Social engineering survey for master thesis - Social engineering as a tool for testing computer systems security

Summary

Name and Surname
Pavol LuptákJayson E StreetEszter OrosziMartin PsarskyNick Drage
Company
Nethemba s.r.o.http://stratagem-one.com/kancellar.huESETFirst Defence
Your position
Security consultantCIOinformation security consultantSecurity ConsultantSenior Security Consultant
Practical experience
1412377
Link to your public CV
http://trip.sk/wilder/cv/cv-comprehensive.htmlhttp://f0rb1dd3n.com/author.phphttp://www.linkedin.com/pub/eszter-oroszi/45/ab6/906n/a
When you are doing social engineerig (SE) test, what types of SE attacks you do or perform most often?
no non-technical attacks yes technical attacks: phishing simulation, sms sender spoofing, caller id spoofingForged email Piggy backing entry Finding unsecured access doors Malware on USB A Hak 5 rubber ducky SET exploit pack on BT5impersonation, piggybacking, tailgating, phone attacks, dumpster diving, infected mails and phishingphishing vishing spoofed SMS removable media physical accessNon-technical: Onsite intrusion against offices Telephone based attacks against call centres General telephone based attacks Technical: Malicious attachments sent by email Very targeted malicious softwar...
Which ways/channels do you prefer to conduct SE attacks?
90% Internet channel, 10% telecommunication/mobile channel, 0% physical access/contactMine are mostly exclusively physical on site internet 90%, phone 5%, physical 5%Inet - 30%, telco + mobile - 20+20%, physical - 30%Internet channel: 30 Telecommunications channel: 10 Mobile channel: 10 Physical access/contact: 50
For each type of attack, mark the level of potential threat to security of a company. - Trashing/Dumpster diving
100%
2120%
3120%
4360%
500%
For each type of attack, mark the level of potential threat to security of a company. - Spying/Shoulder surfing
100%
2120%
3120%
4360%
500%
For each type of attack, mark the level of potential threat to security of a company. - Techie Talk
100%
2120%
3360%
4120%
500%
For each type of attack, mark the level of potential threat to security of a company. - Ten attack
100%
2120%
3240%
4240%
500%
For each type of attack, mark the level of potential threat to security of a company. - Piggybacking
100%
200%
3120%
4360%
5120%
For each type of attack, mark the level of potential threat to security of a company. - Phishing
100%
200%
3120%
4240%
5240%
For each type of attack, mark the level of potential threat to security of a company. - Pharming
100%
200%
3120%
4240%
5240%
For each type of attack, mark the level of potential threat to security of a company. - Caller-ID and SMS spoofing
100%
200%
3120%
4120%
5360%
For each type of attack, mark the level of potential threat to security of a company. - Road apples
100%
2120%
300%
4360%
5120%
For each type of attack, mark the level of potential threat to security of a company. - Whaling attack
100%
200%
3120%
4240%
5240%
For each type of attack, mark the level of potential threat to security of a company. - Mumble attack
100%
2120%
3120%
4360%
500%
For each type of attack, mark the level of potential threat to security of a company. - Vishing
100%
200%
3360%
4120%
5120%
For each type of attack, mark the level of potential threat to security of a company. - Reverse social engineering
100%
200%
3360%
4240%
500%
When you are assessing security of various companies, have these companies implemented security guidelines or rules which are directed to defend against SE attacks?
Don't know.10% have it 90% don'tYes, have rules - 70%not specifically against SE attacks, they usually have general rules for employees and if followed would provide some level of protection against SE attacks, no special rules or education regarding SE though, therefore 20-80%Have rules/guidelines - 40 Don't have rules/guidelines - 60 But I think our customers are above average for their industry sectors in general.
What are the most dangerous types of SE attacks according to your opinion?
SMS/CallerID spoofing Piggybacking Reverse social engineeringNew hire employees or Job applicant attack. Being polite and just walking in like you belong.All... :) But maybe phishing and impersonation.phishing, whaling, vishingThat's a difficult question to answer, as so much hinges on how you'd define "dangerous". To me it's the physical attacks against a company's premises, while they put the attacker at the moment risk that physical access can present the greatest danger to a company.
Google Forms
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit
Delete
Duplicate
Edit