General security

How to Plan a Social Engineering Assessment

Jesse Valentin
February 3, 2014 by
Jesse Valentin

A social engineering assessment is a very valuable tool in understanding the security exposure of most organizations. Since human beings tend to be the weakest link in any security strategy, this work can quickly identify which areas need to be addressed in the timeliest fashion. Another factor that needs to be remembered is that human beings can also be very unpredictable, depending on the circumstances in which they find themselves. For this reason it is imperative that the Information Security professional knows how to architect, organize and carry out a successful assessment.

Keeping the above mentioned factors in mind, one of the most important items to remember is SAFETY. This is critical for the security professional, the client, as well as any other individual that may become involved. During the social engineering assessment, it may be necessary to engage in activities that could be viewed as "threatening" or "suspicious" from the standpoint of any observing individual that is not aware that an assessment of this type is underway. Since the accuracy of the assessment depends on keeping the planned activities confidential, the great majority of employees will be unaware that the assessment has been sanctioned by their organization. In view of this, it is imperative that the security professional be an individual that can maintain vigilance, professionalism and demonstrate good judgment in every circumstance that may present itself.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

This information is important to keep in mind as world events in current society have resulted in an escalated level of fear and nervousness in most individuals. Some people may take matters into their own hands if they feel threatened. Since it's impossible to predict how a specific person will act in this type of situation, the best solution is to be prepared and try to anticipate what may occur in any given scenario. Most of the audit points for a social engineering assessment will be focusing on the effectiveness of the client's information security program, policies, physical security controls and security awareness training. Understanding this objective will help to craft audit activities that will gauge the client's overall exposure.

So, what are some points that should be remembered when planning this type of review?

WORK TO CREATE A SAFE WORKING ENVIRONMENT

The first logical step in working to create a "safe work environment" is to organize your assessment – think about the areas that need to be reviewed and how best to measure the security posture for each area. Some potential audit activities could be:

  • Security Awareness Tests (Challenging employees in direct situations)
    • Phishing Attempts (How do employees react when receiving suspect emails and requests?)
    • Unescorted attempts to enter authorized areas (What is the reaction of employees and security personnel?)
    • Connecting to the company network in authorized areas in plain sight
    • Soliciting confidential information through phone calls and emails

Once you've identified the relevant areas that will be reviewed, the security professional should start a mental "walk through" of the different scenarios that can be created to assess each area. This is especially useful in the case of any attempts against physical security mechanisms.

The purpose of this is to try and anticipate what may occur during each situation. For example, some questions that may arise are:

If I attempt to enter an authorized area of a building or office:

  • Which security components may be invoked?
  • Does the building or office employ armed security personnel?
  • Will the local police department be contacted?
  • What is the client organization's policy regarding employees and weapons?
  • Has the client dealt with past cases of employees bringing weapons to work?
  • What is the plan of action in the event anyone attempts to take matters into their own hands?
  • Will the security professional be in danger of assault or other types of problems?

As a security professional, it is very important to seriously ponder questions like these so that the safety of all involved can be protected and possible solutions can be developed for each scenario. A part of these solutions is to prepare accordingly before the assessment. To do this, the following steps should be implemented:

