IT security management and compliance company, RandomStorm, has published a book explaining how organisations can perform structured tests to check for security vulnerabilities that are created by human weaknesses such as gullibility, pride and fear.
The book, “Social Engineering Penetration Testing,” was published by Elsevier on 30th June 2014 and is written for information security practitioners, network and computer system administrators and IT professionals. It portrays real-life scenarios to help train employees to recognise common social engineering tactics and stop an attack in progress. Examples show how criminals have used phishing, telephone pretexting and physical props to manipulate employees into divulging information, or into performing activities on the criminals' behalf that compromise information security or put physical assets at risk. The book also provides detailed frameworks that enable organisations to assess how well a social engineering penetration test has been performed by their security auditor.
RandomStorm co-founder and technical director, Andrew Mason, was commissioned to write the book following a meeting with Elsevier at Infosecurity Europe last year. His co-writers are Richard Ackroyd and Gavin Watson, Senior Security Engineer and head of the RandomStorm Social Engineering Team.
At this year’s Infosecurity Europe show, Gavin Watson presented excerpts from the book, in the Business Strategy Theatre, to a packed audience.
Andrew Mason explains, “We have shared some of the social engineering pen testing techniques that we have successfully used at client sites to access restricted areas or sensitive information. Using the book’s examples, organisations can gain a much better understanding of the many ways that criminals employ social engineering. We walk you through the practical steps to improving defences in response to pen test results.”
Gavin Watson continues, “Too many times, social engineering pen tests will simply involve an auditor donning a high-vis vest, or carrying a coffee cup and trying to blag their way past reception. What our book describes is how to develop a full risk framework that assesses every social engineering avenue that could be exploited by a criminal targeting your organisation.”
“We want to get away from just putting a tick in the compliance box and help organisations to genuinely improve their security through comprehensive tests that underpin policies, processes and training.”
References:
- Elsevier: “Social Engineering Penetration Testing,” Gavin Watson, Andrew Mason, Richard Ackroyd. https://www.elsevier.com/books/social-engineering-penetration-testing/watson/978-0-12-420124-8
- Infosecurity Europe, Business Strategy Theatre, 1.20pm, 30th April 2014: “So you think your organisation is secure, think again. Social engineering, a view from the dark side,” Gavin Watson. http://www.infosec.co.uk/en/Sessions/4692/So-you-think-your-organisation-is-secure-think-again-Social-Engineering-a-view-from-the-dark-side
- Channel 4 Dispatches, 8pm Monday 14th May 2012, “Watching the Detectives,” Chris Atkins speaks to Gavin Watson about the problem of blaggers accessing personally identifiable data. http://www.channel4.com/programmes/dispatches/episode-guide/series-109/episode-1
- Raconteur, 21st March 2014, “People are ‘Wet’ with security,” Charles Orton-Jones talks to Gavin Watson about the human risk factor in information security. http://raconteur.net/technology/people-are-wet-with-security
- The Data Protection Act 1998, Section 55, “Unlawful obtaining etc. of personal data.” http://www.legislation.gov.uk/ukpga/1998/29/section/55