The Art of Deception. Having a Master's in Manipulation. Certified Con & Networking Artist. The terms for social engineering are numerous, catchy, and almost exclusively negative. However, as is the case with all such mighty powers, social engineering can be used for either good or bad, and it’s the engineer himself who stands as either a paragon of righteousness or a dastardly evil-doer. Protecting your team against social engineering is important from a security standpoint, as well as simply part of being a good leader. Just as important, however, is teaching your people the positive side of social engineering in order to build them up as individuals and give them important tools for success.


Education Means Protection

George S. Patton once said that, “Untutored courage is useless in the face of educated bullets.” In a way, social engineering attacks can work exactly like that. People in general are well intentioned and want to be helpful. They’re also often easily suckered by greed. Both traits are favorite exploits of the scammer, and the only real defense is education.


Most companies accomplish this needed education through dry webinars or even drier PowerPoint presentations. The failure in that system is that it assumes the needed education is just a matter of pouring facts into the student. In the end, the employee slogs through the boringly presented material, passes the basic test afterwards using data stored in short-term memory, and then proceeds to dump the now-useless knowledge as they go on their way.


Less frequent but more impactful discussions are a much more effective method of protecting against attacks. At the very least, the social interaction makes the material less boring and encourages employees to engage deeper cognitive functions, moving the data from short-term to longer-term memory. In discussing what things like phishing and baiting are, and how these attacks are carried out, the employee builds an actual understanding of the subject, not just temporarily memorized facts. Discussing potential vulnerabilities and the sensitive information that needs protection creates an increased awareness on the part of the employee, so suspicious activity gets reported where it otherwise might have been ignored.


Charm School

The additional benefit of discussions, rather than computer-based training, is that time can be devoted to the virtues of social engineering. After all, social engineering isn’t used only for nefarious purposes. We can also use the same concepts for promoting a common good, or for creating a sense of community in the workplace. I call it social engineering, but my grandmother just called it “being charming.”


One of the most basic uses of this concept is a simple phone call. We’ve all been on those calls where the person on the other end of the line couldn’t have cared less and wasn’t very interested in being helpful. Remember how their attitude and the vibe you got from the other side of the conversation just served to make you more irritated? Conversely, think about those conversations where the agent was friendly, helpful, and full of concern. Even when you didn’t get the answer you were looking for, you didn’t walk away nearly as frustrated.


Something as simple as smiling when you answer the phone creates a tone in your voice that can be perceived on the other end of the conversation. A conscious effort to be friendly is received and reciprocated, making the conversation more manageable. A customer dealt with this way is left feeling more satisfied with the service they received, which improves the image of the individual and that of the company with a minimum of effort. Maybe even more important, when you make a call where you’re asking for something, paying attention to the vibe you’re presenting can make all the difference in getting the answer you needed. Being friendly induces the other party to be more open and talkative, often giving you critical information you would otherwise have missed. It also makes them more willing to take the extra step to save you time or help you out.


The Power of Names

As disciples of social engineering progress in their studies, one of the more advanced lessons in the science is the power behind labels. We see this very often in politics, especially in the last few years as politicians refer to their opponents as being part of the “establishment.” The reason this works is something called autoassociative memory, which is a big word that basically means people will subconsciously remember bits of related data together.


“A day that will live in…”

Did you think “infamy” or about Roosevelt when you read that? That’s why this technique works. By repeating an opponent’s name over and over in conjunction with a single term, politicians hope to build an associative memory between their opponent and that word. Once again they are demonstrating that they have given in to their fear and hatred and become one with the dark side of the Force.


Those of us choosing the more ethical approach can apply the same technique to far more constructive ends. For instance, one could refer to a team as the Texas Support Team, which might be true because they are located in Texas. Alternatively, one might use the name Global Support Team. What is the difference? Because autoassociative memory works, the former limits the scope of the team to regional work, while the latter expands the scope of the team’s responsibilities. This process works in two directions. Every team has turnover. While founding members of the team may have established a clear concept of the team’s direction, as they cycle out, newer members will have to have that scope redefined for them. They hear their team referred to as “Texas” enough times, and it starts to subconsciously draw lines around their responsibilities.


The second direction of change is in dealing with other people who may not have much interaction with the team, and thus only know what they can observe. The most observable part of a team is its name. If the team wasn’t named appropriately, every email, website, and conversation serves to reinforce the limited scope of a team that was intended to have global responsibilities. So while the name of a team will not be the single determining factor in the direction of its growth, it will have an impact. Effort will have to be made to work against a poorly chosen name, small though that effort may be depending on the circumstances. The same technique can be applied in numerous ways, perhaps most obviously in marketing. The point is that names are important and should be chosen with care and deliberation. Choosing the right label can make all the difference in the world.


Leadership

Sun Tzu has a quote about treating your soldiers like beloved children so that they will follow you into the deepest valleys. He actually made a number of points in his treatise on war that revolved around the general’s need to account for the psychology of troops, both his own and his opponent’s. In the Army we had a field manual on leadership, listing all the various forms it could take. One of the highest was Inspirational Leadership, where the leader inspires the led to accomplish the set task. You got it: inspiration equals manipulation. Being a leader isn’t about tricking people, though. It’s about understanding what makes them work, why they do the things they do, and using that knowledge to guide them onto the path that will allow them to be most successful. Social engineering is an important tool in understanding how to guide those you’re responsible for into doing the things they should do, and most importantly, it’s about them doing it without being coerced and resentful about it.


Inspiring speeches that unify a group of people into working together only happen in the movies. In real life, it takes a lot of dedicated work by a good leader to instill a sense of community and direction in the team. A simple example is employee happiness. Unhappy employees spread dissatisfaction like an airborne contagion. Something as simple as bringing pastries in for breakfast, or buying the occasional pizza for lunch, might be all it takes to prevent dissatisfaction. It’s important not to do it ritualistically, though. If something is a pattern, it’s expected. Doing it aperiodically ensures that it doesn’t become an expected treat, and that it reinforces the leader’s desire to see to their people’s welfare. Leadership is also about ensuring your people continue to do the right thing whether anyone is there to watch them or not. Social engineering is how this is best accomplished, but I promise that it’s not as cold as it sounds. It’s not so much about manipulation as it is about defining a culture of excellence, making a directed effort to promote that culture, and then taking quick and decisive action against those who show an inability to maintain that standard. Make excellence the standard, hire excellent people, and then all that’s needed is to keep problems out of their path as they rocket their way to success.


We came, we saw…

So I hope you have a new appreciation for the science and art of social engineering. While true virtuosos just seem to have a feel and natural gift for it, I believe everyone can learn the basic tenets and apply them successfully. Most importantly, such a useful tool shouldn’t be shelved in the misguided belief that it’s the sole domain of Nigerian bank employees. It’s just a tool and nothing more, and it’s no more defined by its use than a hammer is. So take that old book by Kevin Mitnick down off the shelf and give it a read and a little thought. Maybe you’ll find that little idea you needed for sparking some new life in your own team.


– Jason “Red” Thomas

