Social Engineering (SE) is a standalone type of penetration test that assesses only the ‘human’ element within your organization – your people – who are often the most powerful source of information about your organization.

The test will show whether your employees adhere to the company’s security standards. You will check whether your people follow good practices when processing confidential corporate information and whether they recognize the most common methods cybercriminals use. Based on the results, you will be able to move forward in building a better-educated team that is aware of threats and resistant to external attacks and the risk of related financial losses.

What we offer

UnionFlame offers core social engineering services to test human susceptibility to persuasion and manipulation:

  1. Email Phishing – a method that occurs via email and attempts to trick the user into giving up sensitive information or opening a malicious file that can infect their machine.
  2. Telephone Vishing – a method that is similar to phishing but occurs via phone calls when a person on the other end of the phone attempts to trick the user into giving up sensitive information.
  3. Onsite In-Person Social Engineering – UnionFlame engages staff directly or indirectly to identify weaknesses in the way they physically handle visitors and people pretending to be employees, vendors, or business partners. Our testers, posing as people with a legitimate connection to the company, try to entice staff into divulging sensitive information or permitting access to restricted areas of the facility.

How we do it

Social Engineering tests aim to manipulate your people into giving up confidential corporate information by applying the same methods and tools used by cybercriminals. We perform SE tests from a black-box perspective to keep them realistic.

Our approach:

  1. Information gathering: we collect information on your organization and employees
  2. Attack vector identification: we select ‘victims’ that could provide us with your confidential information and plan the ways to attack
  3. Penetration attempts: we execute all listed attack vectors and try to manipulate your people through targeted emails, phone calls, and other means
  4. Escalation and access: we use any obtained information to gain extended access to your IT infrastructure
  5. Reporting: we address every vulnerability found during the test and provide the remediation options available for each

What you get

Upon completing the test, we provide you with a comprehensive report detailing the information discovered in the time allowed for testing. You will be presented with publicly available information about your employees and company and informed about the actions and/or responses received during the simulated attacks. As a result, you will see the possible vulnerabilities in employee adherence to company policies. Both findings and mitigation recommendations will be presented confidentially to your executive staff and security team so they can correct existing issues and prepare against future attacks.
