Social engineering (SE) is a technique used by attackers to psychologically manipulate individuals into disclosing sensitive information (for example, passwords) or granting unauthorized access (for example, by downloading and executing a malware file).
Penetration testers are tasked with simulating targeted attacks on an organization's systems to find weaknesses in its environment.
Practicing social engineering pen tests against real people or organizations raises ethical and legal issues. The SE Pen Test Competition lets students experience pen testing in a safe and ethical way.
Your team will be "hired" to conduct a social engineering penetration test on the CARE Lab and its (current) employees! Your pen test must cover each of the three areas below; a strong pen test will show how findings from each area feed into the next (for example, OSINT that shapes the vishing pretext and the phishing lure). Teams will submit a formal report of their findings and make security recommendations.
1. OSINT
Open Source Intelligence (OSINT) involves gathering information that can be "obtained legally and ethically from public sources" [1].
Research our Lab and our employees. You can use the CARE Lab site, of course, but you are encouraged to draw on external information from the usual OSINT sources (social media, news, etc.).
2. Vishing
The word 'vishing' is a combination of 'voice' and 'phishing' [2]. Phishing is the practice of using deception to get you to reveal personal, sensitive, or confidential information [2]. Rather than using email or fake websites as phishers do, vishers use voice calls, typically placed over an internet telephone service (VoIP) [2]. Impersonating a person or a legitimate business to scam people is not new [2]; vishing is simply a new twist on an old routine, and it has been around almost as long as internet phone service [2].
Try to get us to do something (disclose information, send you a file/dataset, etc.) through your vish call. The only caveat is that your calls must target current employees and must concern the work we do at our Lab. Anything else falls outside the vishing scope and will result in automatic disqualification.
3. Phishing
Phishing occurs when a target is contacted via email by "someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords" [3].
Try to get us to do something (disclose information, send you a file/dataset, etc.) through your phishing emails. The only caveat is that you cannot include malicious links for us to click on (we will NOT click on these); you must instead convince us to act through the content of the message itself. Anything else falls outside the phishing scope and will result in automatic disqualification.
4. SE Pen Test Report
All pen testing teams will submit a formal report based on their findings. Teams will be provided with a report template, which they must use.