Physical Testing & Social Engineering

People are always the weakest link!

Tesserent’s Social Engineering engagements in New Zealand test whether your security controls (physical, human, email, phone) can be bypassed.

How we can assist:

Our testing methodology is tailored to each New Zealand organisation’s specific needs and IT infrastructure. Tesserent experts attempt to manipulate an organisation’s employees into allowing unauthorised access to confidential information. This allows the organisation to test its:

  • Information Security Policy and
  • Employees’ adherence to that policy.

By engaging Tesserent to perform this test, you can identify failure points. Once you have your benchmark, Tesserent can help you better inform and educate your staff to be attack and hacker-aware through our Security Awareness Training.

We start by listening.

Frequently Asked Questions

Why Should I Perform Social Engineering Testing In New Zealand?

  • People are generally the weakest link in any security program. This includes both employees who deliberately steal corporate data and, more commonly, employees who make mistakes because they lack the necessary understanding and awareness of IT security.
  • Human error is the most common entry point into an organisation. Phishing attacks, social engineering and lack of security patching remain the most common attack points.

What is the difference between on-site and off-site testing?

Off-site: A remote Social Engineering engagement involves the manipulation of the organisation’s staff by telephone or email in an attempt to get employees to divulge usernames, passwords, customer NPPI (Non-Public Personal Information) or other confidential information. Scenarios might include:

  • Pretext Calling (e.g. Employees and Help Desk Teams)
  • Spoofing emails to make them appear like internal emails.
  • ‘Dropped USB’ - luring employees to run payloads.

On-site: During an on-site engagement, Tesserent will use various techniques to gain physical access to obtain records, files, and/or equipment that may contain confidential information. The on-site engagement techniques typically include:

  • Dumpster diving
  • “Trusted Authority” disguises, such as fire inspectors, air conditioning repairmen, etc.
  • Employee Impersonation (IT HelpDesk, New Hire and Auditor)

These engagements aim to test and improve areas such as:

  • Secure physical access to secure areas
  • Proper Disposal of Sensitive Data
  • Privacy Policy Awareness and Implementation
  • Violation Reporting
  • Access Privileges

Our ultimate aim is to help you better inform and educate your staff to be attack and hacker-aware.

What is physical testing in cybersecurity?

Physical testing is a method used in cybersecurity to test the security of a physical facility, such as a data centre, by attempting to gain unauthorised access to the facility. The goal of physical testing is to identify weaknesses in the physical security controls of the facility and provide recommendations for improving security.

What is social engineering in cybersecurity?

Social engineering is a method used in cybersecurity to manipulate individuals into performing actions or divulging sensitive information. Social engineering attacks can take many forms, such as phishing emails, pretexting, baiting, and tailgating. The goal of social engineering is to exploit human vulnerabilities and gain unauthorised access to a system or network.

How do physical testing and social engineering work together in cybersecurity?

Physical testing and social engineering often work together in a comprehensive cybersecurity assessment. Physical testing can help identify vulnerabilities in physical security controls, such as access controls and surveillance systems, while social engineering can help identify vulnerabilities in human behaviours and processes, such as password policies and employee training.

What are some common physical testing techniques used in cybersecurity?

Some common physical testing techniques used in cybersecurity include lock picking, badge cloning, tailgating, dumpster diving, and wireless signal scanning.

What are some common social engineering techniques used in cybersecurity?

Some common social engineering techniques used in cybersecurity include phishing emails, pretexting, baiting, tailgating, and watering hole attacks.

Why are physical testing and social engineering important in cybersecurity?

Physical testing and social engineering are important in cybersecurity because they help organisations identify vulnerabilities in their physical and social security controls that can be exploited by attackers. By conducting regular assessments and implementing appropriate controls, organisations can reduce the risk of physical and social engineering attacks and better protect their assets and data.

Contact us

Speak with a Tesserent Security Specialist

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.
