Solved

some suggestions on Social Engrg tests

Posted on 2016-08-16
2
59 Views
Last Modified: 2016-08-17
Need some suggestions on some SOcial Engineering tests, esp ones for banking environment
0
Comment
Question by:sunhux
2 Comments
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 250 total points
ID: 41757750
basically for banking environment a social engineering test is intended to manipulate bank staff into allowing unauthorised access to confidential information including customer profiles and transactions as well as business secrets of the bank. this aims to test the bank's security policy and their staffs adherence to that policy.

therefore some key points for the testers:

1. obtain the authorisation in writing from the management before doing anything.

2. make sure no bank staff (except the management) acknowledges the test. it should be a pure blind test, in order to check the actual conduct of bank staff and their procedures in use.

3. have a good understanding about the bank's business model, team structure, people and culture. this is very important for onsite and remote employee impersonation.

4. have well predefined scenarios and stories to make sound excuses or exceptions to bypass the bank's policy.

5. cover both onsite and remote engagement tests. be aware remote tests can be via phone calls, email phishing and third-parties.

6. details matter. make sure every little thing looks like real though probably everything is fake, from accent to uniform and from email wording to story telling.
0
 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 41758003
For banking specific, should have test on phished email revolving the context on
- Beware of Ransomware telling to install AV or special helpdesk service or mobile apps  
- Detecting Transaction Fraud such as increase limit or adhoc transfer from personal account,
- Identify CEO Fraud on authorisation,
- Identify HR or Finance Urgent Fund transfer,
- Reveal Red flag on online pay scheme like paypal asking account changes
-Verify Sensitive information for relogin to confirm of transfer originate from true source
- Verify Mobile PIN received on smartphone or token in web page link

Cjheck out more templates - https://blog.knowbe4.com/new-knowbe4-phishing-templates-a-summary-7/30/2016
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
The goal of the tutorial is to teach the user how to block contacts and manage the block contact list.
This Micro Tutorial will give you a basic overview of Skype through its settings, interface, and features.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now