Social Engineering & Phishing

Arbala Systems can perform constructed social engineering and phishing attempts to test the effectiveness of security training and help you create an enterprise-wide awareness program to decrease the “insider” threat.

Social Engineering Services

Social Engineering is an effective, non-technical means for an attacker to infiltrate the organization and secure a foothold by exploiting the “good nature” of human personality. As an example, one common route for social engineering involves an individual contacting a help desk claiming to be someone they aren’t. As a result of the help desk staffer wanting to help the individual on the phone, they either disclose information they shouldn’t have disclosed or give unauthorized access to someone they shouldn’t have.

To kickstart a social engineering assessment, Arbala Systems utilizes client-supplied information to quickly determine the most likely areas for social engineering success. With this information gathered, we: request and review the policies, support information and processes of the target within the organization; identify potential attack vectors, either provided by the customer or identified during the data gathering and review phase; construct an attack around those specific attack vectors and provide a window of time during which the attacks will be run (communicated only to the key stakeholders); and construct a limited communication plan that details the appropriate measures to be taken to manage any support requests or incidents that may arise during the orchestrated attacks.

Phishing Assessments

Phishing is a sub-category of social engineering that is very specific to email and was identified by IT executives as the top future cybersecurity threat. It has been the root cause of many recent breaches and even led to an expensive OCR settlement towards the end of 2015.

In a standard phishing scheme, an attacker constructs an email to look like it’s coming from a trusted source (e.g., a bank, insurance company or well-known brand) with the intent that the recipient will assume the contents of the email are trustworthy because they appear to come from a trustworthy source. In reality, the links in the email lead to a malicious site constructed to extract information from the recipient through various technical means. The data lost in these types of attacks can be as simple as a user being tricked into typing in their credentials to “confirm them” (thereby handing the attacker the credentials to log into their account), or as extensive as theft of data residing on the target computer by way of a web-based script that retrieves select information from the target’s computer without them ever having done anything other than click on a few links.
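The scheme described above depends on a gap between what the recipient sees and where the email actually routes them. As an added example (not Arbala Systems' code or any tool described on this page), the Python below parses a constructed sample message and flags two such gaps that a mail filter or awareness exercise can check for: a Reply-To address whose domain differs from the From domain, and anchor text that displays one URL while the href points to a different domain. The sample addresses, the reserved .example domains, and the "last two labels" domain heuristic are all assumptions of the example.

```python
"""Flag two common phishing indicators in a raw email message.

Added example; not code from the page's author. The sample message,
its domains and the registrable-domain shortcut are constructed assumptions.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (invented addresses; .example is reserved for documentation).
SAMPLE_EML = """\
From: "First National Bank" <alerts@firstnational.example>
Reply-To: "First National Bank" <support@fn-account-review.example>
To: employee@corp.example
Subject: Action required: confirm your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual sign-in activity. Please confirm your credentials.</p>
<p><a href="http://login.fn-account-review.example/confirm">https://www.firstnational.example/login</a></p>
<p><a href="https://www.firstnational.example/help">Help center</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain guess: the last two labels of the hostname.
    Assumption of this example; a real deployment would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _url_domain(text):
    """Registrable domain of a URL or bare hostname, or '' if it has none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return _registrable(urlparse(candidate).hostname or "")


def _looks_like_url(text):
    """True when the anchor's visible text itself reads like a URL."""
    return text.strip().lower().startswith(("http://", "https://", "www."))


def find_indicators(raw_message):
    """Return a list of (indicator, shown_domain, actual_domain) tuples."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Replies are routed to a domain other than the one shown in From.
    from_addrs = msg["From"].addresses if msg["From"] else ()
    reply_addrs = msg["Reply-To"].addresses if msg["Reply-To"] else ()
    if from_addrs and reply_addrs:
        from_dom = _registrable(from_addrs[0].domain)
        reply_dom = _registrable(reply_addrs[0].domain)
        if from_dom != reply_dom:
            findings.append(("reply_to_mismatch", from_dom, reply_dom))

    # 2. Anchor text displays one domain while the href leads to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, shown in collector.links:
            if _looks_like_url(shown) and _url_domain(shown) != _url_domain(href):
                findings.append(("link_text_mismatch", _url_domain(shown), _url_domain(href)))
    return findings


if __name__ == "__main__":
    for kind, shown, actual in find_indicators(SAMPLE_EML):
        print(f"{kind}: shown {shown}, actual {actual}")
```

Both checks are deliberately conservative: a link whose visible text is plain words ("Help center") is not flagged, because only a displayed URL creates a false expectation about the destination. The registrable-domain shortcut will misjudge multi-label public suffixes, which is why production filters lean on the Public Suffix List instead.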

To facilitate a phishing assessment, Arbala Systems utilizes a combination of insider knowledge and the latest trends in phishing to build a realistic scenario designed to entice employees into investigating the email and handing over restricted or sensitive information. Findings from this study provide insight into the workforce’s ability to cast a critical eye on suspicious emails, as well as detailed reporting on how far into the phishing net they swam (and the information they might have divulged had it been a real attack).

Our phishing assessment has helped thousands of users become more knowledgeable of deceptive phishing efforts, and it will help you create a culture of cybersecurity awareness and empower your staff to be more cautious of suspicious emails.