Historically, customers have used penetration testing to test the security of their infrastructure from an external or internal perspective. For a long time, this has been the ‘de facto’ standard to test for security vulnerabilities. However, we (penetration testers), have been aware for quite some time that this is not the full story.
In fact, just performing internal and external penetration test can lead you into a false sense of security, NO, literally! Just look at the recent scandals surrounding compromises of large corporations to see that companies are missing a vital aspect to their security testing: humans!
Sure, internal and external testing can check technical aspects but this is no longer the number one threat, in my view. Statistics speak for themselves; hackers are using social engineering techniques more and more to compromise corporations and access sensitive data.
Are companies taking this seriously?
Well, it’s been a long, slow, drawn out process to try and get social engineering on the map. However, recently, we’ve see an increase in customers requesting “Red Team” engagements, which is setting defined goals for the test using any means possible (including social engineering). This is a great step forward! Companies are understanding that humans will always be the weakest link to their security.
It doesn’t matter how much evaluation and review you have performed using your new glitzy firewalls and how much money you’ve spent on hardware. Attacks can be much simpler, like a finance employee receiving a loaded invoice from a ‘customer’ or HR receiving a CV from a prospective employee; which will completely bypass the security and install unattended and recognised backdoors.
How do you know your company is secured from these kind of threats? How do you know what links your employees click on or what attachments they open? It’s a rhetorical question! I’ve often wondered 'how are folks securing themselves from the real threat?' which has always been there from the inception of the Internet and before. Yes, I know you can purchase more ‘kit’ to try to filter out the malicious objects, but what about the objects that do get through? Are the employees aware of it? For the malware that gets through how do you know staff are aware of the risk?
Thankfully I think the message is getting through. In the last month alone we’ve seen several customers requesting this type of engagement. It can range from a basic phishing campaign, to a full blown red team engagement, where anything goes.
Phishing campaigns should be the bare minimum a company performs on a regular basis.
What better way to judge how successful internal security awareness training is, than by using a phishing campaign metric? For example, how many employees opened an email that was not work related but had some sort of offer? How many employees clicked on a link to receive that offer? How many employees went further and signed up on a website the link was sent to receive the offer? Finally, how many employees opened the ‘offer’ attachment sent to them?
If you have no idea about the percentage of employees vulnerable to this risk and you're assuming all is well; we wish you good luck! The analogy from a technical perspective would be installing antivirus and not updating it for several years. How do you know you haven’t been compromised? Well, you don’t (normally) but you wouldn’t think about not including regularly updating antivirus in any security policy you use internally.
I think the time has come to include the weakest link into our security testing, not just as a nice ‘add-on’ but at the forefront of the testing we perform. There are many free and not so free products out there that can help you perform the bare minimum given examples. Phishing frameworks are relatively simple to configure and deploy. It’s only down to your imagination how sophisticated your campaign is, who you want to target and how often you should do it.
Measuring the controls around these forms of attacks is the only way to show you have performed your due diligence, in which any internal security measures or training performed is having a positive effect on your employees! Without measuring it, you are at risk of keeping your head in the sand. Coining this with Anne Robinson's phrase “You are the weakest link…. Goodbye!”