
Social Engineering Assessment - The old saying that you are only as good as your weakest point is absolutely true, especially when factoring in the "people" aspect of IT security.


Social Engineering Assessment

Regardless of technologies you implement or physical barriers you erect, the strength of your controls comes down to the training, awareness, diligence and honesty of your company insiders. Comprehensive security policies and security awareness training are fundamental controls within an effective security program. Testing these controls is also critical to validating and improving program effectiveness.

Social Engineering Framework

Interactive Security's Social Engineering Framework consists of three A's: Analyze, Assessment, and Analysis. This framework should be implemented yearly in order for clients to see if they are improving or need to take further actions.
•Analyze - First, we will Analyze the information which is deemed to be of value and to be the focus of the engineering phase. These items are typically sensitive or proprietary to company operations.
•Assessment - Second, we will Assess all the information based on input from the Analyze Phase by utilizing only free, open source channels. The collection phase utilizes both automated and manual discovery processes.
•Analysis - All collected information is manually inspected in detail for possible disclosure of sensitive information requested during the Identify Phase.
Once information is found and analyzed, every finding is documented in a prioritized list. Interactive Security includes this list along with recommendations in the final report.

Social Engineering Assessment Approaches (Scope)

Each of Interactive Security's Social Engineering Assessments is broken down into either black box or white box methods. These two assessment approaches are designed to give clients two different options for level of effort.

Black Box - In a black box style assessment, the social engineer begins the assessment with no prior information from the client, in order to see what types of open source intelligence (OSINT) they can find online. For these campaigns, the social engineer will gather E-mail addresses, phone numbers and information about the physical security controls to develop custom attack vectors.

Benefits of black box assessments:
•More realistic - Interactive Security's social engineers see what they can find without guidance from the client
•Best method to simulate outside threats
White Box - During white box assessments the client provides the targets they wish to be tested, such as: phone numbers, E-mail addresses, and locations.

Benefits of white box assessments:
•Client controls what information and which employees they want assessed
•Best method to simulate insider threats
Intelligence Gathering - Attackers utilize intelligence gathering tactics against companies to search for information that could be found in job postings, employee social media accounts, or even third-party associations. Once intelligence is collected, they leverage it to create social engineering campaigns. Interactive Security utilizes the same tactics to gather intelligence.

Phishing - Phishing has been the starting point of many data breaches. It is imperative that companies are continuously training and testing for this style of attack. Our Phishing Assessments measure what percentage of client employees pass or fail a phishing campaign.

Verbal Phishing (Phone/Voicemail) - Verbal Phishing is eliciting sensitive information via the phone. Interactive Security utilizes multiple approaches to gain information, such as spoofing phone numbers and impersonation, just as a malicious actor would.

Physical - A Physical Assessment can validate clients' physical security controls in place and company policies, or show them areas that need improvement.

Physical security controls which Interactive Security will assess:
•Video surveillance
•Security guards
•Locks

Company policies that may be tested:
•No-tailgating policies
•Questioning visitors who are not wearing guest badges
•Dumpster diving
•USB drops
Interactive Security has a full suite of social engineering assessment services that test all aspects of your human control areas. Interactive Security can customize these testing programs to evaluate the risk of information disclosure, using technical methods like online phishing, staff impersonation and pretext calling, and physical control tests such as piggy-backing, lock testing, and other physical entry methods.
Interactive Security, Inc.
Headquarters in the Greater Philadelphia Area
Call: 2678242500
Email: sales@intactsec.com
Website: https://intactsec.com/
LinkedIn: https://www.linkedin.com/company/interactive-security/
