Phishing test: what deficiencies can it reveal in your company's security?
- November 3, 2020
Social engineering is a technique that uses manipulation to obtain sensitive information or to make users perform a specific action.
Social engineering attacks have succeeded even against companies like Twitter and Microsoft. In July 2020, attackers used social engineering against Twitter employees to gain access to high-profile accounts on the platform. In 2019, attackers obtained the credentials of Microsoft support staff and used them to access customer account data.
The most common form of social engineering is phishing: an attempt to obtain sensitive information such as credit card numbers or login credentials. Attackers typically mimic the legitimate login or payment portals of companies such as Google, Microsoft, or Apple by creating a near-identical copy of the page on a domain they control.
There are many anti-phishing technologies. Virtually all modern browsers include an anti-phishing filter, e-mail clients try to block phishing messages with anti-spam filters that increasingly rely on machine learning, and commercial security products add further protections of their own.
Even the most advanced security solutions fail to block all phishing websites and fraudulent e-mails, so phishing remains a growing threat. Phishing e-mails and websites are among the most common initial access vectors in enterprise breaches.
The only protection that also covers what the filters miss is education. Employees must learn how to recognize malicious websites and other forms of social engineering. Interactive quizzes built on real-world examples of social engineering are among the most effective ways to teach this.
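The kind of heuristic an anti-phishing filter applies to a URL, as an added example that is not part of the original article: it flags credentials embedded in the URL, IP-literal or punycode hosts, a brand name appearing in the hostname of an unrelated domain, and registrable domains within a small edit distance of the genuine one. The brand list, the crude two-label registrable-domain rule and all sample URLs are constructed for the example; a real filter would use a maintained list and the Public Suffix List.

```python
"""Heuristic lookalike-URL checks of the kind an anti-phishing filter applies.
Added example for this article, not the author's code. Brand list, the
two-label registrable-domain rule and all sample URLs are constructed."""
import ipaddress
from urllib.parse import urlparse

# Constructed allow-list of genuine login hosts for the brands named in the
# article. A real filter would use a maintained list and the Public Suffix List.
KNOWN_BRANDS = {
    "google": {"google.com", "accounts.google.com"},
    "microsoft": {"microsoft.com", "login.microsoftonline.com", "login.live.com"},
    "apple": {"apple.com", "appleid.apple.com"},
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Wrong for co.uk-style suffixes;
    good enough to show the technique."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as microsoft0nline."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(url: str) -> list:
    """Return the indicators found in `url`. An empty list means nothing
    suspicious was seen, which is not the same as the page being safe."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    all_legit = set().union(*KNOWN_BRANDS.values())
    if host in all_legit:
        return []  # genuine brand host
    findings = []
    if parsed.scheme != "https":
        findings.append("no-tls")
    if "@" in parsed.netloc:
        # http://accounts.google.com@evil.example/ : the text before '@' is
        # userinfo, the real host is whatever follows it
        findings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")  # possible homoglyph domain
    if not host.isascii():
        findings.append("non-ascii-host")
    reg = registrable_domain(host)
    for brand, legit_hosts in KNOWN_BRANDS.items():
        legit_regs = sorted({registrable_domain(h) for h in legit_hosts})
        if brand in host and reg not in legit_regs:
            findings.append(f"brand-in-hostname:{brand}")
        for lr in legit_regs:
            d = edit_distance(reg.split(".")[0], lr.split(".")[0])
            if 0 < d <= 2:
                findings.append(f"lookalike-domain:{reg}~{lr}")
    return findings


if __name__ == "__main__":
    for u in ["https://accounts.google.com/signin",
              "http://login.microsoft0nline.com/common/oauth2",
              "https://appleid.apple.com.verify-account.example/login",
              "https://accounts.google.com@203.0.113.5/",
              "https://xn--pple-43d.com/"]:
        print(u, "->", phishing_indicators(u) or "no indicators")
```

The gap the article describes is visible here as well: a phishing page hosted on a legitimate cloud storage or web-hosting domain, or behind a URL shortener, triggers none of these checks, which is why filtering alone cannot be the last line of defence.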
Social engineering is also used to deliver malware. Attackers must convince users not only to download a malicious file, but also to disable protections built into the operating system and Microsoft Office. A typical example is a document containing malicious macros: Office blocks macro execution by default, so the user has to enable it manually for each document. Attackers therefore imitate the look of genuine security prompts to persuade the user into running the malicious content.
A good way to evaluate your company's phishing resilience is to conduct a phishing test. Executing it properly is not easy, however: it requires both technical knowledge and the ability to manipulate users psychologically.
Testing your company against social engineering can identify security shortcomings not only in accounts and personnel, but also in internal communications and in the handling of security incidents, for example whether anyone reports the suspicious e-mail and how quickly.
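The measurement side of such a test, as an added example that is not part of the original article or of any phishing-simulation product: each recipient gets an unguessable HMAC-derived token in their link, the landing-page log is attributed back to recipients through those tokens, and the result is reported as click rate, credential-submission rate, report rate and the time between the first click and the first report to the security team, which is the incident-handling signal mentioned above. The campaign secret, recipient list, log format, log lines and report timestamps are all constructed for the example.

```python
"""Attributable tracking and result metrics for a phishing test.
Added example for this article; not the author's or any vendor's code.
Campaign secret, recipients, log lines and report times are constructed."""
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed: one random secret per campaign, never reused across campaigns.
CAMPAIGN_SECRET = b"constructed-campaign-secret-rotate-me"


def tracking_token(campaign_id: str, recipient: str) -> str:
    """Per-recipient token embedded in the phishing link. An HMAC rather than
    the address itself keeps tokens unguessable, so nobody can forge or
    inflate a colleague's click by editing the URL."""
    msg = f"{campaign_id}:{recipient}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def parse_log_line(line: str):
    """Constructed landing-page log format: '<ISO timestamp> <METHOD> <path>'.
    Returns None for lines that do not parse."""
    try:
        ts, method, path = line.split(" ", 2)
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    parts = urlsplit(path)
    token = parse_qs(parts.query).get("t", [None])[0]
    return when, method, parts.path, token


def analyse_campaign(campaign_id: str, recipients: list, log_text: str, reports: list) -> dict:
    """Turn raw landing-page hits and help-desk reports into the numbers a
    phishing test is run for. `reports` holds (ISO timestamp, recipient)
    pairs taken from tickets employees raised with the security team."""
    by_token = {tracking_token(campaign_id, r): r for r in recipients}
    clicked, submitted = set(), set()
    first_click = None
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        when, method, path, token = parsed
        who = by_token.get(token)
        if who is None:
            continue  # unknown token: scanner, forwarded link, or a guess
        if method == "GET":
            clicked.add(who)
            first_click = when if first_click is None else min(first_click, when)
        elif method == "POST" and path.endswith("/login"):
            submitted.add(who)  # something was typed into the fake login form
    reported = {r for _, r in reports}
    first_report = min((datetime.fromisoformat(t) for t, _ in reports), default=None)
    n = len(recipients)
    return {
        "clicked": sorted(clicked),
        "submitted": sorted(submitted),
        "reported": sorted(reported),
        "clicked_then_reported": sorted(clicked & reported),
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        "report_rate": len(reported) / n,
        "seconds_to_first_report": (
            int((first_report - first_click).total_seconds())
            if first_click and first_report else None
        ),
    }


# Constructed campaign data.
CAMPAIGN = "2020-11-password-reset"
RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
SAMPLE_REPORTS = [
    ("2020-11-03T09:30:00", "carol@example.com"),
    ("2020-11-03T09:50:00", "bob@example.com"),
]


def sample_log() -> str:
    """Constructed access log of the fake password-reset page."""
    t = {r: tracking_token(CAMPAIGN, r) for r in RECIPIENTS}
    return "\n".join([
        f"2020-11-03T09:02:11 GET /reset?t={t['alice@example.com']}",
        f"2020-11-03T09:02:40 POST /reset/login?t={t['alice@example.com']}",
        f"2020-11-03T09:05:03 GET /reset?t={t['bob@example.com']}",
        "2020-11-03T09:07:19 GET /reset?t=0000000000000000",  # guessed token
        f"2020-11-03T09:15:55 GET /reset?t={t['bob@example.com']}",  # repeat click
        "garbage line that does not parse",
    ])


if __name__ == "__main__":
    for key, value in analyse_campaign(CAMPAIGN, RECIPIENTS, sample_log(), SAMPLE_REPORTS).items():
        print(f"{key}: {value}")
```

Two design points matter in practice: the landing page should record only that a submission happened, never the password the employee typed, and the per-recipient token means the result can be read per team or per role without the noise of forwarded links or scanners that hit the page with no valid token.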
The online workshop Penetration testing with social engineering focuses on using social engineering during penetration tests and red team engagements. Beyond penetration testing, the knowledge gained can be used to improve security procedures and policies and to educate employees.