  1. Identity Card – The security professional should have a company identity card issued to them from their employer. This card should clearly show the security professional's headshot, official title, employing company name, date of employment, etc. In the event the security professional is challenged by law enforcement, having this type of identifying information is helpful. This should be carried with the security professional during the assessment.
  2. Government Issued Identity Card – Having an ID card such as a driver's license, passport or other government issued identifier is also very important. This should also be carried with the assessor during the review.
  3. Client Authorization Document - Before engaging in your assessment activities – speak with your client at length about the activities that will take place and be sure to have the client compose a notarized letter on official company letterhead and signed by the CEO or another high level individual authorized to permit the activities. Be sure to include a contact number for the individual signing the document. The document should briefly state that the company has engaged the security company to perform a Social Engineering assessment and contain the name and title of the security professional performing the work. The date(s) of the assessment, the targeted geographic location(s) and the specific activities that will take place at each location should also be specified. This letter should be carried with the assessor during the review of activities so that it can be presented if needed.
  4. Contact local law enforcement – Prior to the start of the assessment, the security professional (preferably in person with the client present) should contact the local police department to inform them of the activities taking place on the scheduled date. Bear in mind that from the perspective of local law enforcement, simply placing a call to them can be construed as a social engineering attempt to prevent them from responding properly. In view of this, making an in-person visit to the local precinct along with the client's representative is very beneficial. When making this visit, you would ask to speak to an administrative member of the police department to open a Request for Service record. This is basically a written record that provides law enforcement with an understanding that a "security drill" will be occurring and a copy of the official document can be requested. When visiting the police department, be sure to dress appropriately and provide thorough identification. (Every police department may have a different process, so be sure to contact them well in advance of the planned assessment date).
    1. Some police departments make this process available online, so be sure to check the local precinct's website to determine what may be available. If this option is chosen, be sure to obtain a copy of any record that is created and ensure that the assessor also has this in their possession during the review.
    2. Another option when contacting Law Enforcement is to coordinate through your client's physical security leader. Depending on the size and nature of your client's business, the onsite security team is oftentimes led by a person with past law enforcement/military experience and normally has created a relationship with the local police department. Involving this leader in the preliminary planning stages can be very helpful and also provides you with a trusted representative with which to communicate information to law enforcement.

      Even after taking these proactive measures, keep in mind that the police department must still maintain a state of readiness and they will respond to any calls of possible threats. Completing these steps however, helps to establish a credible chain of events that can be used if a detailed explanation to law enforcement becomes necessary.

RESEARCH THE CLIENT FACILITY

Another helpful step when preparing the assessment is to research the client facilities being audited before visiting the location. This step can assist the security professional by understanding the geographic location of the building, the overall configuration of entrances and exits, the proximity of the building to populated areas and neighboring businesses or organizations. Having this information beforehand can help the security professional to plan appropriate audits and use some of the settings to their advantage. Internet mapping sites can be very helpful in gaining an initial "bird's eye view" of the audit location. Many of these sites offer satellite and street views of the vicinity which can provide much information about street traffic, the overall demographic in the area and whether it will be difficult for the auditor to be inconspicuous. Obviously an audit location in downtown Manhattan will be very different from a location in rural North Carolina and these will require a different approach by the auditor. Having this information beforehand can help a great deal with preparation and planning the best way to go about the audit.

RESEARCH ON ORGANIZATION EMPLOYEES

In addition to this, take the time to begin scouring the Internet for any information you can locate regarding employees at the organization. The goal is to become familiar with key names, title naming conventions, office locations, etc. Aside from gaining information on higher level executives, take the time to also locate information on facilities personnel, cleaning and other lower level functions in the company. Having this information will add the air of authenticity to the assessor's requests when starting attempts to gain information through unsolicited phone calls. Depending on the type of information being requested, this exercise will thoroughly test the employee's response and whether additional security awareness training is needed. To test what type of information can be found on your organization, visit www.google.com and using the Advanced Search option, enter pertinent terms that will focus your search to very specific values.

PLAN DUMPSTER DIVING ACTIVITIES

When examining these locations initially look for dumpsters that may be located on the property, possibly in a secluded rear section of the parking lot in preparation for dumpster diving. Many times this results in the harvesting of large amounts of sensitive information that can be used in the course of the assessment. This will also gauge the effectiveness of the information security program and the client's approach to disposal of sensitive information. For this exercise you may want to invest in a small box cutter, a box of latex surgical gloves, large Ziploc bags to store your evidence as well as a small supply of zip ties for resealing any opened bags. This portion of the work can either be done at night or in plain sight during the day. Choosing daylight hours for this activity will thoroughly test the vigilance of organization employees as well as being able to determine if the company has trained their employees on how to properly report suspicious activity.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Obviously there are many more components that can be added to a social engineering assessment, but this article serves as a starting point for planning very basic activities and proactive measures to protect the safety of all involved and ensure the best results!

Jesse Valentin
Jesse Valentin

Jesse Valentin is a security professional with 18 years experience in Information Security. During this time he has worked for various financial firms, security consulting companies and non-profit organizations where he has specialized in areas of Enterprise Risk Assessments, Compliance Readiness, IT General Controls Audits, development of Incident Response plans, Corporate Information Security Programs, Security Awareness Training and Secure Application Architecture.