SNEAKY FOX SECURITY SPECIALISTS offer a variety of security services tailored to suit your organization's needs.
INSIDER THREAT PROGRAMS
Insider threat programs are established to put controls in place and to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and non-technical information, in order to identify potential insider threat concerns. In addition to the centralized integration and analysis capability, insider threat programs must:
Prepare insider threat policies and implementation plans.
Conduct host-based user monitoring of individual employee activities.
Provide insider threat awareness training to employees.
Receive access to information from all offices within the organization for the insider threat analysis.
Conduct self-assessments of organizational insider threat posture.
Insider threat programs can leverage the existence of incident handling teams that organizations already have in place, such as cybersecurity incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace including, but not limited to, ongoing patterns of disgruntled behavior with coworkers and colleagues. These precursors can better inform and guide organizational officials in more focused, targeted monitoring efforts.
For these types of programs to be established successfully, an organization must have the time and skill set needed to implement the program and provide oversight for it. However, even though more small businesses are being required to maintain these types of programs, little guidance is provided, and organizations often lack the in-house expertise or the budget to hire an individual with the necessary skill set. Sneaky Fox can be engaged to augment your current staff and help establish, implement, maintain and document these critical programs.
PENETRATION TESTING OVERVIEW
Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. It often involves launching real attacks on real systems and data, using tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities on one or more systems that can be used to gain more access than could be achieved through a single vulnerability.
Penetration testing can be invaluable, but it is labor-intensive and requires great expertise to minimize the risk to targeted systems.
Penetration testing should be performed only after careful consideration, notification, and planning. Penetration testing often includes non-technical methods of attack. For example, a penetration tester could breach physical security controls and procedures to connect to a network, steal equipment, capture sensitive information (possibly by installing keylogging devices), or disrupt communications.
Caution should be exercised when performing physical security testing—security guards should be made aware of how to verify the validity of tester activity, such as via a point of contact or documentation. Another nontechnical means of attack is the use of social engineering, such as posing as a help desk agent and calling to request a user’s passwords, or calling the help desk posing as a user and asking for a password to be reset.
SOCIAL ENGINEERING OVERVIEW
Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks. It is used to test the human element and user awareness of security and can reveal weaknesses in user behavior—such as failing to follow standard procedures. Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging).
Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact.
It is important that the results of social engineering testing are used to improve the security of the organization and not to single out individuals. Testers should produce a detailed final report that identifies both successful and unsuccessful tactics used. This level of detail will help organizations to tailor their security awareness training programs.
RVC’s preferred testing methodology is white box social engineering testing. In white box social engineering testing, RVC has full knowledge and access to the target system and its internal workings, allowing them to conduct a comprehensive audit and identify vulnerabilities from an "insider" perspective.
A White Box Test can be accomplished in a much quicker time frame when compared to a Black Box Test. White box social engineering assessment helps our clients to learn how much damage could occur from leaked data or a rogue insider. White box testing is more effective when it is necessary to fully test the selected group of employees and its proneness to future social engineering attacks.
The term “white box testing” was originally used to describe a form of software testing where detailed information on the software application was provided to the person reviewing the code. The same principle can be applied to other areas of review, such as social engineering testing.
Determining which method to use depends on what the client is trying to accomplish. If the audit is to test the client’s employees’ susceptibility to social engineering, then having the client provide a list of employees and contact information streamlines the process and makes the testing more comprehensive.
PHYSICAL TESTING OVERVIEW
In addition to technical techniques, there are many non-technical techniques that may be used alongside or instead of them. One example is physical security testing, which confirms the existence of physical security vulnerabilities by attempting to circumvent locks, badge readers, and other physical security controls, typically to gain unauthorized access to specific hosts.
Another example of a non-technical technique is manual asset identification. An organization may choose to identify assets to be assessed through asset inventories, physical walkthroughs of facilities, and other non-technical means, instead of relying on technical techniques for asset identification. In some cases, techniques such as dumpster diving and physical walkthroughs of facilities may be used to collect additional information on the targeted network, and may also uncover additional information to be used during the penetration tests, such as passwords written on paper.
IN-PERSON SOCIAL ENGINEERING
Physical testing is not all about picking locks and bypassing security systems — a large part of an onsite physical penetration test involves social engineering. In-person social engineering penetration testing assesses an organization's security posture by simulating real-world attacks that rely on human interaction and trust. It helps identify vulnerabilities by evaluating how easily attackers can trick employees into revealing information or accessing systems.
Infiltrators fabricate a scenario, or pretext, to gain the trust of an organization's first line of defense, such as security personnel or receptionists. An infiltrator might pose as a legitimate entity, such as a co-worker, police officer, bank official, delivery person, job applicant, or technical support, to manipulate employees into providing sensitive information or granting access to restricted areas.
Social engineering is a tactic used to exploit the vulnerabilities of human psychology. By leveraging this approach, infiltrators can gain unauthorized access to sensitive information and carry out harmful actions. And by creating emotions such as trust, urgency, kinship, authority, stress, or pity, infiltrators manipulate victims into taking risky actions.
Tailgating, also known as piggybacking, involves an infiltrator seeking to gain entry to a restricted area without proper authentication by following closely behind an authorized individual. An infiltrator often relies on the courtesy or distraction of the authorized individual, who holds the door open, not realizing they are allowing access to an unauthorized person.
PHYSICAL PENTESTING METHODOLOGY
RVC's preferred testing methodology is white box testing. In a white box physical penetration test, RVC is given comprehensive internal knowledge of the physical infrastructure and security measures and simulates a targeted physical attack, focusing on vulnerabilities that could be exploited by an insider or someone with specific knowledge.
White box physical penetration testing differs from black box testing in that the penetration tester has access to detailed information about the target environment, including floor plans, employee ID information, network diagrams, and security measures.
Often, organizations request a physical penetration test alongside network and application penetration testing. The type of test agreed on by the organization and the testing firm will vary depending on several factors such as:
Budget
Scope of the engagement
Inside information provided by the organization
Although there may not be as many widely recognized frameworks specifically tailored for physical penetration testing, the methodology used in physical penetration testing draws upon the principles and practices established in network pen test frameworks.