Today, systematic perimeter security measures are much more robust. Therefore, hackers pursue any means possible to exploit vulnerabilities and attack targets in your company. Social engineering is a technique in which intruders attempt to attack targets by exploiting human vulnerabilities rather than technical ones. Here are some commonly used examples:
Bogus phone calls where the intruder claims to be someone in IT asking for passwords, etc.
Piggybacking by following an authorized entrant walking through doors with physical security measures.
The intruder easily enters the building and/or computer room by claiming to be an HVAC technician, etc.
These are just some of the many techniques an intruder will use to exploit targets within your company. Our review will mimic the techniques hackers use to socially engineer their way to targets through human and non-systematic vulnerabilities. We will assess which departments, employees, and non-systematic resources are potentially vulnerable to social engineering and the potential targets that could have been exploited. Companies will benefit by understanding their exposure to social engineering and educating their employees on this new and widely used hacking technique to protect company assets.
The Cadence Value Proposition
With The Cadence Group, you will work with knowledgeable information security professionals. We are experienced in performing penetration testing and all of our information security professionals hold CISSP certifications (Certified Information Systems Security Professional).
Cadence works with organizations seeking to capitalize on this opportunity to truly effect change within their organization's culture and support mechanisms. Change requires real acceptance of responsibility by business units for continued, proactive assessment of information security risk and protection of information. To deliver true change, we not only identify information security vulnerabilities, but also focus on cost-effective countermeasures.
We further believe the keys to any such initiative are management ownership and flexibility. Ownership will help create long-term success for the project and allow for understanding and accountability within the organization. Our flexibility allows you to depend on us at any time during the project for any needed assistance and to obtain the benefits you require.
To provide flexibility, we can perform the related tasks necessary to complete each phase of the project (outsourcing), we can coach you and your staff on information security (advisory), or perform a combination of each. We will work with you to understand your business and the information assets you want to protect, timing restrictions, budgetary constraints and desired results to develop a solution that is right for you.
Methodology
External Penetration Testing projects are typically divided into five phases.
1. Initial Consultation - The Cadence Group will meet with management to determine the assets the company is trying to protect. Based on this information, The Cadence Group will provide some initial information on which vulnerability assessments will provide the most value to achieving those goals.
2. Project Initiation - Once management has determined the most effective way to assess their information security vulnerabilities, The Cadence Group will compose an engagement letter with a full disclosure agreement specifically detailing the services to be provided and Cadence’s commitment to providing a full disclosure of all findings in the final report. Related fees and a project budget will be provided.
3. Project Scoping and Planning - When management decides to initiate the project, Cadence will meet with management to map out a project plan which will include dates and times the social engineering penetration testing will take place and the methods of testing. The methods will also include a detailed description of each test that will be conducted. This will enable management to have full disclosure of the times and dates that Cadence will attempt to perform the penetration testing and complete knowledge of all tests to be performed. Management will have complete final say of the plan to ensure the safety and security of their network.
4. Field Work - After management is comfortable with the approach, Cadence will begin field work testing. This will include a replication of the methods used by today’s social engineering hackers:
a. Physical Security: Attempting to bypass physical security measures by “piggybacking” or easily entering the facility/secure areas without a security badge. We will also test to determine if a laptop could be easily connected to an internal network port. (See internal penetration testing for more information.)
b. Human Intervention: Using casual conversation or phone calls to exploit human vulnerabilities to obtain critical information that provides easy access to potential targets (e.g. user IDs, passwords, sensitive company data, etc.).
c. Dumpster Diving: Searching through company trash to scan for any information that might aid in attacking the target.
5. Reporting - At the conclusion of field work, Cadence will provide a full disclosure report on the results of each test that was initially approved by management. The second section of the report will include a detailed listing of all vulnerabilities identified during the review and the potential targets that could be compromised. This will also include a cost-effective and reasonable approach to remediation of the vulnerabilities noted. A closing meeting will be held to discuss full disclosure of all the tests, findings, vulnerabilities and remediation recommendations.