includes both cyber and physical intrusion. As mentioned in the March 2018 Social-Engineer.org Newsletter, cyberespionage has “changed from isolated and individualized attacks to attacks run by distinct groups resembling traditional Mafia organizations.” Additionally, protecting trade secrets from physical intruders must be a priority. Companies are at risk from social engineering attacks that include physical intrusion. Tailgating is one of the most common methods used by intruders to gain unauthorized entry. An intruder may also pose as a contractor, business contact, delivery person, […] Continue Reading >
It Is Important To Have Ethics In Social Engineering
Over the years of being a professional social engineer (SE), I have been asked questions like, “Are you really testing your clients if you don’t use EVERY method possible?” Or, “You are acting like the bad guys, why do you need to have rules?” And even, “I don’t need to leave them feeling better if I am trying to breach, do I?” It is time to discuss these questions, why ethics in social engineering is so important, and crafting a social engineering code of ethics. How can you maintain a code of ethics and promote professionalism? How can you avoid […] Continue Reading >
- « Previous Page
- 1
- 2
- 3
- 4
- …
- 8
- Next Page »
