Solved

some suggestions on Social Engrg tests

Posted on 2016-08-16
118 Views
Last Modified: 2016-08-17
Need some suggestions on some Social Engineering tests, esp ones for banking environment
Question by:sunhux
2 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 250 total points
ID: 41757750
Basically, for a banking environment a social engineering test is intended to manipulate bank staff into allowing unauthorised access to confidential information, including customer profiles and transactions as well as business secrets of the bank. This aims to test the bank's security policy and their staff's adherence to that policy.

Therefore, some key points for the testers:

1. Obtain the authorisation in writing from the management before doing anything.

2. Make sure no bank staff (except the management) acknowledges the test. It should be a pure blind test, in order to check the actual conduct of bank staff and their procedures in use.

3. Have a good understanding of the bank's business model, team structure, people and culture. This is very important for onsite and remote employee impersonation.

4. Have well-predefined scenarios and stories to make sound excuses or exceptions to bypass the bank's policy.

5. Cover both onsite and remote engagement tests. Be aware remote tests can be via phone calls, email phishing and third parties.

6. Details matter. Make sure every little thing looks real even though probably everything is fake, from accent to uniform and from email wording to storytelling.
LVL 64

Accepted Solution

by: btan
btan earned 250 total points
ID: 41758003
For banking specifically, there should be tests on phishing emails revolving around contexts such as:
- Beware of ransomware telling you to install AV or a special helpdesk service or mobile apps
- Detecting transaction fraud such as an increased limit or an ad hoc transfer from a personal account
- Identify CEO fraud on authorisation
- Identify HR or Finance urgent fund transfer
- Reveal red flags on an online pay scheme like PayPal asking for account changes
- Verify sensitive information for re-login to confirm a transfer originates from the true source
- Verify mobile PIN received on smartphone or token in a web page link

Check out more templates - https://blog.knowbe4.com/new-knowbe4-phishing-templates-a-summary-7/30/2016
