Protect Your Executives From Social Engineering Attacks
Social media has put a great deal of our personal lives online. Social engineering is a modern attack that exploits exactly that, and executives with low security awareness are a favored target.
Social engineering is still in its infancy compared to its potential as a threat vector. It is a very powerful tool, especially for an attacker motivated to log in to a target's personal email account. For example, consider the security questions you are prompted with for a bank, email, or investment account: the answers (a mother's maiden name, a first car, a high school) are often public or easily guessed.
Penetration Testing - Personal Email
Our penetration testing team uses ethical social engineering on a regular basis during approved engagements. Below is a summary of the steps in one common example from our pen testing methodology.
1. Go to the company's website and collect the executive's name, title, contact information and work email address.
2. Use that information to guess candidate personal email addresses (the same name conventions at common webmail providers), then test and validate them.
3. Call the receptionist with a well-planned pretext and a sense of urgency.
4. Ask for information to be sent to the personal account.
5. When logging in to the personal account, if you are asked security questions, the answers can be guessed or found out rather easily if the executive answered them truthfully.
6. If the site sends a one-time code by text message for a password reset, the executive's phone number can be redirected to a burner phone.
7. This is done with social engineering tactics against the cell phone provider (a SIM swap or port-out request).
8. The portal texts the reset code to the burner phone, and the attacker sets a new password.
Working backwards from this example, enabling two-factor authentication prevents the most common hacking and social engineering attacks, and it is becoming standard on most web portals. Choose the second factor carefully, though: a code delivered by text message is exactly what steps 6 through 8 redirect to the attacker's phone, so an authenticator app or a hardware security key is the stronger choice. Two-factor authentication is also rarely turned on by a non-IT executive, because it is not the default.
Security awareness training is the best method of improving resistance to social engineering attacks, because every step in the example above depends on a person (the receptionist, the executive, the carrier's support agent) doing something they should not.
Would you like help with performing Penetration Testing and Security Awareness Training? Let's Talk.
Author: Chad Akileh
Equilibrium IT Solutions, Inc.