The Organization requires social engineering activities be conducted at its main Head Quarters building in Jersey City, NJ, and at selected branches. This step is being performed to test and evaluate physical and human security controls at these locations. eDelta will assess the Organization’s Head Quarters location and other locations to be named, prior to the start of the engagement.
An ethical hack will be performed which is based on the ability to gain access to restricted areas of the targeted facilities by performing one or more of the following:
- Attaching a computer to the network and sniff traffic for confidential or sensitive information;
- Attaching a USB drive to a computer and copy any confidential or sensitive information;
- Taking a photograph of confidential or sensitive information; and,
- Obtaining a hardcopy of any confidential or sensitive information.
eDelta will conduct social engineering on specified Organization locations. eDelta will work with the Organization’s Information Technology Security department to define the desired responses from the targets during an attack. eDelta will also work with IT Security to determine if there are any limitations for the social engineering targets.
Once selected, the targets will be recorded on a social engineering target list. Targets are selected with the Rules of Engagement in mind. This ensures that the appropriate controls are maintained during the testing. Social engineering Rules of Engagement may include, but are not limited to the following:
- Reporting does not directly identify targets (i.e. by name, or other characteristic);
- Social engineering is conducted only against non-security personnel (this can be adjusted by Organization’s request); and,
- Only Organization staff can be targets within the scope of the testing, and no customers, partners, associates or other external entities will be targets.
eDelta will require an authorization letter from the Organization providing the appropriate “get out of jail” credentials to the test team in the event they are detainment by security personnel.
After the scope (of locations) has been defined, approved scripts for the social engineering attacks will be generated by eDelta. These scripts will be used to conduct and document the attacks. Upon completion of the scripts, the actual attacks will be conducted. Each attack will be documented on its script form. The results of the attacks will be recorded and analyzed. Upon completion of the analysis, a report will be generated that is an executive overview to describe the state social engineering awareness for the Organization.
To complete the requirements of the social engineering assessment, eDelta will attempt, but not be limited to, the following tasks:
- Phishing Emails – eDelta uses a tool that captures and reports metrics on the recipient’s behavior that does not capture or store sensitive information such as the actual passwords.
- Physical Penetration – eDelta will attempt to gain unauthorized physical access to designated Sun Organization locations.
- Phone Based – eDelta will call designated Call Centers and administrative contacts to collect sensitive or confidential information that will be used to acquire unauthorized account access.
- Key Fob Attacks – Fob attacks are an attempt gain remote access to systems by developing and leaving a malicious USB device in a public corporate space (such as a smoking or break area) to determine if an employee will insert the device in the workstation to view it. The device will call back to eDelta servers notifying us that the device has been activated. An attacker could then compromise the system.
The social engineering report will include the following information:
- Site Identification;
- Scripts and recorded results;
- Risk rating;
- Exploited vulnerability;
- Potential impact; and,
- Risk management recommendation.