To phish, or not to phish…

Prior to engaging in a penetration test, one decision each organization needs to make is whether or not to put phishing in scope.

Phishing is the act of sending fraudulent emails that appear to be legitimate in an attempt to coerce a user into revealing sensitive information. A simple example of this would be an email with Facebook branding asking the user to log in via a link provided within the email. Rather than taking the user to Facebook, the link takes them to a website that looks like Facebook and steals the user's login and password when they attempt to log in to what they believe to be Facebook.
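The lookalike-link pattern described above can be spotted mechanically on the receiving side. The following is an added example, not code from the original post or its authors: it parses an HTML email body, collects every link, and flags any anchor whose visible text names a known brand while the href resolves to a different registrable domain. The sample email, the brand-to-domain map and the `registrable_domain` helper (which keeps only the last two labels rather than consulting the Public Suffix List) are all assumptions made for illustration.

```python
"""Flag brand-impersonating links in an HTML email body.

Added example (not part of the original post). The sample message and the
brand -> domain mapping below are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        # Only text inside an open <a> element counts as anchor text.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude registrable-domain reduction: keep the last two labels.

    Assumption for this example; a production filter would use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_mismatched_links(html_body, brand_domains):
    """Return links whose anchor text mentions a brand keyword but whose
    href lands on a registrable domain other than the one the brand owns.

    brand_domains maps a lowercase keyword (e.g. 'facebook') to the domain
    a link mentioning it is expected to resolve to (e.g. 'facebook.com').
    """
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        # urlparse().hostname strips scheme, port and any user@ prefix, so
        # 'https://www.facebook.com@evil.example/' resolves to evil.example.
        href_host = urlparse(href).hostname or ""
        actual = registrable_domain(href_host)
        text_lower = text.lower()
        for keyword, expected in brand_domains.items():
            if keyword in text_lower and actual != expected:
                findings.append(
                    {"text": text, "href": href, "expected": expected, "actual": actual}
                )
    return findings


# Constructed sample: one genuine link, two lookalikes, one unrelated link.
SAMPLE_EMAIL = """
<html><body>
<p>We noticed a new login. Please <a href="https://www.facebook.com/login">log in to Facebook</a>
to review it.</p>
<p>Or <a href="http://login.facebook-security.example.net/auth">log in to Facebook here</a>.</p>
<p>Verify at <a href="https://www.facebook.com@evil.example/login">https://www.facebook.com/login</a>.</p>
<p><a href="https://example.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

# Assumed brand map for the example.
BRAND_DOMAINS = {"facebook": "facebook.com"}


if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL, BRAND_DOMAINS):
        print(f"suspicious link: text={finding['text']!r} -> {finding['href']} "
              f"(expected {finding['expected']}, got {finding['actual']})")
```

Run against the constructed sample, the genuine `www.facebook.com` link and the unsubscribe link pass, while the two lookalike links (a plausible-sounding foreign host and a userinfo trick where the brand name appears before an `@`) are reported. The same check works as a mail-gateway rule or as a training aid that shows users exactly why a link was flagged.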

Attackers often take the path of least resistance when trying to break into a network. Sending users phishing emails is often the easiest way to get “beyond the firewall”. Once an attacker has breached the perimeter of the network, security is in many cases much more lax and they can move from machine to machine with little resistance. Getting a non-tech-savvy user to click on a link or attachment is the easiest way to get inside a network. As such, this is often a method employed by penetration testers to breach a network perimeter.

Some organizations are phishing-averse during penetration tests; a subset of these organizations will choose to run their own phishing education campaigns, and some will not. Some organizations choose not to allow phishing during penetration testing engagements because they don’t want to shame or embarrass the user(s) responsible for clicking on a link they shouldn’t have. In those cases, we can simulate that someone has clicked a malicious link or attachment and then test whether or not we can completely compromise the entire network. Whether or not you choose to allow us to run phishing campaigns on your network, we believe it is an essential risk that needs to be addressed with your IT staff and your users, as many security professionals believe that “phishing always works”.

If you have questions or you’d like more information please feel free to contact us and we’d love to help you.