DTI Data provides a range of services to help individuals and organizations maintain their cybersecurity.
Penetration Testing
Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. Organizations should conduct penetration testing on a regular basis to verify that the network is resilient and the infrastructure is protected from outside attack. In addition to testing the security of your network, a comprehensive penetration test will assist your organization in adhering to compliance standards such as PCI, HIPAA and GLBA. Annual testing helps reveal vulnerabilities or hidden threats that can only be identified through in-depth testing. Penetration tests are also necessary whenever your organization reconfigures the network infrastructure or makes significant software, hardware or policy changes, since each change can introduce new weaknesses. DTI Data uses advanced penetration testing techniques to identify weaknesses in the external security perimeter of the network. When vulnerabilities are identified, we attempt to exploit them by obtaining access to, or control of, selected systems. Our goal is to determine whether unauthorized access to the internal network is possible. We can perform both external and internal penetration testing and document any issues or threats we find.
Vulnerability Assessments
A vulnerability assessment, also known as vulnerability analysis, is a process that defines, identifies and classifies the security holes (vulnerabilities) in a computer, network or communications infrastructure. Vulnerability scanning identifies top risks such as misconfigured firewalls, malware hazards and remote access weaknesses, and can be used to satisfy both cybersecurity and compliance mandates. Systems and software are evaluated for vulnerabilities that weaken the security profile of the infrastructure. The list of possible vulnerabilities is endless, but some of the most common issues are found in outdated software versions, misconfigurations, insecure use of protocols (for example cleartext or legacy protocols) and services that permit anonymous access. Vulnerabilities within the infrastructure can give attackers unauthorized access to systems or the ability to inject malicious software into the environment. DTI recommends performing a vulnerability assessment alongside a penetration test so that all possible issues can be identified and remedied.
Physical Security/Social Engineering
Social engineering is the manipulation of people into performing actions or divulging confidential information; it typically involves tricking people into breaking normal security procedures. The human component is known as "wetware" in the industry and is usually the main target of social engineering attacks. Some tactics appeal to people's vanity, deference to authority or greed, but many social engineering exploits simply rely on people's willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of problem that requires access to additional network resources. The employee wants to help and gives the attacker access to the network. The weakest link in any infrastructure is its users. Most of the time a user's actions cannot be controlled or monitored until it is too late. DTI will attempt to execute a successful social engineering campaign designed to identify training deficiencies and the policies or procedures that could allow an attacker to compromise the organization. Even a single individual's actions can result in the entire organizational infrastructure being compromised. Social engineering attacks come in many different forms. Below are some of the techniques that DTI may use to test for vulnerabilities.
Types of Social Engineering Attacks
- Pretexting: Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
- Scareware: Scareware involves tricking the victim into thinking their computer is infected with malware or has inadvertently downloaded illegal content. The attacker then offers the victim a solution that will fix the bogus problem; in reality, the victim is simply tricked into downloading and installing the attacker's malware.
- Phishing: Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
- Spear Phishing: Phishing's more targeted cousin, spear phishing is a campaign aimed at employees of a specific company from which a cybercriminal is attempting to steal data. The criminal chooses a target within the organization and then researches that target online, gleaning personal information and interests from Internet searches and social media profiles. Once the criminal has a sense of the target, they send emails that seem personally relevant to the victim in order to entice them to click a malicious link or download a malicious file.
- Baiting: Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive in a place it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware.
- Email Hacking and Contact Spamming: The theft of email addresses and passwords in order to take over an account. The attacker then spams every contact in the user's address book. Because the messages come from a known sender, recipients are more likely to trust them. The main objective is to spread malware, trick people out of their personal data and more.
- Vishing: Vishing (voice phishing) involves the most direct human interaction of all of these methods. The criminal calls an employee within a company posing as a trusted individual and tries to fish for information. They may pose as a fellow employee who has lost their password and request yours, or they may ask you a series of questions to "verify your identity".
- Quid Pro Quo: Quid Pro Quo is something for something. Enticing the users with winning prizes or discounts on expensive products, this scam offers users “something” but only after they fill out a form that wants them to include their personal information. Then all of that data collected is used for identity theft.
- Tailgating: Tailgating is a physical social engineering technique that occurs when unauthorized individuals follow someone who is authorized into a secure location. The goal of tailgating is to obtain valuable property or confidential information. Tailgating could occur when someone asks you to hold the door open because they forgot their access card or have their hands full carrying something.
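As an added example (not DTI's tooling or code from this page), the following Python script triages an email for the phishing and spear-phishing indicators described above: a sender domain that impersonates the organization's domain, a Reply-To that differs from the From address, urgency language in the subject, and a link whose visible text shows a different domain than the one it actually points to. The organization domain `corp-example.com`, the keyword list and both sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "corp-example.com"  # assumption: the defended organization's mail domain
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify your")

# Constructed sample messages for this example; not real captures.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@corp-example.co>
Reply-To: account-recovery@mail-example.net
To: jane.doe@corp-example.com
Subject: Urgent: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Your password expires in 2 hours.
<a href="http://corp-example.com.login-example.net/reset">https://corp-example.com/reset</a>
Sign in now to keep access.</p>
"""

CLEAN_EMAIL = """\
From: "Jane Doe" <jane.doe@corp-example.com>
To: bob@corp-example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

See you at noon. Menu: https://corp-example.com/cafeteria
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Good enough for example.com-style names;
    a production tool would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value) -> str:
    """Domain part of the first address in a header value, or '' if absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, target: str) -> bool:
    """True when domain impersonates target: same leading label with a different
    TLD (corp-example.co) or target used as a subdomain prefix (corp-example.com.x.net)."""
    if not domain or domain == target:
        return False
    return domain.split(".")[0] == target.split(".")[0] or domain.startswith(target + ".")


def analyze(raw: str) -> list:
    """Return a list of human-readable phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = addr_domain(msg["From"])
    reply_domain = addr_domain(msg["Reply-To"])

    if from_domain != ORG_DOMAIN and looks_like(from_domain, ORG_DOMAIN):
        findings.append(f"lookalike sender domain: {from_domain}")

    # Replies silently routed to a third party are a classic pretexting setup.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain differs from sender: {reply_domain}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(f"urgency language in subject: {', '.join(hits)}")

    # Compare the domain a link displays with the domain it really targets.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable_domain(shown.group()) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group()} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, analyze(raw))
```

Each heuristic alone produces false positives (marketing mail legitimately uses urgency words, mailing lists rewrite Reply-To), so a practitioner would score the findings rather than block on any single one, and would feed the same checks into awareness training as concrete things for users to look for.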
DTI recommends that organizations regularly carry out penetration tests and vulnerability assessments that include social engineering techniques. This helps administrators learn which groups of users pose the most risk for specific types of attacks while also identifying which employees require additional training. Security awareness training is vital to preventing social engineering attacks. It is important that your users have a good understanding of the most common social engineering techniques so that they are able to recognize them, which makes your organization less likely to fall victim to these attempts.