Special Security Services
Social engineering, as is well known, is the art of manipulation and has for ages been used successfully to deceive people into divulging confidential information. The social engineer targets people, the weakest link in PPT (People, Process and Technology), so physical and logical security barriers are of little use against it. Users who have access to sensitive information are often the root cause of data loss.
The objective of the social engineering service is to identify the media and mechanisms through which data may be disclosed and to perform a complete risk assessment through a systematic approach, enabling organizations to meet their targeted compliance needs.
Varutra offers the following types of testing services to protect the organization against the possibility of data compromise through deception, technical error or human error:
Passive internet exploration: the company website, search engine results, social networking sites and DNS records are examined to find company and employee information. This information typically comprises an employee's email address, contact information, work location, job title, employment history, and much more.
Such information is then used in more advanced attacks, such as:
Telephonic social engineering: targeting employees with fake calls that impersonate someone they know, in an attempt to extract sensitive information.
Email attack: a controlled and customized spear-phishing attack in which emails with malicious links are sent to users to lure them into clicking, in order to collect sensitive information and/or carry out malicious activity in the user's browser and/or on the organization's network.
Physical Security Testing: Varutra consultants use the information collected during passive exploration to target the organization's physical sites. The activity involves bypassing physical security controls to gain access to floors and sensitive areas, including data centers. Consultants will try to social engineer security personnel and employees, tailgate through various entries and exits, pose as vendors or guests to reach departments, steal confidential documents, etc. The activity is not limited to bypassing building access control; it can also involve testing LAN jack (network port) and Wi-Fi access controls to gain network access.
Dumpster Diving: going through disposed documents and waste bins to collect sensitive data.
USB Drop: creating malicious USB drives and other portable media, dropping them at various places in the organization, and recording which users connect them.
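The DNS records gathered during passive exploration also reveal how easily the organization's own mail domain can be impersonated, which is what the email and telephone attacks above rely on. The following is an added example, not Varutra's tooling: it takes the TXT records a passive lookup would return for an apex domain and its _dmarc subdomain, parses the SPF and DMARC policies and classifies spoofing exposure. All domains, records and the verdict thresholds are constructed assumptions.

```python
"""Assess how easily mail from a target domain can be forged, using only the
TXT records a passive DNS lookup returns.

Added example, not Varutra's tooling. Domains and records are constructed;
in an engagement they come from looking up the apex domain and _dmarc.<domain>.
"""

# Constructed sample: a domain with a softfail SPF and a monitor-only DMARC policy.
SAMPLE_TXT_RECORDS = {
    "example.invalid": [
        "v=spf1 include:_spf.mail.example.invalid ip4:203.0.113.0/24 ~all",
        "site-verification=abc123",  # unrelated TXT record, must be ignored
    ],
    "_dmarc.example.invalid": [
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
    ],
}
# Constructed comparison: the same kind of domain after hardening.
HARDENED_TXT_RECORDS = {
    "hardened.invalid": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.hardened.invalid": [
        "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@hardened.invalid",
    ],
}


def parse_spf(records):
    """Return the SPF mechanisms (the terms after v=spf1), or None if unpublished."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            return rec.split()[1:]
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict (keys lower-cased), or None if unpublished."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess_spoofability(domain, txt_records):
    """Classify spoofing exposure of `domain` as 'high', 'medium' or 'low'.

    Returns (verdict, findings). The verdict follows the DMARC policy: SPF alone
    is evaluated against the envelope sender, so only DMARC ties the result to
    the From: header the victim actually sees. SPF details are supporting findings.
    """
    findings = []
    spf = parse_spf(txt_records.get(domain, []))
    dmarc = parse_dmarc(txt_records.get(f"_dmarc.{domain}", []))

    if spf is None:
        findings.append("no SPF record: receivers cannot distinguish authorised senders")
    else:
        all_term = next((m for m in spf if m.lstrip("+-~?") == "all"), None)
        qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
        if all_term is None:
            findings.append("SPF has no 'all' term: unlisted senders get a neutral result")
        elif qualifier == "+":
            findings.append("SPF ends in +all: any host may send as this domain")
        elif qualifier == "?":
            findings.append("SPF ends in ?all (neutral): failures carry no weight")
        elif qualifier == "~":
            findings.append("SPF ends in ~all (softfail): forged mail is usually still delivered")
        else:
            findings.append("SPF ends in -all (hardfail)")

    if dmarc is None:
        findings.append("no DMARC record: spoofed From: addresses are never rejected")
        policy = "none"
    else:
        policy = dmarc.get("p", "none").lower()
        findings.append(f"DMARC policy p={policy}")
        if policy == "none":
            findings.append("p=none only monitors; spoofed mail is still delivered")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC enforced on only {dmarc['pct']}% of messages")
        if "rua" not in dmarc:
            findings.append("no rua= address: the organisation receives no aggregate reports")

    verdict = {"reject": "low", "quarantine": "medium"}.get(policy, "high")
    return verdict, findings


if __name__ == "__main__":
    for name, recs in (("example.invalid", SAMPLE_TXT_RECORDS),
                       ("hardened.invalid", HARDENED_TXT_RECORDS)):
        verdict, findings = assess_spoofability(name, recs)
        print(f"{name}: spoofing exposure {verdict}")
        for f in findings:
            print("  -", f)
```

The check is deliberately limited to what passive TXT lookups expose: it does not resolve `include:` chains or test DKIM, since a DKIM key is only visible if the selector name is known. A 'high' verdict is the practical go-ahead for a spoofed-From phishing wave in the exercise; a 'low' verdict means the pretext must come from a look-alike domain instead.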
- Assessment of preparedness against impersonation attacks.
- Assessment of the probability and consequences of gaps in physical security.
- Onsite and offsite testing to cover threats from internal and external perspectives.
- Helps improve the information security awareness program across the organization.
Because organizations rely on email and Internet connectivity, there is no guaranteed way to stop a determined intruder from reaching the business network. Phishing is a form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently obtain a legitimate user's confidential or financial data or sensitive credentials by posing as a legitimate party. There are many types of phishing, such as:
- Spear Phishing
- Phone Phishing
- Clone Phishing
- Web Based Phishing
The objective of the Phishing Diagnostic Service provided by Varutra is to assess the risk an organization carries through its public and social presence, in terms of people, process and technology. There are many ways to protect an organization from technology-related attacks, but the insecurity associated with the other two Ps, Process and People, remains, and neglecting them may lead to severe security consequences. Through the Phishing Diagnostic Service, Varutra reduces this risk and minimizes the security issues that can have a business impact on the organization.
- Helps the organization understand the behavioral response of employees and their preparedness against impersonation attacks.
- Reduces the overall security risk arising from phishing attacks by protecting the organization's social and public presence.
- Helps improve information security in the organization through the awareness program.
- Prevention of reputational loss, financial loss and remediation cost due to phishing attacks.
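A controlled spear-phishing test, as described under the Email attack item and the Phishing Diagnostic Service above, has to attribute every click and credential submission to a specific recipient without placing email addresses in the tracking links. The following is an added example, not Varutra's tooling: each recipient is given a link carrying an HMAC-derived token, and the landing server's access log is parsed to count per-recipient clicks and form submissions and to separate them from hits by unknown parties. The recipient list, campaign key, landing host and log lines are constructed.

```python
"""Attribute clicks and credential submissions in a controlled spear-phishing
test to individual recipients, using per-recipient HMAC tokens.

Added example, not Varutra's tooling. Recipients, campaign key, landing host
and log lines are constructed.
"""
import hmac
import hashlib
import re
from urllib.parse import urlparse, parse_qs

CAMPAIGN_KEY = b"hypothetical-per-campaign-random-secret"  # generate fresh per campaign
LANDING_HOST = "track.example.invalid"                      # hypothetical landing page

# Constructed target list for the exercise.
RECIPIENTS = [
    "a.sharma@example.invalid",
    "b.patel@example.invalid",
    "c.rao@example.invalid",
]


def recipient_token(email, key=CAMPAIGN_KEY):
    """Opaque per-recipient token: an HMAC over the normalised address, so the
    link carries no e-mail address and one recipient cannot derive another's."""
    mac = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_url(email, key=CAMPAIGN_KEY):
    """The link placed in the test mail for this recipient."""
    return f"https://{LANDING_HOST}/login?t={recipient_token(email, key)}"


# Constructed combined-format access log from the landing server. TOKEN_A and
# TOKEN_B are filled in with the real tokens so the sample matches what the
# server would record: recipient A loads the page and submits the form, B loads
# it twice, and an unknown scanner hits the page with a token that belongs to nobody.
SAMPLE_LOG_TEMPLATE = """\
198.51.100.7 - - [12/Mar/2024:09:14:02 +0530] "GET /login?t=TOKEN_A HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:14:09 +0530] "POST /login?t=TOKEN_A HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.22 - - [12/Mar/2024:09:20:41 +0530] "GET /login?t=TOKEN_B HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.22 - - [12/Mar/2024:09:21:15 +0530] "GET /login?t=TOKEN_B HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:02:33 +0530] "GET /login?t=deadbeefdeadbeef HTTP/1.1" 200 1834 "-" "curl/8.4"
192.0.2.9 - - [12/Mar/2024:10:02:35 +0530] "GET /robots.txt HTTP/1.1" 404 0 "-" "curl/8.4"
"""


def build_sample_log():
    return (SAMPLE_LOG_TEMPLATE
            .replace("TOKEN_A", recipient_token(RECIPIENTS[0]))
            .replace("TOKEN_B", recipient_token(RECIPIENTS[1])))


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def attribute_clicks(log_text, recipients, key=CAMPAIGN_KEY):
    """Map tracked hits back to recipients.

    Returns (per_recipient, unknown): per_recipient counts page loads
    ('clicked') and form posts ('submitted') per address; unknown lists
    (ip, token) pairs whose token matches no recipient, e.g. scanners or
    links forwarded outside the target list.
    """
    token_to_email = {recipient_token(e, key): e.strip().lower() for e in recipients}
    per_recipient = {e: {"clicked": 0, "submitted": 0} for e in token_to_email.values()}
    unknown = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        token = parse_qs(urlparse(m["path"]).query).get("t", [None])[0]
        if token is None:
            continue  # not a tracking URL (robots.txt, favicon, ...)
        email = token_to_email.get(token)
        if email is None:
            unknown.append((m["ip"], token))
        elif m["method"] == "GET":
            per_recipient[email]["clicked"] += 1
        elif m["method"] == "POST":
            per_recipient[email]["submitted"] += 1
    return per_recipient, unknown


def summarise(per_recipient):
    """Headline numbers for the report: recipients who clicked at least once
    and recipients who submitted credentials at least once."""
    return {
        "recipients": len(per_recipient),
        "clicked": sum(1 for r in per_recipient.values() if r["clicked"]),
        "submitted": sum(1 for r in per_recipient.values() if r["submitted"]),
    }


if __name__ == "__main__":
    per_recipient, unknown = attribute_clicks(build_sample_log(), RECIPIENTS)
    print(summarise(per_recipient), per_recipient, unknown, sep="\n")
```

Two operational caveats follow from this design. The campaign key plus the recipient list is the only way to turn tokens back into names, so both belong to the assessment team alone and the mapping should be destroyed once the report is delivered, as the results identify individual employees. Second, mail security gateways frequently pre-fetch links, which registers as a GET with no human behind it; the report should rely on distinct recipients rather than raw hit counts, and use user agent and timing to discount automated loads.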