Physical Testing & Social Engineering

• People are generally the weakest link in any security program. This includes both employees that deliberately steal corporate data and, more commonly, employees who, lacking the necessary understanding and awareness of IT security, make mistakes.
• Human error is the most common entry point into an organisation. Phishing attacks, social engineering and lack of security patching remain the most common attack points.

Off-site: A remote Social Engineering engagement involves the manipulation of the organisation’s staff by telephone or email in an attempt to get employees to divulge user names, passwords, customer NPPI (Non-Public Personal Information) or other confidential information. Scenarios might include:

• Pretext Calling (e.g Employees and Help Desk Teams)
• Spoofing emails to make them appear like internal emails.
• ‘Dropped USB’ - luring employees to run payloads.

On-site: During an on-site engagement, Tesserent will use various techniques to gain physical access to obtain records, files, and/or equipment that may contain confidential information. The on-site engagement techniques typically include:

• Dumpster diving
• “Trusted Authority” disguises, such as fire inspectors, air conditioning repairman etc.
• Employee Impersonation (IT HelpDesk, New Hire and Auditor)

The aim of these engagements is to test for and improve, for example:

• Secure physical access to secure areas
• Proper Disposal of Sensitive Data
• Privacy Policy Awareness and Implementation
• Violation Reporting
• Access Privileges

Our ultimate aim is to help you better inform and educate your staff to be attack and hacker-aware.