Browse Definitions:
Definition

social engineering penetration testing

Contributor(s): Matthew Haughn

Social engineering penetration testing is the practice of attempting typical social engineering scams on a company’s employees to ascertain the organization's level of vulnerability to that type of exploit.

Social engineering pen testing is designed to test employees' adherence to the security policies and practices defined by management. Testing should provide a company with information about how easily an intruder could convince employees to break security rules or divulge or provide access to sensitive information. The company should also get a better understanding of how successful their security training is and how the organization stacks up, security-wise, in comparison to their peers. 

Social engineering testing may be conducted as part of more comprehensive penetration tests (pen tests). Like ethical hacking methods, the tests themselves generally replicate the types of efforts that real-world intruders use.

Physical testing, for example, might involve a tester trying to enter a secured building at a time when many employees are entering, perhaps talking on a phone and carrying multiple items to see if someone just holds the door open rather than adhering to the approved procedure of letting the door close after them so any person following must use an employee card or badge for entry. 

Phishing exploits, a common social engineering method, are often used to test employee vulnerability. Testers might send an email purportedly from someone in management asking the employee to open an unexpected attachment, provide sensitive information or visit an unapproved website.

A tester might call employees pretending to be someone in IT, providing them with new passwords and telling them to change their current passwords to the new ones. 

See Valerie Thomas' presentation on social engineering pen testing:

 

This was last updated in January 2015

Continue Reading About social engineering penetration testing

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

There's certainly not enough of this testing taking place today. Many people think their vulnerability scans using a free/open source vulnerability scanner is all that's needed. Those are often the people who end up here:
http://www.privacyrights.org/data-breach

Cancel
Do this. Do this A LOT. Do it regularly. I would even take the time to educate the C-suite folks about the importance of this. And make it tied to HR, bonuses, evaluations. If someone in your business is leaving the door open for thieves and data breaches, they should not be your employee. Test people and educate them.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if ...

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • audit program (audit plan)

    An audit program, also called an audit plan, is an action plan that documents what procedures an auditor will follow to validate ...

SearchSecurity

  • insider threat

    Insider threat is a generic term for a threat to an organization's security or data that comes from within.

  • ransomware

    Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is ...

  • hacker

    A hacker is an individual who uses computer, networking or other skills to overcome a technical problem.

SearchHealthIT

SearchDisasterRecovery

  • business continuity and disaster recovery (BCDR)

    Business continuity and disaster recovery (BCDR) are closely related practices that describe an organization's preparation for ...

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

SearchStorage

SearchSolidStateStorage

  • 3D XPoint

    3D XPoint is memory storage technology jointly developed by Intel and Micron Technology Inc.

  • RRAM or ReRAM (resistive RAM)

    RRAM or ReRAM (resistive random access memory) is a form of nonvolatile storage that operates by changing the resistance of a ...

  • JEDEC

    JEDEC is a global industry group that develops open standards for microelectronics.

SearchCloudStorage

  • Google Cloud Storage

    Google Cloud Storage is an enterprise public cloud storage platform that can house large unstructured data sets.

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

Close