Security efforts often focus on the technology side: substantial investment goes into the hardware, software, and systems that protect critical assets. Yet humans remain the weakest link in most security programs. Just as you cannot be certain that firewalls and other technical controls are effective without an external penetration test, you cannot know whether your own employees and contractors actually follow procedures unless you test them.

Phishing has been confirmed as the initial attack vector in many of the largest security breaches of recent years. Whatever the size of the organization, experience shows there will always be a group of users who click attachments and links they should not, inviting malware (bots, rootkits, credential stealers) into the network straight through the firewall. For this reason we built our own phishing engine, which allows us to run a finely customized phishing campaign against any organization using its own corporate images, themes, and domain names. We track what percentage of users clicked through, and what percentage went on to submit their credentials, and report those metrics back to demonstrate where additional security awareness training is needed.
In addition to phishing, we can telephone employees and contractors in several roles across the company and attempt to persuade them to divulge sensitive information over the phone. We can also use social engineering to gain physical entry to buildings, through tailgating and other techniques that bypass normal physical security procedures. Consider including social engineering and phishing exercises as optional components of your next penetration testing project.