Social Engineering

Social Engineering is a technique that relies on exploiting weaknesses in human nature, rather than hardware, software, or network vulnerabilities.

Approach

ISEC's web application penetration testing service utilizes a comprehensive, risk-based approach to manually identify critical application-centric vulnerabilities that exist on all in-scope applications.

1. Information Gathering
2. Threat Modeling
3. Vulnerability Analysis
4. Exploitation
5. Post-Exploitation
6. Reporting

Using this industry-standard approach, ISEC's comprehensive method covers the classes of vulnerabilities in the Open Web Application Security Project (OWASP) Top 10 2013 including, but not limited to: Injection, Cross-Site Scripting, Cross-Site Request Forgery, Unvalidated Redirects & Forwards, Broken Authentication & Session Management, Security Misconfiguration, Insecure Direct Object Access and more.

Email Phishing

Exchanges of sensitive information over email happen almost constantly, day in and day out. Yet nearly all of these exchanges don't go through the proper channels for authentication and authorization. ASC uses email phishing and spear phishing social engineering to target staff into visiting unknown websites, divulging sensitive information, or performing an action they otherwise should not.

Telephone/SMS

Much like email, exchanges of sensitive information over the phone happen at an almost constant rate. These days, the mindset that a telephone call is enough to authenticate a person is all too common, and bad actors are moving away from email toward telephone social engineering. ASC uses telephone social engineering to target staff into divulging sensitive information or otherwise performing an action they should not.

Fax

Requests for information via fax are a crucial means of exchanging information, and sometimes these faxes contain sensitive information. Too often these exchanges happen without fully authenticating or authorizing the requesting party. Fax social engineering aims to identify weaknesses in how faxes are managed and exchanged within an organization.

Onsite/Physical

During a physical social engineering engagement, ISEC engages staff directly (overt) or indirectly (covert) in an effort to identify weaknesses in the way they physically handle visitors and those pretending to be employees, vendors or business partners. ISEC masquerades as vendors, new employees, business partners and even employee family members in order to entice staff into divulging sensitive information or permitting access to sensitive areas of the facility.