IT Examiner School
External Vulnerability Assessment
No findings were identified during the vulnerability assessment/penetration test phase of the audit.
Social Engineering Test
Social engineering is defined as the exploitation of the natural human tendency to trust, with the goal of obtaining information that will allow the attacker to gain unauthorized access to a valued system and the information that resides on that system. The basic goals of social engineering are the same as those of hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network. Contingent utilizes two methods of “persuasion” tactics for social engineering testing: physical and psychological. The following information describes the activities we performed and the results achieved, as reported by our Security Consultant.
Scenario #1: Phoned main number (555) 123-7642
“Posing as an A/R person for Local Market, I informed the bank representative that I had a check from a customer drawn on their institution and that I needed to verify funds. The representative stated that they do not verify funds over the phone. I told her that I had the account number and check number and that I could not reconnect the customer’s services without verification. The representative told me that I could fax the check to them at 555-123-2365 with the requested information and that only then could they verify funds.”
Scenario #2: Phishing email to 10 employees
“I sent an email to the ten selected employees that offered them a $25.00 Starbucks Gift Card if they would participate in a banking survey regarding their compensation package. Within the email, there was a link to click, which, if clicked, would take them to a faux site that asked for their personal confidential information. It asked for their social security number, date of birth, network user ID, and mother’s maiden name. Seven of the employees did not click on the link, one clicked on the link but didn’t enter any information, and two employees entered all requested information. Management should provide additional training to the employees who clicked on the link, especially the two that provided PII.”
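The phishing scenario above reports a per-employee outcome (did not click, clicked only, or clicked and submitted data) and recommends follow-up training for the last two groups. The following is an added example, not part of the original report or the consultant's own tooling, of how a tester would reduce a raw event log from such a campaign to one worst-case outcome per recipient, a summary, and a follow-up list. The log format, event names and user IDs are constructed for illustration and do not correspond to any vendor's product; the sample log is built so that its counts match the scenario's seven/one/two split.

```python
"""Phishing-simulation outcome tally (added example; constructed data)."""
import re
from collections import Counter

# Outcome ranking for one recipient: a later, milder event never downgrades an
# earlier, more serious one (someone who submitted the form stays "submitted").
OUTCOME_RANK = {"no_click": 0, "clicked": 1, "submitted": 2}

# Hypothetical event names mapped to the outcome each establishes.
EVENT_OUTCOME = {
    "email_delivered": "no_click",
    "link_clicked": "clicked",
    "form_submitted": "submitted",
}

# Line format (hypothetical): "<timestamp> <user_id> <event>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<event>\S+)$")

# Constructed sample log for a ten-recipient campaign. Every recipient has a
# delivery event; u04 clicks twice but never submits; u07 and u09 click and
# then submit the faux form. One malformed line is included deliberately.
SAMPLE_LOG = """\
2024-03-04T09:00:00 u01 email_delivered
2024-03-04T09:00:00 u02 email_delivered
2024-03-04T09:00:00 u03 email_delivered
2024-03-04T09:00:00 u04 email_delivered
2024-03-04T09:00:00 u05 email_delivered
2024-03-04T09:00:00 u06 email_delivered
2024-03-04T09:00:00 u07 email_delivered
2024-03-04T09:00:00 u08 email_delivered
2024-03-04T09:00:00 u09 email_delivered
2024-03-04T09:00:00 u10 email_delivered
2024-03-04T09:14:22 u04 link_clicked
2024-03-04T09:14:25 u04 link_clicked
2024-03-04T09:31:07 u07 link_clicked
2024-03-04T09:32:40 u07 form_submitted
this line is garbage and should be skipped
2024-03-04T10:05:51 u09 link_clicked
2024-03-04T10:06:19 u09 form_submitted
"""


def parse_log(text):
    """Return (timestamp, user, event) tuples, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore noise rather than abort the whole tally
        events.append((m["ts"], m["user"], m["event"]))
    return events


def tally_outcomes(events):
    """Reduce the event stream to a single worst-case outcome per recipient."""
    outcomes = {}
    for _ts, user, event in events:
        outcome = EVENT_OUTCOME.get(event)
        if outcome is None:
            continue  # unknown event type; not part of the scoring
        current = outcomes.setdefault(user, "no_click")
        if OUTCOME_RANK[outcome] > OUTCOME_RANK[current]:
            outcomes[user] = outcome
    return outcomes


def summarize(outcomes):
    """Counts per outcome plus the overall click rate (clicked or submitted)."""
    counts = Counter(outcomes.values())
    total = len(outcomes)
    clicked_any = counts["clicked"] + counts["submitted"]
    return {
        "recipients": total,
        "no_click": counts["no_click"],
        "clicked": counts["clicked"],
        "submitted": counts["submitted"],
        "click_rate": round(clicked_any / total, 2) if total else 0.0,
    }


def follow_up_list(outcomes):
    """Recipients needing additional training, most serious outcome first."""
    return sorted(
        (u for u, o in outcomes.items() if o != "no_click"),
        key=lambda u: (-OUTCOME_RANK[outcomes[u]], u),
    )


if __name__ == "__main__":
    results = tally_outcomes(parse_log(SAMPLE_LOG))
    print(summarize(results))
    for user in follow_up_list(results):
        print(f"{user}: {results[user]}")
```

Ordering the follow-up list by worst outcome first matches the report's emphasis on the employees who provided PII; the malformed line is skipped rather than fatal so a partially corrupted export still yields a usable tally.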
Scenario #3: Site Visit to North Branch
“Posing as an Energy Consultant from Excellent Energy, I introduced myself, explaining that I was there to do a Lighting Evaluation under the company’s energy efficiency initiative. I had paperwork which I had downloaded from Excellent Energy’s web site and a false ID badge. The employee was concerned and asked a higher-level employee whether I was to be escorted in the facility at all times. I was allowed into the