This entry encompasses the summary of how effectively social engineering exploits the quirks, or flaws, of the human brain, and provides some defense advice.
So, in reality these are just tricks that statistically increase the odds of compliance (see right-hand image). And they’re obviously not going to work every time. Who’s played DayZ? One, two, people know what I’m talking about. Anyone that has played DayZ seriously knows that it’s perhaps one of the greatest psychology experiments, or “should-be” psychology experiments in the world, because basically you start off, you’ve got nothing, and there are zombies everywhere, and they are insane, and it’s a fight for your life.
And so when you meet someone else that’s also in that fight for their life, the psychology of how you cooperate is influenced by who gets the gun first – it’s ridiculous. And so, people will often yell: “Hey, I’m friendly, I have supplies,” and unwitting survivors will come in and sneak into the building, waiting for the zombies, and then all you hear is a gunshot. I can’t count the number of times that’s happened, but it’s such a funny game.
This stuff won’t always work, because the magical word isn’t going to work 100% of the time. You can’t just say: “I need to fix stuff, so let me in the server room because I need to fix stuff.” I mean, it may actually work. If you ever do that in your life and it works, I’ll buy you a beer. That would be so awesome. It’s also definitely not going to work if you say: “Remember how you gave me a raise last week? Well, it’s about that time again” – to try and exploit the consistency flaw of the human brain. It’s definitely not going to work.
In reality, however, social engineering is usually the easiest way to get into a system to gain access to a network (see left-hand image). If you see the vast majority of breach reports and penetration reports, you’ll see that there are some aspects of spear phishing or social engineering that are always exploited somewhere in that attack chain, and it actually worked quite well and exposed way more information or access than it should have. And this is why post-exploitation spear phishing works so well: “Hey, I’m the CEO, could you give me my username and password to the system – I completely forgot, I’ve been drinking too much over in Vegas” or something.
And so, there are actually technical toolkits to augment your social engineering tactics. Social-engineer.org is related to the Metasploit offensive security project, and they specifically focus on providing technical tools to augment social engineering. So, for instance, phishing scams, like getting you to go on a website and enter your login information, there are basically social engineering tools to take a website, scrape it, clone it and produce it in a working replica that can phish passwords and stuff, as well as taking a company’s headers and papers and cloning them and email to make it look legit as well. So there’s actually a surprising number of tools that can do this sort of stuff, and they are actually quite effective.