Human/Social Engineering Assessments
Social engineering is an attacker’s manipulation of the natural human tendency to trust. The attacker’s goal is to obtain information that will allow them to gain unauthorized access to a valued system and to the information that resides on that system or within that organization. Since security is all about trust, we at Foreground Security believe the user is the weakest link in the security chain: the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack. No matter how much technology is bought and deployed, it only reduces the threat so much... and then it’s up to your users.

At Foreground Security a comprehensive Human/Social Engineering Assessment is based on current “real world” scenarios. All assessments are carried out so that there is no actual infringement on or damage to your network, computers, or users; they include no permanent installation of damaging programs and have no effect on the user’s computer or environment. We customize our “attacks” by providing our client with a list of potential test scenarios that cover the current threat vectors and letting them choose the final test scenarios from an ever-changing list, which currently includes but is not limited to the following:

■ USB – A USB attack scenario in which auto-run USB drives containing a simulated malicious program run as soon as the drive is plugged into a user’s computer. Drives shall be delivered via mail and physically placed in strategic locations. In the test scenario the program shall not install anything permanent or malicious and shall only connect to a listening server on the internet and record an IP address as evidence of a successful test.

■ Email – A uniquely crafted email shall be sent to a set of users that attempts to gather information or install a malicious program by having them click a link to a “fake” web page (such as a fake Outlook Web Access page) or open a malicious program. No malicious program shall actually be installed, and only statistical information shall be collected on any web page.

■ Phone – A standard social engineering attack shall be executed against an agreed-upon set of users via a phone attack utilizing phone spoofing and social engineering methods.

■ Malicious Web Page – A user is tricked into visiting a fake web page where a “malicious” program is installed or user information is requested.

■ Physical Access – Attackers gain physical access to the client site under a general set of rules (such as the tester acting as a contractor or guest) and attempt to gain access to secure areas, obtain important information from office locations/users, or reach other areas.

■ Social Networking – A test that simulates one of the most common attacks today, utilizing social networking sites (such as Facebook, LinkedIn, or Twitter), where information or access is obtained through an attack using those technologies.

Whichever type of social engineering testing is agreed upon, when we complete the testing, as with all of our assessments, we will provide you with a complete, detailed report on the policies that were tested and the results of each attempt. At Foreground Security we believe in the importance of follow-up and validation; ask us how we have successfully benchmarked our clients’ security awareness programs through a Human/Social Engineering Assessment.




