Social engineering, in a security context, is a term that refers to the manipulation and/or deception of people for the purpose of information gathering, fraud and/or unauthorised access to information systems and assets.
A Social Engineering Review is a complementary Cyberis service that is commonly requested when a comprehensive understanding of information security assurance and risk is required in an organisation.
In recent years, external compliance and audit programmes have become more arduous; it is a common expectation that policies and procedures are operationally tested to verify their effectiveness throughout an organisation.
Social engineering can evidence conformance to many aspects of information security policies and procedures, as well as measure the effectiveness of education and awareness programmes. Where assurance is not immediately achieved, the identified non-conformances or wider cultural issues can be addressed. Cyberis will guide you through remediation planning to address concerns in a pragmatic, cost-effective manner.
The Cyberis review will be tailored to your assurance requirements and business objectives. Reports and debriefs are also tailored to requirements, structured as an audit or in a risk-based format. Debriefs are often used as an opportunity to emphasise security weaknesses by practical demonstration and by the presentation of convincing evidence, if found, to influence security views and support a number of security objectives. Certain evidence, provided it does not single out individuals, can also be used for training and education purposes.
In all cases, it is useful to combine a social engineering review with other assurance tests, such as a physical security test or a penetration test, in order to fully understand the impact of security weaknesses and vulnerabilities from beginning to end. The approach and objectives can take many forms, including:
- Open, non-specific review
- Targeted against a geographic location, such as a regional, overseas or satellite office
- Targeted against an entire organisation, subsidiary, department or team
- Targeted against information assets, or information systems
- Set of challenges
- Set of review criteria
With social engineering, the formal constraints and limitations of the review are particularly important. They will be planned to ensure the rules of engagement are clear and the techniques in scope are detailed, for example technical approaches such as phishing, telephone calls, postal mail or direct face-to-face interaction.
- Understand how the manipulation and deception of people in your organisation might impact your information security posture
- Gain assurance of conformance to information security policies and procedures
- Review the information security culture of your organisation
- Review the effectiveness of training and education programmes