Solved

some suggestions on Social Engrg tests

Posted on 2016-08-16
2
91 Views
Last Modified: 2016-08-17
Need some suggestions on some SOcial Engineering tests, esp ones for banking environment
0
Comment
Question by:sunhux
2 Comments
 
LVL 37

Assisted Solution

by:bbao
bbao earned 250 total points
ID: 41757750
basically for banking environment a social engineering test is intended to manipulate bank staff into allowing unauthorised access to confidential information including customer profiles and transactions as well as business secrets of the bank. this aims to test the bank's security policy and their staffs adherence to that policy.

therefore some key points for the testers:

1. obtain the authorisation in writing from the management before doing anything.

2. make sure no bank staff (except the management) acknowledges the test. it should be a pure blind test, in order to check the actual conduct of bank staff and their procedures in use.

3. have a good understanding about the bank's business model, team structure, people and culture. this is very important for onsite and remote employee impersonation.

4. have well predefined scenarios and stories to make sound excuses or exceptions to bypass the bank's policy.

5. cover both onsite and remote engagement tests. be aware remote tests can be via phone calls, email phishing and third-parties.

6. details matter. make sure every little thing looks like real though probably everything is fake, from accent to uniform and from email wording to story telling.
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41758003
For banking specific, should have test on phished email revolving the context on
- Beware of Ransomware telling to install AV or special helpdesk service or mobile apps  
- Detecting Transaction Fraud such as increase limit or adhoc transfer from personal account,
- Identify CEO Fraud on authorisation,
- Identify HR or Finance Urgent Fund transfer,
- Reveal Red flag on online pay scheme like paypal asking account changes
-Verify Sensitive information for relogin to confirm of transfer originate from true source
- Verify Mobile PIN received on smartphone or token in web page link

Cjheck out more templates - https://blog.knowbe4.com/new-knowbe4-phishing-templates-a-summary-7/30/2016
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As cyber crime continues to grow in both numbers and sophistication, a troubling trend of optimization has emerged over the last year.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Viewers will learn how to use the Hootsuite Dashboard.
This Micro Tutorial will give you a basic overview of Skype through its settings, interface, and features.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question