Social Engineering involves psychologically manipulating people into performing
actions or divulging confidential information, such as their password, and as a result
bypassing normal security procedure.
The attacker uses public information from company websites, social media sites, social skills, and human interaction to obtain information about an organization, its computer systems and other information in order to gain access to the network.
The engagement team utilizes a variety of techniques, including email and phone-based deception techniques, to acquire account information that can provide unauthorized access to PHI.
The deception techniques try and convince your employees to divulge confidential access information such as user name and password.
In addition, the engagement team attempts to reset passwords by contacting the Help Desk and impersonating an employee.
Does the Help Desk representative validate the caller’s identity by confirming the employee’s full name, employee ID number, and the location where the employee works?
For a terminated employee, is it possible to re-establish network access through deceptive means?
Does the Help Desk refer callers to the password reset policy to explain why a password reset is not permitted without proper validation of the user’s identity?
Are employees aware of password policies that prohibit the sharing of passwords?
The engagement team can also test the effectiveness of policies and procedures. For example, do employees know who to contact if they experience a security incident or witness suspicious behavior?
Conducting social engineering and phishing exercises helps to reduce the risk and exposure to some of these attacks and helps to determine the effectiveness of the security training and awareness program. Social engineering exercises also help an organization test the effectiveness of their policies and procedures.
WHAT SETS MEDITOLOGY APART
#1 Ranked Best in KLAS for Cybersecurity Advisory Services for 2019