In Part 1, we examined the various types of (technical) penetration tests that can be used to gain assurance regarding your organisation’s vulnerability to a cyber-attack or accidental breaches.
In short, a penetration test is designed to measure the level of technical risk arising from your software and the effectiveness of your current security controls.
However, as important as the technical threat might be – we must also reflect on the fact that people play some part in the vast majority (80 to 90%) of cyber-attacks. It is essential, therefore, to pay attention to the human threat (whether malicious or accidental) as part of a robust penetration testing process.
This edition of Insights considers the human threat and how to test our defences against it.
People and Human Science
To “hack” people, which is essentially what social engineering is all about, cyber criminals need to understand the basic human behaviours and traits that make us susceptible to being tricked into doing something we should not do.
Human science studies the philosophical, biological, social, and cultural aspects of human life, and organised (well-funded, sometimes nation-state-backed) cyber criminals employ the services of human science and psychological experts. This helps them create successful social engineering attacks, the most well-known and widely reported of which is “phishing”.
“Social engineering uses manipulation, influence and deception to get a person, a trusted insider within an organization, to comply with a request, and the request is usually to release information or to perform some sort of action item that benefits that attacker.”
“The World’s Most Famous Hacker”
Why test our human defences?
Recent data provides more than sufficient evidence of the threat, from which we must create and maintain a solid cyber security strategy. In turn, our strategy should be tested to measure its effectiveness:
- 91% of cyber-attacks launched by sophisticated cyber criminals start through email
- Emotional “lures” are fear, excitement, authority, topical issues and high demand
- 97% of malware targets users through social engineering attacks
- 15% of people scammed will be targeted again within the year
- Human error is the number one cause of data breaches and data loss
- Cybercrimes cost businesses £4.85 trillion worldwide in 2021
- Cybersecurity spending only reached £139 billion in 2022
- The cost is 47x the investment made by organisations to protect themselves
- Only 52% of employees receive any data protection or cyber security training
The big question:
What kind of “human” penetration test (or tests) does your organisation need to invest in to help protect itself adequately from these kinds of attacks?
Types of Testing Methodology
Below we take a deeper dive into “human” or social engineering-based penetration testing, examining the logic and benefits of each test type – and in what kind of scenario they are most effective.
Physical Penetration Testing
While the obvious cyber security efforts should focus on securing your technical systems and networks, it is essential also to pay attention to physical security. Physical security is, in simple terms, the set of measures you should have in place to prevent unauthorised access to your buildings, site, infrastructure, systems and employees.
Therefore, the objective of a physical penetration test is to gain access to all of these key assets, exposing any weaknesses or gaps in your defences. From the results of this test, your organisation can improve its defences and mitigate the risks highlighted during the testing process.
What does it look like in real life?
A tester may simply try to walk onto your site and gain access through doors (either using a fake ID or “tailgating”, which entails walking within/amongst a group of legitimate individuals and passing through un-checked).
Once on site, the attacker may attempt access to offices, physical data (stored in cabinets, for example), or even get into server rooms.
Their objective is to push the envelope as far as possible: staying on site for as long as they can before being discovered (if at all), obtaining as much information and/or resource as they can, and taking photographs and/or collecting items of evidence to prove how long they stayed on site and what they had access to while there.
- Exposes weaknesses and vulnerabilities in your defences
- Flaws can be addressed, and gaps closed, reducing your risk and impact
- Mimics real-life attack methods and gives a taste of the impact of an attack on your organisation
- Strengthens your physical defences and layers of security
- Demonstrates to your employees the importance of Zero Trust and signs to watch out for
Social Engineering (Phishing, Smishing and Vishing) Testing
Social engineering penetration testing employs the technique of carrying out a controlled “attack” (using methods such as phishing, smishing or vishing) on company employees. The objective is to determine the organisation’s level of susceptibility to a social engineering attack, from which appropriate measures and improvements can be implemented.
These tests are usually carried out in four phases:
- Open-source intelligence (OSINT) gathering
- Planning and approval from the client
- Execution of the testing campaign
- Analysis and reporting of results
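The fourth phase, analysis and reporting, is where a campaign turns into something an organisation can act on. The following is an added example, not code from the original article or from any testing provider: it takes a constructed event export (one record per tracked action, the kind a phishing-simulation platform typically produces) and computes the usual funnel rates per department, the time from launch to the first employee report, and a follow-up list of people who clicked or submitted credentials and never reported the message. The record layout, department names and timestamps are all assumptions made for the example.

```python
"""Analysis-phase helper for a simulated phishing campaign (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Funnel stages in order; a user is counted once per stage regardless of repeats.
FUNNEL = ("sent", "opened", "clicked", "submitted", "reported")


@dataclass(frozen=True)
class Event:
    user: str
    department: str
    action: str        # one of FUNNEL
    time: datetime


def _t(hour, minute):
    # All constructed timestamps fall on one campaign day.
    return datetime(2024, 3, 4, hour, minute)


# Constructed sample export: a six-person campaign across two departments.
SAMPLE_EVENTS = [
    Event("alice", "finance", "sent", _t(9, 0)),
    Event("bob", "finance", "sent", _t(9, 0)),
    Event("carol", "finance", "sent", _t(9, 0)),
    Event("dan", "sales", "sent", _t(9, 0)),
    Event("erin", "sales", "sent", _t(9, 0)),
    Event("frank", "sales", "sent", _t(9, 0)),
    Event("dan", "sales", "reported", _t(9, 3)),        # reported from preview, never opened
    Event("alice", "finance", "opened", _t(9, 5)),
    Event("alice", "finance", "clicked", _t(9, 6)),
    Event("alice", "finance", "submitted", _t(9, 7)),   # entered credentials on the landing page
    Event("bob", "finance", "opened", _t(9, 10)),
    Event("bob", "finance", "reported", _t(9, 12)),
    Event("erin", "sales", "opened", _t(9, 20)),
    Event("carol", "finance", "opened", _t(9, 30)),
    Event("carol", "finance", "clicked", _t(9, 31)),
    Event("carol", "finance", "clicked", _t(9, 40)),    # second click is not double-counted
]


def _users_by_stage(events, department=None):
    """Map each funnel stage to the set of distinct users who reached it."""
    users = {stage: set() for stage in FUNNEL}
    for e in events:
        if department is None or e.department == department:
            if e.action in users:
                users[e.action].add(e.user)
    return users


def _summarise(events, department=None):
    """Counts and rates (fraction of recipients) for one department or the whole campaign."""
    users = _users_by_stage(events, department)
    sent = len(users["sent"])
    summary = {stage: len(users[stage]) for stage in FUNNEL}
    for stage in FUNNEL[1:]:
        summary[f"{stage}_rate"] = round(len(users[stage]) / sent, 3) if sent else 0.0
    # Time to first report is measured from campaign launch (earliest send overall).
    launch = min((e.time for e in events if e.action == "sent"), default=None)
    reports = [e.time for e in events
               if e.action == "reported" and (department is None or e.department == department)]
    summary["minutes_to_first_report"] = (
        (min(reports) - launch).total_seconds() / 60 if reports and launch else None)
    return summary


def campaign_metrics(events):
    """Overall summary plus one per department, keyed by department name."""
    events = list(events)
    metrics = {"overall": _summarise(events)}
    for dept in sorted({e.department for e in events}):
        metrics[dept] = _summarise(events, dept)
    return metrics


def follow_up_list(events):
    """Users who clicked or submitted and never reported: first priority for targeted training."""
    users = _users_by_stage(events)
    return sorted((users["clicked"] | users["submitted"]) - users["reported"])


def report_lines(metrics):
    """Plain-text summary lines suitable for the reporting phase."""
    return [
        f"{group:8} sent={m['sent']} opened={m['opened_rate']:.0%} clicked={m['clicked_rate']:.0%} "
        f"submitted={m['submitted_rate']:.0%} reported={m['reported_rate']:.0%} "
        f"first_report={m['minutes_to_first_report']}min"
        for group, m in metrics.items()
    ]


if __name__ == "__main__":
    for line in report_lines(campaign_metrics(SAMPLE_EVENTS)):
        print(line)
    print("follow up:", follow_up_list(SAMPLE_EVENTS))
```

The report rate and time-to-first-report matter as much as the click rate: a department where one person reports the message within minutes gives the security team a chance to pull the email from other mailboxes before the next click, which is the behaviour the test should reinforce.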
Often referred to as a “phishing email”, attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or direct them to a malicious website. The term ‘phishing’ is mainly used to describe attacks that arrive by email.
Smishing is categorised as a type of social engineering attack that relies on exploiting human trust rather than technical exploits. In this instance the delivery channel is SMS (text messaging): smishing simply uses text messages instead of email, with the same objectives as phishing.
Vishing is a form of phishing that relies on human interaction over the telephone, with the “V” in vishing referring to “voice”. During a vishing phone call, a scammer uses social engineering to persuade employees to share personal information and financial details, such as account numbers and passwords.
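The phishing description above (a trusted-looking sender, a link that leads somewhere other than it claims, and the fear or authority lures listed earlier) can be turned into checks that a mail gateway or an awareness tool applies to an incoming message. The following is an added example, not code from the original article: it parses two constructed emails with Python's standard email library and flags a lookalike sender domain, a link whose visible text shows a different host from its real destination, a Reply-To that diverges from the sender, and lure vocabulary. The organisation domain example.com, the sample messages and the lure word list are all assumptions made for the example.

```python
"""Heuristic phishing indicators for an inbound email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure vocabulary drawn from the emotional triggers the text lists (fear,
# authority, urgency/high demand). Two or more hits flag the message.
LURE_TERMS = ("urgent", "immediately", "suspended", "expires", "verify",
              "final notice", "action required", "wire transfer")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: lookalike domain, mismatched link text, urgency language.
PHISHING_SAMPLE = """From: "IT Service Desk" <helpdesk@example-mail-support.net>
To: alice@example.com
Subject: URGENT: your password expires in 2 hours
Content-Type: text/html

<p>Your account will be suspended unless you verify immediately.</p>
<p><a href="http://example-mail-support.net/verify">https://portal.example.com/login</a></p>
"""

# Constructed sample: internal sender, internal link, neutral wording.
LEGITIMATE_SAMPLE = """From: "Payroll Team" <payroll@example.com>
To: alice@example.com
Subject: March payslips available
Content-Type: text/html

<p>Your March payslip is now available in the portal.</p>
<p><a href="https://portal.example.com/payslips">View payslip</a></p>
"""


def _domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def _is_internal(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def _body_text(msg):
    """Concatenate all text/* parts, decoding transfer encoding and charset."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_email, org_domain):
    """Return the sorted list of indicator names that fire for this message."""
    msg = message_from_string(raw_email)
    org_domain = org_domain.lower()
    org_label = org_domain.split(".")[0]          # e.g. 'example' for example.com
    flags = set()

    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    # External domain that borrows the organisation's name is a classic lookalike.
    if from_domain and not _is_internal(from_domain, org_domain) and org_label in from_domain:
        flags.add("lookalike_sender_domain")
    if reply_domain and reply_domain != from_domain:
        flags.add("reply_to_mismatch")

    body = _body_text(msg)
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # Visible text that looks like a URL but points at a different host.
        if re.match(r"https?://", shown, re.I) and _host(shown) != _host(href):
            flags.add("link_text_mismatch")

    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    if sum(term in haystack for term in LURE_TERMS) >= 2:
        flags.add("urgency_language")
    return sorted(flags)


if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(PHISHING_SAMPLE, "example.com"))
    print("legitimate sample:", phishing_indicators(LEGITIMATE_SAMPLE, "example.com"))
```

None of these indicators is conclusive on its own (internal mail can be urgent, and suppliers legitimately use separate Reply-To addresses), which is why the function returns the list of indicators rather than a verdict; the same checks, explained in plain language, are what awareness training asks employees to look for before they click.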
- Identifies risks and vulnerabilities in processes that rely on people to be diligent and aware
- Demonstrates the impact of a real-life social engineering attack
- Provides insight into what your people are doing well and what needs more focus and attention
- Raises awareness of the generic cyber threat and is the first step in building your human firewall
Red Team Exercises
A red team exercise is a form of penetration test with goals that differ from those of the other tests covered in this edition of Insights and in the recently published Part 1 of “Different Types of Penetration Testing”.
Whereas other tests focus on identifying and exploiting vulnerabilities, a red team is very much target-driven – aiming to gain access to pre-agreed resources by exploiting weaknesses anywhere within the client’s organisation (either technical or human in nature).
The context of a “red team” is not unique to cyber security, as it is deployed in many other fields – such as airport security, law enforcement, the military and intelligence agencies.
In cyber security, red teaming is carried out by “ethical hackers”, conducting (what looks like) a real cyber-attack using the same methods and tactics a real cyber attacker might use.
This creates a highly realistic scenario and is valuable in assessing how well an organisation can defend itself in the face of a real attack.
- Assesses how well the client will defend against real cyber-attacks
- Tests the effectiveness of existing technical and human defences and controls
- Identifies any new risks to be aware of
- Enables mitigation of the risks found during the red team exercise
- Red teaming might highlight weaknesses that other types of test overlook or miss
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Cryptographer, privacy specialist, and writer
This edition (Parts 1 and 2) makes the case that penetration tests are crucial to an organisation’s security strategy. They serve as a useful tool for examining whether an organisation’s security policies are genuinely effective, and can help in planning towards improved defences and reduced cyber risk.
Proper scoping and context are key to investing wisely and adding value every step of the way. We strongly recommend that your investment in penetration testing is proportional to your risk, and that you use a reputable and experienced provider.