With the recent increase in attacks, network security has become a talking point and focus for most security teams. The threats organisations are facing are evolving at an ever increasing pace, threat actors are better equipped and more knowledgeable than ever and, unfortunately, we are seeing non-negligible increases in the amount of organisations being breached. To ensure their networks remain resilient, organisations who have historically shied away from pen testing, vulnerability scanning and social engineering will have to incorporate it into their information security strategies.
Security audits should form part of any information security strategy whereby penetration testing, vulnerability assessments and social engineering are all regularly scheduled activities. Combined they give a good overview of general susceptibility from different methods of attack however it should be noted specialist testing may be required if your organisation houses specialist equipment such as mainframes, or operates especially stringent policies procedures such as a data centre.
Often overlooked of the three is social engineering which has declined in popularity in recent years, however should still be considered an important part of any information security strategy. A social engineering test should be conducted in such a way that it will address the non technical side of information security such as user awareness. It is debatable whether this testing should include purely technical controls (such as access control systems) however it is my personal belief these should form part of the technical testing and not of the social engineering. I also believe the declining popularity of this type of testing is in part due to service providers not being adequately prepared to conduct it.
While our main business is technical testing, we maintain a roster of specialist contractors with skill sets which are much more suited to conducting these tests. Most of our social engineering team have backgrounds either in the police or other government services where they have developed and honed their skills for many years, focusing almost exclusively on social engineering and its related subjects.
Methodologies are scattered when it comes to this type of testing however there are a few which are notable such as OSSTM which discusses at a high level what needs to be covered. Unfortunately there are none which are widely adopted and most testing outfits develop their own. We do have a tried and tested methodology which is available to customers on request, normally we will sit down and fine tune it before any social engineering engagement.