Phishing & Social Engineering Campaigns

Malicious hackers can be very good at finding vulnerabilities in software and at the same time they can be extremely talented at exploiting human trust and behaviour. This is why CodeGrazer gives you the opportunity to assess your employees' reactions against a direct attack with two services: Simulated Phishing campaigns and Social Engineering campaigns.

Both services are similar in the sense that they both exploit human trust but differ in the way they are carried out.

A simulated Phishing campaign is done exclusively online and will target a set of employees of your company in a controlled environment. A standard phishing assessment involves the creation of believable email that will be sent to your employees. The email will contain a link to a site controlled by CodeGrazer's consultant and will invite the user to provide his credentials in order to perform a vital task for your company. At the end of the assessment, the consultant will deliver a report containing data as to who opened the malicious link, who provided valid credentials, who promptly discovered the attack and other users' related information.

Social Engineering contrary to phishing, generally requires more preparation. Social engineering entails the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. It has to do with the fact that your systems can be penetrated not just by hackers attempting to access remotely your IT infrastructures through IT-specific vulnerabilities, but also by ‘hackers’ who attempt to do so by exploiting the vulnerabilities of your employees and of your physical premises. Research has shown in fact that one of the biggest vulnerability of any organization are humans and in turn the physical environment that they inhabit – your office. A social engineering test would assess precisely this aspect of your overall (IT) security apparatus: how easy would it be for an external entity to access your building? How deep could they go into it and how much information can they access this way? Could they walk in and access your network and files? How much would your employees be liable to be exploited to this end? Before a social engineering test is carried out, rules of engagement are defined together with you and CodeGrazer and the consultant is assigned one or more targets to test in a capture the flag manner. Testing the security of your premises through a social engineering test can include a variety of activities and with a number of objectives in mind, for example:

• Access the premises of the building from the main entrance
• Access the premises of the building from any entrances.
• Access building A and gain access to R&D/finance department.
• Access finance department and take pictures of the office and of private documents.
• Access the building, find a network point and possibly conduct an internal penetration test without being detected.
• Access the building and connect a hacking device to the network. Exit the building and start hacking.
• Others may and should apply!

The consultant will spend days gathering online information (OSINT) about your company, your employees and the targeted building. Once enough information has been gathered, the consultant will be on site in incognito to study employees behavior (time of arrival in the morning, smoking and lunch breaks) and to write down information related to the building (necessity for a staff badge, potential ways in, main entrances, fire exit, presence of cameras or guards, open windows). Afterwards CodeGrazer's consultant will devise together with you one or more plans of action to get into the building (further details and techniques of social engineering are discussed and disclosed only to the client). Once a plan has been accepted, the consultant will have a day or two (depending on the number and the size of the locations) to perform the social engineering. Afterwards the consultant will deliver a report detailing the outcome of the devised plans together with recommendations for creating a user awareness program.

Are your employees the weak link in the chain? Discover it now!

By purchasing CodeGrazer's Phishing and Social Engineering Campaigns you will be able to:

• Assess the security of your Spam and Malware filters (phishing).
• Assess the reactions of your employees to a direct attack and the vulnerabilities of your premises (social engineering).
• Create a user awareness program based on the campaign discoveries.