Leeds, 2nd July 2014: IT security management and compliance company RandomStorm has published a book explaining how organisations can perform structured tests to check for security vulnerabilities created by human weaknesses such as gullibility, pride and fear.
The book, “Social Engineering Penetration Testing,” was published by Elsevier on 30th June 2014 and is written for information security practitioners, network and computer system administrators and IT professionals. It portrays real-life scenarios to help train employees to recognise common social engineering tactics and stop an attack in progress. Examples show how criminals have used phishing, telephone pretexting and physical props to manipulate employees into divulging information, or into performing activities on their behalf that compromise information security or put physical assets at risk. The book also provides detailed frameworks that enable organisations to assess how well a social engineering penetration test has been performed by their security auditor.
RandomStorm co-founder and technical director, Andrew Mason, was commissioned to write the book following a meeting with Elsevier at Infosecurity Europe last year. His co-writers are Richard Ackroyd and Gavin Watson, Senior Security Engineer and head of the RandomStorm Social Engineering Team.
At this year’s Infosecurity Europe show, Gavin Watson presented excerpts from the book, in the Business Strategy Theatre, to a packed audience.
Andrew Mason explains, “We have shared some of the social engineering pen testing techniques that we have successfully used at client sites to access restricted areas or sensitive information. Using the book’s examples, organisations can gain a much better understanding of the many ways that criminals employ social engineering. We walk you through the practical steps to improving defences in response to pen test results.”
Gavin Watson continues, “Too many times, social engineering pen tests will simply involve an auditor donning a high vis vest, or carrying a coffee cup and trying to blag their way past reception. What our book describes is how to develop a full risk framework that assesses every social engineering avenue that could be exploited by a criminal targeting your organisation.”
“We want to get away from just putting a tick in the compliance box and help organisations to genuinely improve their security through comprehensive tests that underpin policies, processes and training.”
- Elsevier: “Social Engineering Penetration Testing,” Gavin Watson, Andrew Mason, Richard Ackroyd. https://www.elsevier.com/books/social-engineering-penetration-testing/watson/978-0-12-420124-8
- Infosecurity Europe, Business Strategy Theatre, 1.20pm, 30th April 2014: “So you think your organisation is secure, think again. Social engineering, a view from the dark side,” Gavin Watson. http://www.infosec.co.uk/en/Sessions/4692/So-you-think-your-organisation-is-secure-think-again-Social-Engineering-a-view-from-the-dark-side
- Channel 4 Dispatches, 8pm Monday 14th May 2012, “Watching the Detectives,” Chris Atkins speaks to Gavin Watson about the problem of blaggers accessing personally identifiable data. http://www.channel4.com/programmes/dispatches/episode-guide/series-109/episode-1
- Raconteur, 21st March 2014, “People are ‘Wet’ with security,” Charles Orton-Jones talks to Gavin Watson about the human risk factor in information security. http://raconteur.net/technology/people-are-wet-with-security
- The Data Protection Act 1998, Section 55, “unlawful obtaining etc., of personal data.” http://www.legislation.gov.uk/ukpga/1998/29/section/55
RandomStorm is a UK-based network security, vulnerability management and compliance company, focused on providing enterprise-level, proactive security management tools and services. RandomStorm’s experienced and certified security experts offer customers a wide range of integrated, world-class security vulnerability assessment and professional security services. Covering initial consultancy and gap analysis through to network and application testing, as well as managing clients’ business compliance accreditation processes, RandomStorm aims to work with organisations to ensure that their security investment is fully optimised on a 24/7/365 basis.
RandomStorm’s core products are supported by a range of complementary monitoring, alerting and remediation tools and services developed under the RandomStorm Open Source Initiative.
RandomStorm is a CESG CHECK security consultancy as well as a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV) for the Payment Card Industry Data Security Standard (PCI DSS). Please visit http://www.randomstorm.com for further information.