Social Engineering provides you with the information you need to:
- Remediate physical and electronic vulnerabilities that put your data, employees, and company at risk
- Focus security awareness training programs on the areas and technologies that pose the greatest risk or validate the effectiveness of an existing training program
- Limit the growing risk of CryptoLocker and ransomware
- Strengthen policies, procedures, and controls to reduce future risks
- Provide assurance to management and executives that your users are aware of cyber security risks
Elevate performs the following social engineering exercises:
Email Phishing Social Engineering
Elevate develops customized emails and sends them to individuals and groups within your organization in an attempt to entice users to click on an external link that will either attempt to gather sensitive information or deliver a malicious payload onto their desktop, laptop, or server. Elevate works with you to plan, develop, and execute this exercise according to your goals and requirements.
Vishing Social Engineering (Telephone Hacking)
Elevate conducts a reconnaissance phase to identify trusted individuals, usually Information Technology personnel, with the purpose of collecting sensitive information over the phone about other individuals working for you. Elevate will collect information from social sites such as LinkedIn and Facebook to select the targets for the Vishing exercise. The information collected during the Vishing exercise is used during the “Onsite Impersonation” phase of the social engineering engagement.
Onsite Impersonation Social Engineering
The information collected during the Vishing exercise, as well as any other information obtained during the email phishing test, is used to impersonate an employee, vendor, etc.
Elevate conducts intense reconnaissance into the target in scope by observing foot traffic and common dress style in the environment, noting security guard rotations, checking for any third-party suppliers, etc. Through surveying and analysis of the target’s environment, the Social Engineer then selects the best approach to blend in with the environment and creates an elaborate pretext to infiltrate the facilities and premises. Many of these scenarios involve different costumes and attire, along with aliases and fake profiles, to attempt to convince the targeted employees.
Once access to the client’s facilities has been obtained, the next step will be to try to get access to critical systems and applications hosting sensitive data. The final phase is the exfiltration of data from the onsite facilities. Elevate will not execute the process of data exfiltration, but it will demonstrate the opportunity to do so by taking pictures and/or collecting other evidence that this has taken place.