Pentesting the People: social engineering is an easy vulnerability
When it comes to penetration testing of an enterprise, you instantly think about all the cool tools and tactics used to enumerate the target and locate a vulnerability that could be exploited to gain entry to that enterprise's internal network. Have you ever thought about one of the biggest vulnerabilities of all, the one that controls the front doors of your enterprise? People. Every pentesting engagement should include some physical and social engineering component. You can have the strongest perimeter in the world, but if your physical security team or the people staffing your phone lines are susceptible to a social engineering attack, you can be breached very quickly.
Pen test or Red team?
The biggest difference between a pentest engagement and a red team exercise is whether the people being tested know it is happening. You can include social engineering attacks in a pentest, but they may not be as effective as in an engagement where the receiving party does not know they are coming. A pentest usually has rigid rules of engagement, including a well-defined scope and timeline. With a red team exercise, the rules are basically "break no bones, break no glass." That is why red team exercises are a great way to test your security team's real posture without hurting anyone or causing any actual damage.
When you look at overall enterprise risk, you will find that people are consistently the biggest liability. That is why it is imperative to test their knowledge of and experience with cyber threats at least once a year. When conducting a risk assessment, you will generally find that physical security and social engineering are recurring weak points. Social engineering is hard to isolate because it can come from anyone, be delivered to anyone, at any time, with an almost unlimited range of outcomes.
Ideally, your risk assessments should drive the need for pentesting and/or red teaming. If it is identified as a high risk that client-facing employees may be socially engineered over the phone into giving an external party access they were never authorized to have, then pentesting engagements that target that scenario should be in your budget so you can better defend your enterprise in the future. The best way to be truly proactive against social engineering is to run an ongoing security awareness program within your company. It should cover topics such as phishing, piggybacking (tailgating), unauthorized personnel, and clean desk sweeps. By consistently testing these policies, you force your employees to consciously think about security more and more. From there, you can only hope that they will do the right thing when they encounter an external (or internal) party with malicious intent.