Social Engineering and Physical Security Assessment

Social Engineering and Physical Security Assessment services are designed to measure the “human factor” and the physical controls in an organization’s information security program.

Social engineering attempts to use human interactions (for example, diffusion of responsibility, trusted relationships, moral duty, identification and cooperation) to obtain sensitive information or system access from employees or vendors. Social engineering is often used to rationalize or prove the effectiveness of a security awareness program.

Access to client personnel is most often attempted through the following real-world threats:

Telephony

  • An external assessment conducted from an outside line 
  • An internal assessment conducted from a line or extension from within the company

Phishing

  • Email Phishing: simulating a malicious email, attachment or link connecting the system to a site that NTT Security has developed in order to persuade the user to interact and divulge information. Custom payloads can also be set to execute upon landing. 
  • Device Drop: the placement of a USB thumb drive at an organization's facility containing a simulated malicious payload set to AutoRun. 

Physical Pretexting

  • Employee, staff or vendor impersonation
  • Physical security control analysis and attempted bypass (e.g., tailgating or access lock manipulation)
  • Dumpster diving