Social engineering against security policy : How to infiltrate company's premises using social engineering?
Sillanpää, Miika (2019)
All rights reserved. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2019121025740
Abstract
Social engineering is as old as human beings and has been practised for thousands of years in one form or another, both verbally and non-verbally. Today it is still a very potent attack vector, and anybody could be its target. The commissioning company was the target of social engineering attacks, and all the techniques and skills used were meant to measure its personnel's ability to spot, and even stop, these attacks. In addition, the results show how dangerous such attacks can be.
The task was to investigate how employees respond to social engineering attacks and how they behave when faced with them. Information about the company was collected passively in order to find out what any potential attacker can see on the Internet; the Maltego software was used for this. In addition, the trend in phishing emails and the factors connecting the most clicked phishing emails were investigated.
The background information was collected through a survey, the results of which were analyzed against the security policy. The goal was to measure employees' security awareness and security culture. Gathering information about the company was the first step. Based on that information, physical penetration test cases were created, and their outcomes were measured and compared with the survey results. The phishing email data was used to identify the trend and the factors connecting the most clicked phishing emails.
On paper, the security culture was good, yet not perfect. The reality differed considerably from the paper. Publicly available information did not reveal critical information, but it did provide attack vectors. Phishing emails related to social media were the most successful. Social engineering is a real threat to business. The only way to defend against it is to improve the security culture of the first line of defense, which in this case is the people themselves.