Social engineering (also known as psychotechnics) is a method that exploits the weaknesses of people and their organizations. A typical sociotechnical attack consists in the attacker manipulating their own identity (impersonating someone the target trusts) in order to induce the targeted person to perform, or refrain from, certain actions.
The simplest sociotechnical attacks are mass mailings sent to random recipients. An infected message can encrypt the victim’s files, and decrypting them will only be possible after paying the ransom.
Advanced sociotechnical activities are usually targeted at a specific organization or selected people. An attacker acquires information about the company’s functioning, processes and dependencies.
Tests using social engineering
The ESKOM test activities can be run on two levels:
1. A general verification of the organization’s susceptibility to sociotechnical activities.
2. Preparation and implementation of specific test scenarios.
The study begins with an analysis of publicly available sources of information about the organization (press releases, social networking sites, etc.). On this basis, the potential attack risks are worked out, and the methods developed are then put into practice. The purpose is to obtain confidential information.
This kind of testing assumes gaining some knowledge from inside the organization (e.g., the name and characteristics of an application in use, in order to counterfeit it; learning the business processes; identifying and exploiting weak points, etc.).
The material collected during the tests is compiled and delivered by the ESKOM specialists to the contractor. It provides information on the sources used to prepare the tests, the scenarios, and the results achieved. In addition, recommendations are made to improve the security of the processes and the awareness of the system users.
Purpose of the tests
In sociotechnical tests, the subject of the study is the organization and the people who make it up. Practice shows that the problem is generally not faulty processes, but the behaviour of the people who carry them out.
The aim of sociotechnical testing is to improve the quality and awareness of the members of the organization. Therefore, the training conducted after the tests is of great practical and educational value.
Estimation of costs
A general review of the organization’s susceptibility to social engineering, including the presentation of the results, takes around five to six working days.
For the implementation of dedicated, specific test scenarios, the base effort should be estimated at around three working days. In addition, approximately three working days should be added for each test scenario. An example of a scenario is preparing a forged web application login page together with a correspondence that encourages users to visit it.
The preparation and presentation of the summary should be estimated at approximately one to two working days. Training adds three business days for a single group (the training session itself lasts about two to three hours). Additional groups should be priced according to the number of hours required.
Schedule of activities
Initial arrangements with the client take about a week. The preparation and conduct of the activities under one test scenario should be estimated at approximately two weeks, with each further scenario adding about one more week.
Summary and discussion of results usually takes about a week.
Preparation and training – from one to two weeks.