The objective of a Social Engineering engagement is to identify weaknesses in the human perimeter of an organization. An organization's security is only as strong as its weakest link, and Social Engineering assessments are used to establish that strength. This type of review allows us to gauge an organization's exposure to real-world attack scenarios.
The GDS Social Engineering methodology combines manual and automated research of publicly accessible information sources. These include, but are not restricted to, Internet sites, chat rooms and social networking sites, as well as directly calling the target organization and attempting to gather data. This information alone can give an organization a better understanding of its public Internet persona.
During a GDS Social Engineering engagement, consultants will identify and construct scenarios that could be used to gain access to restricted areas of buildings or sites belonging to the target organization. The object of the test will be to evaluate the organization and gain information that is considered sensitive. These scenarios will be discussed with the client organization, choosing those with measurable targets and allowing the organization to maximize the effectiveness of testing.
Onsite Testing Activities
GDS will make contact with a target organization via the agreed scenarios, either by phone, by email or directly onsite. During this activity consultants will impersonate third parties, trusted internal staff or even external contractors. The targets of these activities could range from obtaining user names and passwords to gaining access to server rooms or simulating the placement of software or devices on the target network.
Remote Testing Activities
Consultants will call the target organization or send email, attempting to elicit information from individuals. Remote Social Engineering also includes testing an organization through the use of fake phishing attacks or trojans sent to the target company.
GDS delivers a detailed and comprehensive report at the conclusion of each Social Engineering assessment. All GDS reports are highly customizable depending on requested reporting requirements and typically include an executive summary, details of several scenarios that could be used to attack the organization, illustrative walkthroughs (including photographs) and full write-ups of the scenario used during the testing. The report will also contain recommendations on how to improve the social defense of the organization.