The Anatomy of Social Engineering 5: The Reality and Defenses

This entry summarizes how effectively social engineering exploits the quirks, or flaws, of the human brain, and provides some defense advice.

In reality...

So, in reality these are just tricks that statistically increase the odds of compliance (see right-hand image). And they’re obviously not going to work every time. Who’s played DayZ? One, two, people know what I’m talking about. Anyone that has played DayZ seriously knows that it’s perhaps one of the greatest psychology experiments, or “should-be” psychology experiments in the world, because basically you start off, you’ve got nothing, and there are zombies everywhere, and they are insane, and it’s a fight for your life.

And so when you meet someone else that’s also in that fight for their life, the psychology of how you cooperate is influenced by who gets the gun first – it’s ridiculous. And so, people will often yell: “Hey, I’m friendly, I have supplies,” and unwitting survivors will come in and sneak into the building, waiting for the zombies, and then all you hear is a gunshot. I can’t count the number of times that’s happened, but it’s such a funny game.

This stuff won’t always work, because the magical word isn’t going to work 100% of the time. You can’t just say: “I need to fix stuff, so let me in the server room because I need to fix stuff.” I mean, it may actually work. If you ever do that in your life and it works, I’ll buy you a beer. That would be so awesome. It’s also definitely not going to work if you say: “Remember how you gave me a raise last week? Well, it’s about that time again” – to try and exploit the consistency flaw of the human brain. It’s definitely not going to work.

Social engineering does help

In reality, however, social engineering is usually the easiest way to get into a system to gain access to a network (see left-hand image). If you see the vast majority of breach reports and penetration reports, you’ll see that there are some aspects of spear phishing or social engineering that are always exploited somewhere in that attack chain, and it actually worked quite well and exposed way more information or access than it should have. And this is why post-exploitation spear phishing works so well: “Hey, I’m the CEO, could you give me my username and password to the system – I completely forgot, I’ve been drinking too much over in Vegas” or something.

Social engineering is usually the easiest way to get into a system.

Tips for defense

How can you defend yourself and the company that you work for against this stuff? It’s really hard (see right-hand image). The best you can do is raise awareness of these principles, of these evolutionary triggers that can be exploited. And the best way you can protect yourself is practice by resisting advertisements – so you see some delicious food on TV and you find yourself in the drive-through line – steer out of it, practice resisting or something like that. And also practice by using these flaws on your friends.

Resources used for the study: works by Robert Cialdini and Philip Kegelmeyer

The topics talked about today were from the book “The Psychology of Persuasion”, and a lot of my presentation was influenced by a brilliant scientist, Philip Kegelmeyer (see left-hand image). He gave a presentation two times over this summer, and he gives this presentation several times a year; it’s a wonderful presentation, and you can view the video for it at this link: http://www.social-engineer.org/.

And so, there are actually technical toolkits to augment your social engineering tactics. Social-engineer.org is related to the Metasploit offensive security project, and they specifically focus on providing technical tools to augment social engineering. So, for instance, for phishing scams, like getting you to go to a website and enter your login information, there are basically social engineering tools to take a website, scrape it, clone it and produce a working replica that can phish passwords and such, as well as taking a company’s headers and papers, cloning them and emailing them to make it look legit as well. So there’s actually a surprising number of tools that can do this sort of stuff, and they are actually quite effective.
