How to get creative with your penetration testing

Are your employees ready for whatever the hackers can throw at them? Try one of these tests

While there are plenty of standardized methods for penetration testing that we're all familiar with, the bad guys aren't sticking to traditional methods for their attacks anymore. So it's time for the good guys to start thinking outside the box, too: here are a few creative methods to pen test your organization and see how well it holds up.

The news-related email test

If your company has recently posted an announcement about a new partnership agreement, new insurance carrier, a new hire, a merger or other big news, use that as a pretense for phishing emails or phone calls. By referencing real news, the attack will seem more legitimate.

TIP: It doesn't have to be big corporate news, either. It could be an item in a local paper about an employee getting recognized, or even an individual employee's post on social media.

The traveling executive test

Create a fake email account that looks like it belongs to a high-level executive. Then, when the executive is known to be at a conference, send a panicked email to underlings demanding urgent copies of sensitive documents that the executive needs, right away, for presentations or client meetings.

TIP: When creating the fake email account, don't forget to include a real photo of the executive, to make it seem extra real.

The fake survey test

Send out an email asking employees to take a survey such as how satisfied they are with their benefits, or where to hold the next company off-site.

TIP: Sweeten the deal by promising an iPad or iTunes gift cards to the first ten respondents.

The fake Wi-Fi test

Where do your employees like to go for coffee? Set up a wireless access point nearby and see how secure your systems are against someone hijacking these wireless communications.

The memory stick test

Drop infected memory sticks around sensitive locations. Curious employees will pick them up and plug them in.

TIP: If the employees are getting too smart for this, send them sticks by direct mail, with personal notes pretending to be from trusted vendors or senior executives.

The computer repair test

Call ahead and let employees know that an outside vendor will be coming by to pick up old drives, tapes and computers, for secure recycling. Follow up with emails to schedule the pickup time, and to let employees know how to check that the technicians are “real.”

TIP: Fake technicians can also be sent out on other pretexts: to upgrade computer memory cards, install new VPN connections or upgrade antivirus software, or because a particular executive has supposedly complained that a computer is too slow, so someone will come out to “clean out the registry and speed it up.”

The $100 bill test

Put $100 in your pocket and walk around a restricted area without a badge. The first employee who asks you where your badge is gets the $100.

TIP: It can feel impolite to ask a stranger who they are. Putting a positive spin on it helps employees get over the awkwardness while training them to be more vigilant.

Hack your scanner

All your company's computers are locked up tight, and your employees are vigilant – but what about all the other network-connected devices? See if you can get your scanner to grab copies of documents for you. Security cameras, thermostats, even vending machines can also have network access and connections to the outside. In the latest Target breach, the hackers reportedly came in through the vents – specifically, the third-party systems monitoring heating and cooling equipment.

The long con

Over a period of months, develop relationships with key employees through innocuous interactions by email, phone, or casual elevator encounters. Then use that familiarity to provide assurances during a phishing or other attack. If the target is attractive enough, hackers will invest the time.

The fake-out

Tell company managers that you're running a penetration test and will be sending out phishing emails to the entire company. Explain the tactics you plan to use, and send the executives a link to the fake site you have set up to tempt their employees. Ask for their input about whether the site is realistic enough.