ERE Information Security Auditors

Social Engineering or Pretexting Audit

The goal of the social engineering audit, or pretexting assessment, is to identify flaws or gaps in the enforcement of security and compliance policy.  Pretexting uses low-tech methods, perhaps nothing more than a pleasant smile accompanied by an innocuous request, to gain unauthorized access to:

  • physical locations such as offices, computer rooms, telephone rooms and mail rooms.
  • unattended workstations.
  • highly confidential hard-copy documentation.

Impersonation, either during a visit to an office location or over the telephone, is used to manipulate unsuspecting employees into providing information or physical access.

Revelations of a Pretext Audit
Our clients gain a clear understanding of where security policy is not being enforced and how to improve the policy itself, in order to minimize the risk of incurring liability.  Audits have revealed:

  • Unrestricted access to personal privacy documents and highly confidential business documents.
  • Personal information about employees and their families.
  • Almost unrestricted physical access to premises, private offices, and unattended but fully logged-in workstations.

The evidence obtained during a social engineering audit, usually in the form of photographs, documents retrieved by dumpster diving, and logs of misrepresented telephone and in-person conversations, typically prompts our clients to improve employee training immediately so that compliance with policy is enforced more carefully and uniformly.

Simple Pretext Methods

Inventing false identities, without using the names of existing third-party organizations, and validating them with:

  • Business cards.
  • Phone numbers.
  • Web pages.
  • Impersonation: wearing attire that misrepresents the operative, such as telephone repair equipment, a hard hat or a business suit, and claiming to represent a non-existent organization.

Surveilling the subject location to identify:

  • Schedules of cleaning staff, security staff, deliveries, mail, and clerical staff.
  • Access points, and the times when they are locked and unlocked.
  • Where garbage is stored, whether security monitors the garbage, and how it can be removed.

Other methods used during the audit:

  • Teaming of operatives, so that one can observe or distract while another attempts to gain access.
  • Gathering compelling evidence with hidden video cameras and still cameras, collecting:
      – records of highly confidential documents and of material written on whiteboards.
      – a record of physical access onto the client's premises.

There is never a need for ERE consultants to use heroic methods.  All our surveillance technology is readily available at local electronics stores.

Contact Us

905 764 3246

  Budgetary Price Quote
  10 minute scope definition call
  ROI Calculation for your next Audit 
  Sanitized Statement of Work
  Sanitized Audit Report
  Product Literature  
  White Papers and Published Articles
  Please see Ron Lepofsky’s book,
The Manager’s Guide to Web Application Security,
published by Apress Media

The Manager's Guide to Web Application Security is a concise, information-packed guide to application security risks every organization faces, written in plain language, with guidance on how to deal with those issues quickly and effectively.

Copyright © 2007-2008. All rights reserved.
