Thursday
Room 2
13:40 - 14:40
(UTC+01)
Talk (60 min)
Social engineering pentesting - How it is done, and what you should think about
If we look at the US, we see that testing the human element is becoming more common in cyber security. In recent years, several organizations in Norway have run more phishing exercises, and more and more people want to test the human element through physical pentests. In 2020, GoDaddy launched a phishing exercise targeting 500 employees, using a Christmas bonus as a lure. Those who failed the test were punished with an extra workload. This caught international media attention and raised the question: Is it morally sound to target people?
Over the years, pentesting humans by leveraging social engineering techniques has become increasingly important to many organizations, and rightfully so. While many focus on the performance of a social engineering engagement, fewer deal with the post-engagement process. How do we deal with the results of a social engineering engagement? How does a target feel afterward, knowing they have been duped, and who is helping them?
Taking care of those affected by social engineering engagements is pivotal in making an engagement a positive learning experience and avoiding negative outcomes. If the post-engagement process is poor and turns into a blame game, one could argue that the pentest itself was futile, as there would be no room for creating a learning environment.
A social engineering pentest puts humans, not systems as in technical pentests, to the test. As a result, the people affected can feel they have failed as humans and not just failed professionally. Distress, psychological strain, and self-blame are just some of the effects that can hit a person who is not treated correctly in the aftermath of a pentest.
Together, we will take a deep dive into the processes of how a physical social engineering test is carried out by walking through a previous test and reviewing the tools that were used and what you have to think about before and after a social engineering test.
When we want to test the human element, it is easy to make mistakes and end up with dissatisfied employees or with a test where the results are not useful for the company. It is, therefore, important to evaluate what the desired value is from performing a social engineering test and to think about how it should be carried out.
This presentation seeks to highlight the possible pitfalls in handling the aftermath of social engineering engagements and explores various challenges and proposed solutions to problems that may arise. This will hopefully help companies make the right choices and ask the right questions before ordering a cyber security test of their employees.