Stephanie Carruthers, People Hacker for IBM X-Force Red, wrote an excellent post about the need to red-team and pentest your own organization. I'll quote the first paragraph or so; you should read the rest of the article, because it makes an excellent case for the need to "hack your employees" and assess the strength of your human firewall!
"It was one of the highest phishing rates I had ever seen: Almost 60 percent of employees clicked the malicious link. Yet the client, a chief information security officer (CISO) of a Fortune 100 company, asked a question that caught me completely off-guard.
“So what?” he said, clearly unimpressed.
As a “people hacker” for X-Force Red, IBM Security’s team of veteran hackers, I’ve performed social engineering exercises for companies around the world. There seem to be a lot of misconceptions about my job and the usefulness of social engineering assessments in security audits.
Confronted with that CISO’s indifference, I tried to explain exactly how serious our findings were and what the consequences might mean for the business.
During this assessment, my team started off by getting several payloads through the company’s email filters undetected. We identified that only two of the 300 employees reported the phishing email.
The incident response (IR) team didn’t start its investigation until two days later; during those two days, we managed to infiltrate some of the legal team’s email accounts, where we discovered that the company was the target of a lawsuit that wasn’t yet public. If that lawsuit were to leak, it could significantly hurt the company’s reputation.
Additionally, by reusing some of the passwords we had compromised, we were able to log in to multiple employee payroll accounts, where we had access to direct deposit information — again, undetected. A criminal attacker could have changed direct deposit account numbers to siphon funds from employee paychecks.
My answer seemed to surprise the CISO and his team. In the end, they acknowledged that I provided a lot more information about their security posture than they expected to receive from the assessment."
Here is a link to the rest of the post.
A motivated attacker with sufficient resources can practically always make it into a network. Paying for a pentest which includes social engineering is a great way to identify holes in your human firewall. Here are two excellent "shortlist" suggestions to ask for a quote:
IBM's X-Force Red
Mitnick Security (has a 100% success rate if social engineering is allowed as part of the test)
And how do you dramatically strengthen your human firewall? New-school security awareness training, of course!