Expose Vulnerabilities

Stop Social Engineering Dangers

How do you stop social engineering that creates easy access to your data, like phishing, baiting, water-holing, or tailgating, from happening within your organization?

By hiring NTP to expose your internal vulnerabilities with ethical social engineering attempts on your own people. This form of prevention reveals hacking dangers and provides opportunities for better security, risk remediation, and security awareness.

Only about 3% of malware tries to exploit a technical flaw. The other 97% is trying to trick a user through some type of social engineering scheme.

7 Common Types of Social Engineering

Don't Be Deceived by Hackers

Social Engineering within a company or organization occurs when someone in your company is manipulated, influenced, or deceived by hackers to gain control over their computer system.

Hackers commonly use the phone, mobile devices, email, websites, or direct contact to gain illegal access. Social Engineering differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.

NTP performs the following exercises to promote general security awareness and “end user” security training. These attempts gather confidential information that would allow an unknown actor to commit fraud or gain unauthorized access to a system or facility.

Pretexting

Either by phone or email, an invented scenario is used to increase the chance that a potential victim will bite. Our social engineer will impersonate a person of authority and use real knowledge like date of birth, social security number, or a password in an attempt to get even more information.

In one scenario, our team makes random calls to the target company’s employees as a “service provider” or help desk technician to offer help/support for an issue that would require system access.

Email Phishing

We conduct a targeted email phishing campaign simulating a real-world attack. Our email campaigns are crafted with steganography and are designed to convince a user to respond, click a link, or download a malicious payload. In this exercise, we leverage an automated email delivery system that keeps statistics on all aspects of the effort.

Spear Phishing

This email attack is smaller and more targeted, focusing on a particular person or organization to get their sensitive data. A spear phishing attack requires research on the target and has a specific personalized component designed to make the target do something against their own interest. Again, the open rate and click-through rate (CTR) are tracked and addressed with the target.

Water-Holing

For this form of hacking, we gather information about a targeted group of individuals to find out what websites they are regularly visiting, then test those websites for vulnerabilities. Over time, individuals in the targeted group will get infected, and we gain access to the secure system.

Baiting

For baiting, we leave a USB flash drive lying around and label it something interesting, like “Promotions Approved,” and see who opens it (or who turns it in). Once the device is used, a malicious file is downloaded and the victim’s computer is infected, allowing us to take over the network.

Quid Pro Quo

This form of deception provides a benefit to the victim in exchange for their information. Often, we’ll impersonate IT support and call employees to say we have found a problem with a quick fix, then ask them to disable something that happens to be a key security component. Those who fall for it get malware/ransomware installed on their machine.

Tailgating/Human Compliance

This method is used to gain access to a building or other protected area, bypassing security to gather confidential or proprietary data. We commonly pose as a vendor, service provider, or in some other official capacity.

Here are a couple of examples of how we have used and continue to use this type of exercise:

  • NTP was successful in gaining access to a company computer and took a full image of the hard drive.
  • An NTP specialist posed as a repair person and was escorted by a company employee and introduced to another employee for the purpose of troubleshooting a printing problem. We had full network access, as well as remote access to the network printer.
  • We gained access to a secure facility by mingling with the cleaning crew after hours. NTP gained access to a secure data center where we were assisted by company employees to take photos of labeled assets.

Reporting & Solutions

Security Awareness Training

Once NTP is hired to implement ethical social engineering in your business (we recommend doing so on a regular basis), you will be armed with information and reports that can be used to protect your valuable data, meet compliance and regulatory requirements, and stop cybercrime before it happens.

To keep your data and facility secure and compliant:

  • Proper security awareness training is critical! This is the first line of defense when it comes to keeping your company’s data safe.
  • Hold regular training and awareness sessions.
  • Send reminders and educate employees on the latest schemes.
  • Give them tools to stop social engineering attempts and empower them to make the right choices.
  • Implement back-end security tools that stop access to social media, shopping sites, and risk-related online activities on company-owned computers.

90% of hacks and data breaches are from phishing and emails that encourage recipients to click a link, open a document, or forward information to the hacker. Training is the only solution.

Know Your Risk

Increase Security

Our thorough data and security breach report will help you assess how effective your security awareness training is, how strong your physical security is, and what steps need to be taken to address vulnerabilities.

NTP is here to empower you and your employees to make the right choices and provide cyber intelligence, security awareness training, and security tools and systems that mitigate your cyber crime risk. Contact us today.