
Used by hackers for years, the term "social engineering" describes the use of persuasion and/or deception to gain access to restricted information systems. These illicit techniques are typically carried out through conversations or other human interactions. The medium of choice is usually the telephone, but social engineering can also take place via email messages, television commercials, or countless other media. As an example, a floppy drive or CD containing malicious code might be labeled "Payroll" and left in a hallway or restroom within an organization. What are the chances that someone will insert this media into their computer and access its contents? At NopSec, we perform the type of social engineering most appropriate for your organization.
Our social engineering methodology mirrors our approach to security assessments. We begin with target identification and information gathering, followed by exploitation attempts. We systematically apply these principles in a customized approach based on the objectives of your particular situation. We’ll work closely with your team to define relevant testing scenarios tailored to your organization’s policies and processes. For example, if you have incident response procedures in place to report suspicious phone calls, we can test these procedures by making obvious attempts at gaining confidential information without proper authorization. This is an excellent way to gauge the effectiveness of an existing security awareness training program, or to lay the foundation for creating a new program.
Common attack vectors we have identified include:
Phone calls to individuals within the organization. This will normally include the help desk and specific individuals identified as critical company personnel.
Carefully crafted phishing emails that attempt to coax information from targeted groups or individuals.
A floppy drive, CD, or other media with an enticing label, such as "Payroll" or "Quarter-end Preliminary Results", that is left in a public area. The media will contain malicious code.
Regardless of what type of social engineering testing is used, we will provide you with a detailed report of each attempt and its results.