Security Services

Social Engineering Assessment

Humans are the weakest link in the security chain. They face threats on a daily basis, from phishing emails to social engineering calls, and very often have little or no knowledge that would help them identify the danger.

No matter which technical and physical security controls you have implemented, the security of your infrastructure and network comes down to the ability of your employees, contractors or vendors to recognize such attacks and not fall for such traps.

Hackers know these alarming facts, which is why humans are their first target. Cybercriminals use sophisticated social engineering techniques to persuade and manipulate people to gain access to your internal networks and sensitive information.

Assessing your employees’ readiness to identify and withstand Social Engineering attacks should be a key part of your organization’s security program.

Wizlynx Social Engineering Assessment

Our services rely on highly skilled security professionals and penetration testers with extensive experience, in both defense and offense, to create realistic phishing scenarios. The goal of our service is not only to assess your employees’ readiness to withstand common phishing attacks, but more importantly, targeted and spear-phishing attacks that have a high impact on your organization. wizlynx group presents Phishlynx, an in-house developed solution to assist us during Social Engineering Assessments.

Our Social Engineering Assessment Services

Email Phishing with Website Mirroring

Consists of sending a phishing email in an attempt to fool your users into providing sensitive information, such as a username and password, on a mirrored website that looks extremely similar to the real website.

Email Phishing with Attachments

Consists of sending a phishing email in an attempt to fool your users into opening an attachment (e.g. an XLS file) and enabling the VB macro.

Email Phishing with Hyperlinks

Consists of sending a phishing email in an attempt to fool your users into clicking on a link.

Email Phishing with File Download

Consists of sending a phishing email in an attempt to fool users into downloading potentially malicious files from an attachment (e.g. an XLS file) and enabling the VB macro.

USB Drop

Consists of leaving USB keys containing files in strategic places, such as meeting rooms, toilets, parking lots, etc., in an attempt to trick users into connecting the USB drive and opening potentially malicious files.

Voice Phishing (Vishing)

Consists of using social engineering techniques over the phone to trick your users into providing sensitive information such as username, password, access to the victim’s computer, etc.

Staff Impersonation & Physical Security Controls

Consists of various attempts to gain access to specific locations, unauthorized physical network access, baiting, tailgating, dumpster diving, USB drops, etc.

Our Social Engineering Methodology

wizlynx group Social Engineering Assessment is usually executed in three phases:
Reconnaissance & Planning
  • Threat analysis and definition of audit objectives
  • Target reconnaissance
  • Creation of the script and time plan
  • Preparation of the attacking platform
Execution
  • Email phishing attacks
  • Vishing attacks
  • USB key drop attack
  • Evaluation and interpretation
Reporting
  • Overall evaluation and documentation of results, including detailed statistics
  • Risk assessment
  • Report preparation & recommendations
  • Debriefing

Reconnaissance & Planning

The following tasks will be carried out during the reconnaissance and planning phase:

  • Compilation of the attack scripts, detailed planning and review of the attack method
  • Selection of information and access type to be acquired (e.g. employee id, login/password, access to HR system, etc.)
  • Definition of scope, target, go/no-go tasks and zone
  • Selection of customer’s employees that will be targeted
  • Reconnaissance of information about organization, people, gossip, weaknesses, internal problems, profiling victims, etc.
  • Preparation of the attacking platform and tools (e.g. registering domains, mirroring websites, tracking scripts to generate statistics, attachments, fake malware, etc.)

Execution

This central phase consists of the effective execution of the tests that are defined upfront and agreed to.

If wizlynx group discovers serious gaps and weaknesses, the customer will be informed immediately so that any emergency measures can be implemented in a safe and timely manner.

Results Analysis & Reporting

The following tasks will be executed in this phase:

  • Overall evaluation and documentation of results that include all employees disclosing sensitive information and granting access
  • Review and quality check
  • Preparation of the report with evaluation and recommendations

Weaknesses and significant risks to Information Security (the "human factor") will be interpreted, evaluated and judged.

All findings will be documented in the final report and compared with a strengths/weaknesses profile against the international standard for IT Security ISO 27001. The identified weaknesses will be assessed and supplemented with recommendations and remediation actions, as well as prioritized according to the associated risk. The final report will be discussed during a presentation with the customer. The report will include a comprehensive and meaningful C-level summary of the executed Social Engineering Assessment. It will also include all detailed results with respective evidence and recommendations for future security measures based on the results.

Our Certifications

wizlynx's security analysts and penetration testers hold the most recognized certifications in cyber security and penetration testing such as: GIAC GPEN, GWAPT, GCIH, GMOB, OSCP, CEH, CISSP, CISA and more!
