It is widely accepted that one of the greatest threats to security is the human element. Enterprises quite rightly invest huge sums in developing secure architectures and deploying secure networks and devices, but fail to sufficiently educate their staff when it comes to security best practices. Staff education is very rarely given sufficient attention beyond an annual security awareness email. Internal security awareness programs are recommended, and effective. However, their effectiveness often lasts only a short period afterwards, and soon old habits creep back in.
Social engineering offers a way to demonstrate to the business what can result from not paying enough attention to keeping security fresh in employees' minds. Social engineering involves attempting to take advantage of any weakness in security, whether this be physical security such as a server room door being left ajar, or an obliging staff member who allows access without a pass or without questioning unfamiliar faces. Any weaknesses found are highlighted in the report along with details of what the weakness allowed the consultant to do (for example, gain unauthorised access to the server room and compromise the domain). Once staff members have seen what their lapse in security can lead to, they are often more vigilant in the future.
Social engineering engagements can be scoped to be as extensive as the client is comfortable with. They can range from purely remote investigations to determine what can be obtained about and from the organisation, to attempts at breaking into the client premises and gaining access to their internal network or secret files. All boundaries are agreed with the client beforehand.