|
Criminal hacking is no longer a purely technical activity. As awareness of technical security issues and their countermeasures has improved, attackers are increasingly employing other methods to circumvent security controls - such as exploiting unsuspecting users. Thus, the approach of purchasing individual "silver bullet" solutions like firewalls, IDS and IPS must be replaced by an holistic view of security that embraces technology, physical controls and people too.
Staff awareness of social engineering is often particularly weak, leaving most organisations open to abuse both remotely and in person. Covert attacks such as key loggers and web cams are on the increase but most organisations have no way to detect them because users simply do not know what to look for.
So, in today's environments, people are the most important factor in securing your organisation. But how security aware are they? How do you test your "human firewall"?
Over the past fifteen years, our consultants have conducted numerous penetration tests for some of the largest organisations in the world. Our experience in simulating such attacks has led us to develop a unique approach that combines real-world criminal methods and tools that test the technical, physical and social aspects of your security - hence the term "blended attacks" - a service therefore that also tests the strength of your human firewall.
The output of such an exercise will highlight cultural and psychological areas of vulnerability and so provide a platform upon which to build a security awareness campaign that is fully tailored to your organisation. The results will also highlight key areas in which your policies could be refined, ensuring that your organisation really is as secure as possible.
To this end, our skilled personnel can employ a variety of methods in a combination that you specify, such as:
| Identity theft | We impersonate an employee or trusted third party, such as a cleaner or contractor. We gain access to your premises and attempt to steal legitimate logon credentials, using snooping techniques and devices such as key loggers. |
| Phishing attacks | We craft e-mails that appear to come from within your organisation or trusted partners, in order to deceive your staff into divulging information. This may involve constructing a web site that mimics your legitimate site, or creating a Trojan program to gain access to their desktops. |
| Telephone calls | We can test your help desk security by attempting to persuade them to divulge information or reset remote access passwords. We can target employees to encourage them to divulge confidential or sensitive information. We may also use telephone social engineering to obtain background research for other types of attack. |
| Physical access | We attempt physical access to one or more of your sites to test your physical security. We impersonate an employee, delivery person or visiting engineer - using background research we forge name badges and wear appropriate clothing. We also try to gain access to secure areas such as comms rooms and executive areas. |
| Network access | Whilst on site, we attempt to connect to your network, perhaps in a meeting room or at a vacant desk. We conduct a network mapping exercise and also try to harvest sensitive or confidential information. |
We can also assist you in producing training and awareness campaigns. Please click here for more information.
| Want more information? |
|
