Email phishing remains the number one method attackers use to gain access to personal and organizational information due to the misaligned trust people have with the Internet and email and the anonymity it provides the attacker. Email phishing attacks are becoming more creative and widespread; almost every organization has been the subject of an attack at one point or another.
Our email phishing security awareness testing methodology ensures employees are properly adhering to organizational policies and procedures and prepared for "real world" attempts. We have developed a comprehensive suite of phishing websites and email approaches to test employee susceptibility to email and website phishing attacks as well as the logical controls designed to prevent unauthorized disclosure of sensitive personal or organization information.
Pretext calling (the practice of obtaining information based on a pretext or fraudulent means) is an ongoing security risk for organizations. Pretext callers rely on people's inherent assistive or giving nature to solicit and use information to perform unauthorized activities. Pretext callers use a wide variety of techniques to solicit information, such as:
An often asked question is, "What constitutes protected information?" While the answer may seem simple (customer social security numbers, bank account information, etc.), pretext callers can use seemingly innocuous information to help build and prepare for larger scope attacks. For example, a pretext caller may query employees about security controls or computer configurations to help facilitate a computer or electronic information attack.
Our security awareness testing methodology employs current pretext calling techniques to ensure employees are properly adhering to organizational policies and procedures and prepared for "real world" pretext calls. Security awareness testing also evaluates the internal security awareness training program for appropriateness and adherence to regulatory requirements.
The physical and logical security provisions organizations employ to protect locations and sensitive information, while extremely important, are only one piece of the security puzzle. The most important piece of the puzzle remains the employee. Every cypher lock, deadbolt, and keycard/fob reader can be bypassed by a cunning intruder using an employee's willingness to be helpful. Location visits evaluate administrative and physical security provisions used to restrict access to sensitive areas and information. Generally, L3 Solutions personnel masquerade as legitimate employees, vendors, etc. and attempt to gain access to restricted areas and information (data closets, filing rooms, storage areas, etc.).
Our security awareness testing methodology ensures employees are properly adhering to organizational policies and procedures and prepared for "real world" attempts to gain access to restricted areas and information. Security awareness testing also evaluates the internal security awareness training program for appropriateness and adherence to regulatory requirements.
Securing information after hours is an overlooked aspect of security awareness training. Most organizations have policies and procedures for securing hard copy and electronic information when left unattended both during business hours and after; however, ensuring these policies and procedures are followed is usually difficult for organizational personnel (internal audit or security staff) due to a lack of experience performing such tests, additional resource expenditure, and the feeling of privacy invasion.
Our after-hours security awareness testing methodology ensures employees are properly adhering to organizational policies and procedures and prepared for "real world" attempts to gain access to restricted areas and information. After-hours walkthroughs evaluate employee security awareness training and physical security controls for protecting sensitive areas and information. We perform detailed after-hours inspections of non-public work areas to ensure the implementation and use of physical security controls and compliance with established policies and procedures designed to protect sensitive work areas and information.
Copyright © 2021 L3 Solutions LLC - All Rights Reserved.