What are some best practices for security testing the human factor in social engineering scenarios?

Employ social engineering tests to assess employee susceptibility to phishing, pretexting, or other manipulation techniques. Tailor scenarios to mimic real-world threats, provide feedback and training based on results, and foster a culture of security awareness. Regularly update testing methods to reflect evolving threats and reinforce vigilance among employees.

Learning from past incidents is one method to define a scope. Attempt to identify common spam or phishing attacks your organization were targeted and use as an example to your security awareness campaign.

There are open source options for phishing campaigns. After identifying and educating your users, try to mimic the common attacks received by your organization and list users that are still not following the best practices. You can create specific campaigns for those who fail more than 3 tests for example

Social engineering starts within an organisation: [ We do the following to learn better and mitigate these kind of social engineering attacks in the future ] 1. How about social engineering your team members? Example: Try to look at their keyboard when they set the password and try to see if they end it with @123 or some other numbers ;-) 2. How about sending a spoofed email that ends with the company domain name and requesting them the sensitive information [ Example: Database Access or Administrator Access ] while you intellectually craft "Reply-To" email address to your personal email address assuming that before sending with sensitive details, most of the people might not observe the "Recipients email address".

Think about the following when you are deciding the ethical and legal guidelines: 1. What Jurisdiction is applied to your company based on the target audience / customers it serves? 2. What does ethics mean to your members in your company and does it really collude with all the team members as a unity or there is a collision in terms of believing / understanding among the members? 3. Come up with the ethical principles that works for your business and make sure they are practiced with great due diligence and in an effective manner. 4. Most people in my experience do not understand, "How to destroy the digital documents / files or USB sticks and so on." Train the members. Example: Stop using horizontal or vertical shredders for papers. Why?

Leverage established frameworks like MITRE ATT&CK or the Social Engineering Framework to structure the test and ensure a comprehensive approach that covers multiple attack vectors.

Essa abordagem da colabora??o entre equipes de seguran?a e departamentos de recursos humanos integrada fortalece a resiliência organizacional contra amea?as baseadas em engenharia social e promove uma compreens?o mais ampla dos riscos associados às intera??es humanas no contexto da seguran?a cibernética.

Debemos educar al personal proporcionándole ejemplos de ataques, mejor aun, que puedan vivirlos, como temas de phishing, ense?arle a los colaboradores como poder identificar las técnicas de ataques, esto puede llevar a tener una buena cultura de seguridad en la empresa.

After conducting the test, provide training and feedback to the targeted individuals or teams. The goal is to enhance their awareness and improve their ability to recognize and respond to social engineering threats in the future.

Regular phishing simulation campaigns are vital for employee training. Gophish is a widely used tool for such purposes, but it's crucial to configure it carefully to evade detection by security solutions. This includes altering headers that reveal Gophish use and purchasing a domain closely resembling the audited company's. Crafting compelling pretexts to entice targets is vital; such narratives can be enhanced with AI tools like GPT-4.0. Host on a VPS prepared for potential spam blockages, separate from production servers to avoid provider issues. Embrace modern phishing techniques, like OAuth forms or evasion-ready malware, to identify and educate on the latest threats.

Practice these exercises to train. Examples: #SE01 → Your target resides in a different country & you want to spy on all activities on his computer Context: // He connects to internet to check his email // He uses anti-virus that is a free edition // He is attracted to piracy & porn Write down your approach or your thoughts about gaining access to his every bit of data on his computer. #SE02 → You want to know the IP address of a target & you need to know this without the knowledge of the target. More context: // Target is available on social media platforms. That’s twitter. // Target likes freebies #SE03 → You need to get into a physical infrastructure of a multinational company. What are your ideas to get through the security guard?

Adicionalmente, é importante ressaltar a importancia da colabora??o entre equipes de seguran?a e departamentos de recursos humanos durante a execu??o de testes de engenharia social. A integra??o dessas áreas permite uma abordagem mais holística, considerando n?o apenas as vulnerabilidades técnicas, mas também os aspectos comportamentais e culturais dentro da organiza??o. Além disso, incentivar uma cultura de comunica??o aberta e relatórios transparentes sobre incidentes simulados contribui para a constru??o de uma mentalidade proativa em rela??o à seguran?a.