A social engineering test presents a challenge to your IT security team like no other.  Typically, advanced systems can manage technical points of entry into your environment with firewalls, logging, SIEM systems, malware scanners, etc.  However, when the point of entry into your system is user error, things become much more difficult to manage.

During one of our network vulnerability assessments, we were engaged to perform a social engineering test. We decided the most effective test would be a spear phishing attempt. Spear phishing is a modified form of phishing in which the attacker uses some level of intelligence about the victim to establish a basic level of trust. This allows for a far higher rate of compromise than a standard phishing attempt, which is often thwarted by something as simple as a spam filter.

To prepare for our spear phishing expedition, we visited this company's public web site and did some generic web searches to learn a little about what their public profile looked like. Armed with this information, we identified an executive in the company and crafted an email appearing to come from this person, addressed to a handful of specific users we had identified through our research. This executive encouraged the users to go to the company website and register themselves for a new self-service portal built by their friendly IT team. All they had to do was click the link provided in the email and confirm their identity by providing their login and password. Unnoticed by many of the users, both the email and the website were registered to a domain name that wasn't their own. Out of 16 emails, we received 12 sets of credentials from users within a 24-hour period. It would be accurate to call this a failed social engineering test on the part of the business. No matter how much time and money you spend securing your network, it can be short-circuited by a lack of attention to detail on the part of a handful of users. In this case, we even received credentials from users we never sent the original email to. It turns out that some of the users were so helpful that they forwarded it to a few other users within the organization.
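As an added illustration (not code from the original post), here is a small check a mail gateway or SOC tool could run for the pattern described above: an executive's display name on a sender address outside the company's domain, a link to a domain other than the company's, and a request for login credentials. The company domain, the executive name and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for the illustration: the company's own domain and the display
# names of executives most likely to be impersonated.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"pat doe"}
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)
CREDENTIAL_RE = re.compile(r"\b(password|login|credentials)\b", re.IGNORECASE)

def registered_domain(host):
    """Reduce a host name to its last two labels (crude, but enough here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def phishing_indicators(raw_message):
    """Return the sorted indicator names found in a plain-text message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rpartition("@")[2])
    body = msg.get_payload()
    found = set()
    # An executive's name is shown to the reader, but the mail comes from outside.
    if display_name.strip().lower() in EXECUTIVE_NAMES and sender_domain != COMPANY_DOMAIN:
        found.add("executive-name-external-sender")
    # Any link that points away from the company's own domain.
    if any(registered_domain(h) != COMPANY_DOMAIN for h in URL_RE.findall(body)):
        found.add("external-link")
    # The message asks the reader to hand over login details.
    if CREDENTIAL_RE.search(body):
        found.add("credential-request")
    return sorted(found)

# Constructed sample in the shape of the message described in the post.
SAMPLE_PHISH = """\
From: Pat Doe <pat.doe@example-corp-portal.com>
To: alice@example-corp.com

Our IT team built a new self-service portal. Please confirm your identity
with your login and password at https://portal.example-corp-portal.com/register
"""

# Constructed legitimate message from the same executive, for contrast.
SAMPLE_LEGIT = """\
From: Pat Doe <pat.doe@example-corp.com>
To: alice@example-corp.com

Slides are on the intranet: https://intranet.example-corp.com/q3
"""
```

Any message that trips the first indicator together with either of the others is a strong candidate for quarantine or for a banner warning the recipient that the sender is external.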

Your security posture is only as strong as your weakest link.  User apathy in the face of fraud and limited retention of fundamental security training could have caused a major security breach within the system.  Be sure to set sensible standard operating procedures and train your users on them.  Then, reinforce this training with random testing.  Weaving security into the culture of your business is the best way to convert your user base from a vulnerability into a strength.