What is Social Engineering?

Social engineering is an extremely effective technique used by hackers worldwide to compromise internal systems and proprietary information assets. In fact, it’s one of the top two techniques used by criminals to compromise organizations like yours. 

Essentially, malicious “social engineers” use manipulation, deception and influence to persuade an employee or contractor to unwittingly disclose secure information or persuade someone to perform an action which grants unauthorized access to an organization’s information systems. 

In person, over the phone and online, malicious imposters are the undisputed biggest threat to the security of your organization.

Why Social Engineering Testing Matters

As the world’s leading authority on the topic, Kevin Mitnick created the security industry’s standard for social engineering testing. In his groundbreaking and bestselling work, The Art of Deception: Controlling the Human Element of Security, Kevin explains that the easiest way to penetrate high-tech systems is through the people who manage, operate, and use them.

Humans will always be the weak link in your security, and no technology can change that. Experience can.

Mitnick Security uses a blend of information reconnaissance and technology with personally mentored social engineers to provide unparalleled social engineering penetration testing through all attack vectors, including phone (vishing), email (phishing) and on site infiltration.

Not only does our team carefully determine the best targets for our social engineering techniques through the use of open source intelligence (OSINT); our pentesters also create custom payloads to bypass your antivirus/EDR defenses. This planning and preparation gives you the most realistic outcomes and the clearest view of where your security needs improvement.

Following testing, your detailed report will explain which personnel were tested, the details of each attempt and recommendations for improving security within the organization based on these results.

Social Engineering Training for Your Entire Enterprise

Beyond our boots-on-the-ground testing, these same social engineering insights are available for enterprise-wide computer-based training (CBT) through Kevin’s world-renowned training program available on the KnowBe4 platform. Kevin Mitnick Security Awareness Training (KMSAT) was designed to be a powerful, easy-to-use and comprehensive solution available for busy professionals.

Explore KMSAT Social Engineering Training for:

  • Complying with regulations that mandate security training
  • Establishing clear behavioral guidelines and security policies
  • Improving employee knowledge of security risks
  • Motivating desired security behaviors
  • On-demand, interactive training in 26 languages, plus even more translated content
  • One to two-minute interactive video lessons
  • Episode-based, Netflix-like shows
  • A range of styles from safe to edgy and fun 
  • Different learning styles, generations and types of employees
  • Optional gamification, with leaderboards and badges, to incentivize and motivate users to take their assigned training

The Mitnick Advantage

Security Experts, Not Interns

Kevin Mitnick is the world’s leading authority on social engineering and an industry pioneer. 

Deeper Testing

Other companies count each link-click as a success. Our team goes further. After exploiting the end user’s device, we access their internal network, escalate privileges to gain administrative access, install simulated malware/backdoors across the organization and exfiltrate data identified by the client as being the most important.

100% Guarantee of Success Breaking into Your System

Our meticulous research using Open Source Intelligence (any information that can be gathered by attackers for free on or off the Internet) is why we are able to maintain our perfect success record.

Our Approach and Attack Vectors

  • Phishing emails targeting specific groups or individuals that attempt to entice information from the recipient, or to trick them into performing an action such as opening a malicious attachment or clicking on a link within the email.
  • Phone calls to individuals within the organization posing as the IT helpdesk, a vendor, supplier, customer, fellow employee or even a manager. 
  • Phishing attacks that lure victims to a fake website that appears to be associated with the company being tested, in which employees are asked to log in with their company credentials to access the site. By logging usernames and passwords, Mitnick Security can help determine whether existing security controls and training are really effective.
  • Exploiting a client-side vulnerability in the software that resides on the user’s desktop (e.g. Adobe Reader, a video conferencing browser extension, a customized software update) and gaining control of the system by tricking the user into visiting a URL or opening a malicious attachment.

Our Process

Your social engineering strength test kicks off on a call with Kevin Mitnick himself, our team and your relevant team members. We’ll use this opportunity to thoroughly discuss the engagement rules, what to expect and how to alert you if something is being detected during the testing phase. 

Since our testing goes so far beyond simple baiting for link clicks, we’ll identify your most guarded/sensitive information to target for access and exfiltration. We also use this time to identify any specific targets you want tested or excluded (contractors, CEO, C-Suite staff, interns, etc.).

Once testing commences, we’ll begin by gathering information on your organization and anyone with access to information systems or sensitive data. Then, our master social engineers develop the ruse, pretext, and situations we’ll use to influence the people being tested. Our superior skill set allows us to develop plausible situations that are realistic, credible, and trustworthy.

If necessary, we work closely with your team to define and customize the test scenarios to test specific policies, procedures, and processes. If your organization has incident response procedures for reporting suspicious phone calls, text/instant messages, or emails, Mitnick Security can test these procedures and the overall effectiveness of your existing security awareness-training programs.

Throughout the testing, we’ll be in constant communication with your team through dedicated communication channels. You’ll also be advised as we begin to wrap up and write your detailed, peer-reviewed report.

Contact Us to Learn More About Social Engineering Strength Testing

Your Social Engineering Strength Testing Results

Your detailed and easy-to-explain report includes a walkthrough of our simulated cyberattacks, our findings and our expert recommendations to fortify your current policies and train your organization. Then, we’ll help your IT team to implement new (or adjust old) security policies that reflect today’s social engineering threats and the results of our test. 

Mitnick Security recommends recurring social engineering testing as part of your ongoing penetration testing program, to keep your staff in a constant state of alertness.

Social Engineering Terms Explained by the Experts

C2

A command-and-control (C2 or C&C) server is a machine controlled by an attacker (in this case, by our testers) which is used to send commands to systems compromised by malware and to receive stolen data from a target’s network.

Vishing

Vishing is the phone equivalent of email phishing and uses automated voice messages to steal confidential information. The term is a combination of "voice" and "phishing."

OSINT

Open Source Intelligence, referring to any bit of information that can be gathered by attackers for free (that is, not blocked by paywalls). These are normally details collected on the Internet (e.g., company and title from LinkedIn), but technically can include offline information.

Spear Phishing

An attack in which threat actors use a deep knowledge of the potential victims to target them. These emails are more convincing and harder to detect than regular phishing emails because the attacker knows exactly who and what they're targeting.

Pretexting

Weaving a false story or situation using as many real facts as possible (to build trust and credibility) to convince the target into a course of action like revealing confidential information or installing malicious software such as ransomware.

Payload

A group of computer instructions that’s secretly installed onto the victim’s computer that gives the adversary covert access to the victim’s computer system.