Social Engineering

Human behavior is widely regarded as the weakest link in the information security programs of most enterprises, yet the user side of security is often left out when a complete "current" snapshot of an organization's security posture is assessed. Bright Axis provides a complete offering that includes both physical and email-based (popularly known as "phishing") controlled social engineering attacks.
During a physical assessment, an authorized Bright Axis consultant is engaged to penetrate the physical security perimeter using basic reconnaissance and information that is publicly available on the Internet, including social networking websites such as LinkedIn, Facebook, and Twitter. Bright Axis consultants are provided with a "Get out of jail free" letter beforehand, so that advance knowledge of the assessment does not compromise the security of the perimeter in any fashion. During the assessment the consultant gathers evidence, such as photographs, and notes the vulnerabilities observed. This information is later used to formulate the report of findings and recommendations. The report includes a complete walkthrough of the assessment, giving the customer a first-person account of an attacker's perspective on gaining physical access to corporate assets.
During a phishing review, Bright Axis uses publicly available information sources such as forums, social networking websites, and search engines to glean email addresses belonging to the organization. Using carefully crafted and pre-approved phishing emails, these users are targeted and information is sought from them. Any information obtained is carefully controlled and is not disclosed even to the project sponsors, to avoid personal consequences for the targeted individuals. The results of such assessments provide deep insight into the effectiveness of the organization's security awareness program, and the findings can be fed back to customize and improve the content of that program.