
IT Risk Advisory Services
KPMG Tanácsadó Kft.

Social Engineering Audit and Security Awareness Programme

Every chain is only as strong as its weakest link, and in information security that link is often the human factor. Employees often have direct access to protected assets, which makes them the most obvious target for anyone with malicious intent who wants to reach sensitive information. Attackers who bypass security controls with Social Engineering methods build their attacks on a lack of user awareness.
Every enterprise holds sensitive data whose unauthorised disclosure or modification can harm the business. Typically, employees do not know enough about Social Engineering tricks and techniques and are unaware that they could unwittingly help an attacker with seemingly unimportant information. Taking these phenomena into account, identifying the human risks, assessing the awareness level of the organisation and implementing a security awareness programme are significant challenges.

How can we help?

KPMG's IT Risk Advisory group offers several services to improve the security awareness level of organisations. We have effective and efficient methods to test and assess the awareness of employees and to improve it according to objectives derived from the identified deficiencies. We recommend implementing a security awareness programme as follows.

First, we suggest assessing the current level of user awareness and the effectiveness of security controls, which can be done with our Social Engineering Audit Programme. The results of this project comprise the identified awareness deficiencies, inadequately implemented security countermeasures and ineffective controls. The audit findings can be used to modify the enterprise's current information security regulations and to implement new countermeasures. Consequently, the Security Awareness Programme is based on awareness training, which should be repeated yearly, and lastly on an awareness campaign, which is designed to help maintain vigilance on the subject.

[Figure: programme phases: Assessment of security awareness level (Social Engineering audit), Security awareness training, Security awareness campaign]

Read more about our Security Awareness Services in the following summary.

2013 KPMG Tanácsadó Kft., a Hungarian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.
Assessment of security awareness level

Social engineering is a collection of attack methods and techniques that exploit deficiencies in user awareness. Illegal access to sensitive information, data leaks or other security breaches can stem from employees not knowing the contents of security policies or not observing the rules. Technological solutions alone do not provide complete protection against Social Engineering attacks; the remaining gap can only be closed by improving security awareness.

Social Engineering Audit

The best method to measure the security awareness of an organisation's employees is to perform a Social Engineering Audit. In the course of this project the current security controls are tested through the human factor. Below is an outline of the tasks of our audit programme, based on the most frequent attack types and the most common security awareness deficiencies.

Possible tasks of a Social Engineering audit

Gathering basic information for attacks
Social Engineering attacks are based on information gathered about the targets: the company and its employees. For this reason the first step of our audit (as in a real attack) is the collection of all publicly available data on the Internet: e-mail addresses, phone numbers, organisational charts and any other information a potential attacker could use to their benefit.

Facility intrusion
The purpose of this task is to test how an attacker might illegally enter a building or the offices of the enterprise and how he or she could bypass entrance security controls.

Attacks within the facility
After a successful illegal intrusion into an enterprise's building we inspect the possible vulnerabilities that emanate from human factors, i.e. what kinds of devices and information can we access in an empty office, and what could be done with them if we had malicious intent? As part of this test we may steal notebooks or other devices, install programmes that simulate keylogger software, copy sensitive information to a pendrive, or even install a wireless network device so that the company's internal network can be reached from outside the office.

Impersonation via telephone
In attacks via telephone our auditor impersonates a fictitious employee of the organisation or of one of its partners and asks the target to send a sensitive document (agreed before the project starts) by e-mail to an address outside the organisation, or persuades the employee to disclose his or her password. This audit task assesses the ability of users to filter suspicious questions and requests, tests how employees verify the caller's identity and determines whether they are aware of the sensitivity of the requested information.

Dumpster diving
Dumpster diving is a method of gathering sensitive data from an enterprise's waste bins. By checking the contents of the trash we can gain evidence on the use of containers for collecting sensitive documents or of shredders, and on how employees have applied the security classification of information to this waste.

Field inspection
In a field inspection we make a supervised visit to an enterprise's facilities to observe how the company's employees follow security rules and policies. Are their computers locked when they leave them unattended? Do they leave sensitive documents unguarded on their desks? Do they collect printed documents, or are these forgotten in the printer tray?

Phishing
The purpose of phishing attacks is to test users' reaction to messages sent via e-mail or other communication channels which, at first sight, appear to come from their workplace. Such messages request the disclosure of sensitive information such as user IDs and passwords.

Spreading malware via e-mail (attachment or link)
In this task we send all employees of the enterprise an attached file (PDF, Excel, Word document or even an executable file), or a link to a website that simulates malicious code, and we measure how many users open the content and/or click through.

Baiting
Baiting happens when we "lose" some pendrives or CDs/DVDs in the client's office building and observe what the company's employees do with them. All of these storage devices contain an executable file that records whether someone opens it. This lets us ascertain how well users follow the rules and recommendations for handling found removable media.
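As an added illustration of how the phishing, malware-link and baiting tasks above can actually be measured (this is example code written for this page, not KPMG's tooling or methodology, and not part of the original brochure), the Python below issues an opaque per-recipient, per-channel tracking token, attributes callback hits found in a web server access log back to recipients, discards repeat clicks and unknown tokens, and reports click rates by department rather than by person. The callback URL shape `/t/<token>`, the HMAC-derived token, the campaign secret, the recipient list and the log lines are all constructed assumptions for this example.

```python
"""Measure click-through in a simulated phishing / baiting exercise.

Each recipient gets an opaque token per test channel. The phishing landing
page and the USB-bait beacon both call back with that token; the callbacks
in the web server log are then attributed to recipients and counted.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Hypothetical campaign secret (assumption for this example). In a real
# exercise generate it per campaign and keep it off the landing host, so
# tokens cannot be forged or enumerated by anyone who finds the URL.
CAMPAIGN_SECRET = b"rotate-me-per-campaign"

# Constructed recipient list: recipient id -> department (no real people).
RECIPIENTS = {
    "u001": "Finance",
    "u002": "Finance",
    "u003": "HR",
    "u004": "IT",
    "u005": "IT",
}

CHANNELS = ("mail", "usb")  # e-mail link test and USB-bait beacon test


def token_for(recipient_id: str, channel: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque, unguessable token bound to one recipient and one channel.

    Binding the channel into the MAC lets a single log distinguish the
    e-mail click-through test from the baiting test.
    """
    msg = f"{channel}:{recipient_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def build_lookup(recipients=RECIPIENTS, channels=CHANNELS):
    """Map every issued token back to (recipient, channel)."""
    return {token_for(r, c): (r, c) for r in recipients for c in channels}


# Assumed callback shape: GET /t/<16 hex chars>, in combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /t/(?P<tok>[0-9a-f]{16})\b[^"]*" (?P<status>\d{3})'
)


def attribute_hits(log_lines, lookup):
    """Return ({(recipient, channel): first_timestamp}, unknown_token_count).

    Repeat clicks by the same recipient count once. Tokens that were never
    issued (scanners, typos, forged guesses) are counted separately so they
    never inflate the click rate.
    """
    hits = {}
    unknown = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a callback at all (e.g. favicon, other paths)
        who = lookup.get(m["tok"])
        if who is None:
            unknown += 1
            continue
        hits.setdefault(who, m["ts"])  # keep only the first click
    return hits, unknown


def rates_by_department(hits, recipients=RECIPIENTS, channels=CHANNELS):
    """Per (department, channel): (number who clicked, number tested)."""
    totals = defaultdict(int)
    clicked = defaultdict(int)
    for r, dept in recipients.items():
        for c in channels:
            totals[(dept, c)] += 1
            if (r, c) in hits:
                clicked[(dept, c)] += 1
    return {k: (clicked[k], totals[k]) for k in totals}


def sample_log():
    """Constructed access-log lines for this example (no real traffic)."""
    t = token_for
    return [
        f'10.0.0.5 - - [12/Mar/2013:09:14:02 +0100] "GET /t/{t("u001", "mail")} HTTP/1.1" 200 512',
        f'10.0.0.5 - - [12/Mar/2013:09:14:40 +0100] "GET /t/{t("u001", "mail")} HTTP/1.1" 200 512',
        f'10.0.0.9 - - [12/Mar/2013:09:20:11 +0100] "GET /t/{t("u003", "mail")} HTTP/1.1" 200 512',
        f'10.0.1.7 - - [12/Mar/2013:13:02:55 +0100] "GET /t/{t("u002", "usb")} HTTP/1.1" 200 16',
        '203.0.113.4 - - [12/Mar/2013:14:00:00 +0100] "GET /t/0123456789abcdef HTTP/1.1" 404 0',
        '203.0.113.4 - - [12/Mar/2013:14:00:01 +0100] "GET /favicon.ico HTTP/1.1" 404 0',
    ]


def run():
    """Attribute the sample log and return (rates_by_department, unknown_tokens)."""
    hits, unknown = attribute_hits(sample_log(), build_lookup())
    return rates_by_department(hits), unknown


if __name__ == "__main__":
    rates, unknown = run()
    for (dept, channel), (n_clicked, n_total) in sorted(rates.items()):
        print(f"{dept:8} {channel:4} {n_clicked}/{n_total}")
    print(f"unknown tokens ignored: {unknown}")
```

Two design points matter for an awareness audit: the URL carries an HMAC-derived token rather than a name or e-mail address, so a forwarded link does not expose who was targeted and an outsider cannot guess valid tokens to pollute the statistics; and results are aggregated per department and channel, which is the granularity needed to pick training examples without turning the exercise into a list of individuals to blame.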

Based on these audit tasks we offer several audit packages containing customised, organisation-specific audit scopes, so that the most suitable audit programme can be selected for your company.

Security awareness training

After identifying security weaknesses emanating from human factors, the organisation can determine its security awareness requirements, followed up by training for employees. The purpose of the training is to inform colleagues about the security policies and rules of the organisation and the necessity of observing them, as well as to create awareness of the threats and attack types that target users. Deficiencies and weaknesses identified by a Social Engineering Audit can serve as useful examples in the training to demonstrate the relevance of these risks.

Based on the most frequently experienced security awareness weaknesses and deficiencies, our Awareness Training contains a review of the types of attacks that exploit human factors (for example physical intrusion, pretexting, phishing, malware and other Internet risks) and how to mitigate these risks. It also interprets the company's related policies and rules and transmits organisation- and position-specific security knowledge.

We recommend establishing our Training Programme at three levels: separate trainings for all users, for management and for the IT function. Targeted training materials support participants in recognising the relevant threats and the related security countermeasures.

When a Social Engineering project is performed before the security awareness training, the training can draw on the test methods and their results. Simulated attacks are the best examples for drawing employees' attention to the reality and relevance of such threats. In our experience, participants acquire awareness knowledge more effectively if attack methods are demonstrated through the results of a Social Engineering Audit.

Training levels

All users
A general security awareness training presents the threats and vulnerabilities that concern all employees of the company. The training material contains the most typical attack techniques and prevention methods.

Management
Management training is more specialised and focused on the needs of chief officers. It is based on the general awareness knowledge but covers specific risks that concern management (for example the security of mobile devices) and methods by which they can motivate colleagues to improve their security awareness attitudes and/or behaviour.

IT operation
Employees working as IT operators or system administrators have a higher level of security awareness than other users. Accordingly, they receive a shorter general security awareness training, and the training material prepared for them contains specialised topics for IT operation such as the basics of operational security, network security and business continuity.

Security awareness campaign
Beyond assessing the level of users' security awareness and periodically organising awareness trainings, it is also important to sustain employees' awareness. The most effective method to achieve this is to organise a campaign that reminds employees every day of the most important security concerns.
Possible elements of the campaign:
A fictional character or comic book-like series containing motivating messages
Posters in the office promoting security awareness
Screensavers highlighting human factor threats
Monthly newsletters
Tests, exercises and games.

KPMG's Security Awareness Services are implemented according to our methodology, based on and tested in numerous successful Social Engineering Audits and information security trainings. In the course of such projects we have acquired a substantial knowledge base on organisation-specific security awareness weaknesses and deficiencies, which can be used to plan the most suitable security awareness assessment and training for your company.

Contact

György Sallai
Director
T: + 36 1 887 6620
E: [email protected]
kpmg.hu

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.
