Penetration Testing

Social Engineering Assessment

“Layer 8” (the people who use the systems) is often the weakest link, even for companies that have an otherwise robust security posture.  People tend to be trusting and helpful by nature, and an attacker can exploit that to obtain access or sensitive information without touching a single technical control.  AppSec Consulting recommends including social engineering as part of any significant penetration test.

The AppSec Consulting Difference

  • Our security professionals are trained in, and stay current with, the latest social engineering techniques by attending and participating in conferences such as Black Hat, Defcon, and B-Sides.
  • We carefully design and prepare our social engineering campaigns in order to maximize our success rate while minimizing disruption to your organization.  In many cases the employees won’t know about our social engineering campaign until it’s over and the results are presented.
  • Our reporting differentiates us from the competition: you'll receive an actionable, custom-written report containing expert advice tailored to your business.

Our Approach

During a social engineering engagement, AppSec Consulting’s engagement team may carry out the following activities.  An assessment can include all of the items below or a subset agreed upon during engagement planning.

  1. Using publicly available methods to research potential weak points within the social structure of the target, such as:
    • Analyzing public information in Facebook accounts, Twitter streams, LinkedIn profiles, and other social media outlets for information about company resources, or data that can be leveraged in a potential attack.
    • Analyzing public information about the company by performing searches of public records, job openings, and content hosted on the company’s website(s).
    • Physical data gathering, such as dumpster diving.
  2. Designing and carrying out attacks over public communication channels, such as email phishing campaigns designed to elicit a response from employees.
  3. Calling publicly listed phone numbers and attempting to draw staff into conversation that divulges sensitive information about the protection of target assets.
  4. Designing and carrying out attacks that use USB sticks and/or CDs carrying custom payloads, dropped at strategic locations in or around the target’s buildings.
  5. Using other deceptive techniques to extract account credentials to access controlled systems and/or environments.
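A phishing campaign such as the one in step 2 is only useful if every click and every credential submission can be traced back to the employee who produced it, so the engagement team issues each recipient a unique link and reconciles the landing-page web server log against that list afterwards.  The following script is an added example written for this page, not AppSec Consulting’s tooling; the campaign key, e-mail addresses, landing-page hostname and log lines are all constructed for the demonstration.

```python
"""Phishing-campaign bookkeeping: per-recipient tracking tokens and click/credential attribution."""
import hashlib
import hmac
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed, engagement-specific secret; a real campaign would generate a fresh one per engagement.
DEMO_KEY = b"constructed-demo-campaign-key"

# Apache "combined" log format; only the client IP, request line and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def make_token(email: str, key: bytes) -> str:
    """Per-recipient tracking token.  A truncated HMAC over the normalised address means a
    suspicious recipient cannot guess or enumerate other tokens, and the token itself does
    not reveal which address it was issued to."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_campaign(recipients, landing_url, key):
    """Return {token: email} for attribution and {email: personalised link} for the mailer."""
    token_map = {make_token(r, key): r for r in recipients}
    links = {email: f"{landing_url}?t={tok}" for tok, email in token_map.items()}
    return token_map, links


def parse_log_line(line):
    """Parse one combined-format log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "token": parse_qs(parts.query).get("t", [None])[0],
        "status": int(m.group("status")),
    }


def attribute(log_lines, token_map):
    """Map landing-page hits back to recipients.  GET = link clicked, POST = form submitted.
    Hits carrying a token we never issued are kept separately; they are typically a mail
    gateway sandbox, a scanner or a typo rather than a real employee."""
    events = defaultdict(set)   # email -> {"clicked", "submitted"}
    unknown = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None or rec["token"] is None:
            continue
        email = token_map.get(rec["token"])
        if email is None:
            unknown.append((rec["ip"], rec["token"]))
            continue
        if rec["method"] == "GET":
            events[email].add("clicked")
        elif rec["method"] == "POST":
            events[email].add("clicked")      # reaching the form implies the link was followed
            events[email].add("submitted")
    return events, unknown


def summarize(events, recipients):
    """Unique-recipient counts and rates; repeat clicks by one person count once."""
    n = len(recipients)
    clicked = sum(1 for e in recipients if "clicked" in events.get(e, ()))
    submitted = sum(1 for e in recipients if "submitted" in events.get(e, ()))
    return {"recipients": n, "clicked": clicked, "submitted": submitted,
            "click_rate": clicked / n if n else 0.0, "submit_rate": submitted / n if n else 0.0}


RECIPIENTS = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
TOKENS, LINKS = build_campaign(RECIPIENTS, "https://portal-login.example.net/login", DEMO_KEY)
_t = {email: tok for tok, email in TOKENS.items()}

# Constructed landing-page log lines (not a real capture): alice clicks and submits, bob clicks twice,
# one hit carries a token we never issued, and one unrelated request has no token at all.
SAMPLE_LOG = [
    f'10.1.2.3 - - [12/Mar/2024:09:14:02 +0000] "GET /login?t={_t["alice@example.com"]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.1.2.3 - - [12/Mar/2024:09:14:40 +0000] "POST /login?t={_t["alice@example.com"]} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'10.1.2.7 - - [12/Mar/2024:09:15:11 +0000] "GET /login?t={_t["bob@example.com"]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.1.2.7 - - [12/Mar/2024:09:15:12 +0000] "GET /login?t={_t["bob@example.com"]} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:09:16:00 +0000] "GET /login?t=0000000000000000 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.1.2.9 - - [12/Mar/2024:09:17:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]


def run_demo():
    events, unknown = attribute(SAMPLE_LOG, TOKENS)
    return summarize(events, RECIPIENTS), unknown


if __name__ == "__main__":
    stats, unknown = run_demo()
    print(stats)                      # 2 of 4 clicked, 1 of 4 submitted
    print("unknown tokens:", unknown)
```

Two design points carry over to a real engagement: the token is derived with a keyed HMAC rather than a plain hash or sequential ID so that one curious recipient cannot enumerate colleagues’ links, and hits with unissued tokens are reported separately rather than discarded, because a burst of them from one address is usually the client’s mail security gateway detonating the link and is worth noting in the report.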

What You Get

  1. An actionable, custom-written Penetration Testing Report or Social Engineering Assessment Report, which describes the social engineering attacks performed, summarizes the results, and provides custom remediation advice tailored to your business needs.
  2. Expert consultation throughout the remediation phase and assistance with implementing certain remediation advice, such as employee security awareness training.