How do you stop social engineering that creates easy access to your data, such as phishing, baiting, water-holing, or tailgating, from happening within your organization?
By hiring NTP to expose your internal vulnerabilities with ethical social engineering attempts against your own people. This form of prevention reveals hacking dangers and provides opportunities for better security, risk remediation, and security awareness.
Only about 3% of malware tries to exploit a technical flaw; the other 97% tries to trick a user through some type of social engineering scheme.
Social engineering within a company or organization occurs when someone in your company is manipulated, influenced, or deceived by hackers so that they gain control over that person's computer system.
Hackers commonly use the phone, mobile devices, email, websites, or direct contact to gain illegal access. Social engineering differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
NTP performs the following exercises to promote general security awareness and "end user" security training. Each attempt tries to gather confidential information that would allow an unknown actor to commit fraud or gain unauthorized access to a system or facility.
Either by phone or email, an invented scenario (a pretext) is used to increase the chance that a potential victim will bite. Our social engineer impersonates a person of authority and uses real details, such as a date of birth, social security number, or password, in an attempt to obtain even more information.
In one scenario, our team makes random calls to the target company's employees posing as a "service provider" or help desk technician and offers help or support for an issue that would require system access.
We conduct a targeted email phishing campaign that simulates a real-world attack. Our email campaigns are crafted with steganography and are designed to convince a user to respond, click a link, or download a malicious payload. In this exercise, we use an automated email delivery system that keeps statistics on every aspect of the effort.
This email attack is smaller and more targeted, focusing on a particular person or organization to obtain their sensitive data. A spear phishing attack requires research on the target and has a specific, personalized component designed to make the target act against their own interest. Again, the open rate and click-through rate (CTR) are tracked and reviewed with the target.
For this form of attack, we gather information about a targeted group of individuals to find out which websites they visit regularly, then test those websites for vulnerabilities. Over time, individuals in the targeted group become infected, and we gain access to the secure system.
For baiting, we leave a USB flash drive lying around, labeled with something interesting such as "Promotions Approved," and see who opens it (or who turns it in). Once the device is used, a malicious file is downloaded and the victim's computer is infected, allowing us to take over the network.
This form of deception offers the victim a benefit in exchange for their information. Often, we impersonate IT support and call every employee to say we have a problem with a quick fix, then ask them to disable something that happens to be a key security component. Those who fall for it get malware/ransomware installed on their machine.
This method is used to gain access to a building or other protected area, bypassing physical security to gather confidential or proprietary data. We commonly pose as a vendor, a service provider, or someone in another official capacity.
Here are a couple of examples of how we have used and continue to use this type of exercise:
Once NTP is hired to carry out ethical social engineering in your business (and we recommend doing so on a regular basis), you will be armed with information and reports that can be used to protect your valuable data, meet compliance and regulatory requirements, and stop cybercrime before it happens.
To keep your data and facility secure and compliant:
90% of hacks and data breaches come from phishing and from emails that encourage recipients to click a link, open a document, or forward information to the hacker. Training is the only solution.
Our thorough data and security breach report will help you assess how effective your security awareness training is, how strong your physical security is, and what steps need to be taken to remediate the vulnerabilities found.
NTP is here to empower you and your employees to make the right choices, and to provide cyber intelligence, security awareness training, and security tools and systems that mitigate your cybercrime risk. Contact us today.