6.8. Hands-On Lab

The lab in this chapter is as follows:

Lab 6.1: Test Social Engineering

6.8.1. Lab 6.1: Test Social Engineering

In this lab, you'll test your users to determine how likely a social engineering attack is to succeed. The following are suggestions for tests; you might need to modify them slightly to be appropriate at your workplace. Before doing any of them, make certain your manager knows that you're conducting such a test and approves of it:

  1. Call the receptionist from an outside line. Tell them that you're a new salesperson and that you didn't write down the username and password the sales manager gave you last week. Tell them that you need to get a file from the e-mail system for a presentation tomorrow. Do they direct you to the appropriate person?

  2. Call the human resources department from an outside line. Don't give your real name, but instead say that you're a vendor who has been working with this company for years. You'd like a copy of the employee phone list to be e-mailed to you, if possible. Do they agree to send you the list, which would contain information that could be used to try to guess usernames and passwords?

  3. Pick a user at random. Call them and identify yourself as someone who does work with the company. Tell them that you're supposed to have some new software ready for them by next week and that you need to know their password in order to finish configuring it. Do they do the right thing?

The best defense against any social engineering attack is education. Make certain the employees of your company know how to react to requests like these.
