Social Engineering

Jason "Red" Thomas
Founder & CEO, RedKnight

The Art of Deception. A Master's in Manipulation. Certified Con Artist. The terms for social engineering are numerous, catchy, and almost exclusively negative. But like all such mighty powers, social engineering can be used for good or ill — the engineer is either a paragon of righteousness or a dastardly evil-doer. Protecting your team against it matters from a security standpoint; teaching your people its positive side matters just as much, giving them important tools for success.

Education Means Protection

George S. Patton once said that "untutored courage is useless in the face of educated bullets." Social engineering attacks work much the same way. People are generally well-intentioned and want to be helpful — and they're often easily suckered by greed. Both traits are favorite exploits of the scammer, and the only real defense is education.

Most companies deliver that education through dry webinars or drier slide decks. The flaw is the assumption that education is just a matter of pouring facts into the student. The employee slogs through the material, passes the test on short-term memory, and dumps the now-useless knowledge on the way out. Less frequent but more impactful discussions are far more effective. The social interaction makes the material less boring and engages deeper cognitive functions, moving the information into long-term memory. In discussing what phishing and baiting are and how they're carried out, the employee builds real understanding — and reports suspicious activity that might otherwise be ignored.

Charm School

The added benefit of discussion is that time can be devoted to the virtues of social engineering. It isn't only used for nefarious purposes — we can use the same concepts to promote a common good, or to create community in the workplace. I call it social engineering; my grandmother just called it "being charming." One of the most basic uses is a simple phone call. We've all been on calls where the person on the other end couldn't care less, and their attitude only made us more irritated. Conversely, a friendly and helpful agent leaves you satisfied even when you didn't get the answer you wanted.

Something as simple as smiling when you answer the phone creates a tone that carries across the line. A conscious effort to be friendly is received and reciprocated, making the conversation more manageable and leaving the customer more satisfied — improving the image of both the individual and the company with minimal effort. And when you're the one asking for something, the vibe you present can make all the difference. Being friendly induces the other party to be more open and talkative, often surfacing critical information you'd otherwise have missed, and makes them more willing to go the extra step to help you out.

The Power of Names

As practitioners progress, one of the more advanced lessons is the power of labels. We see it constantly in politics. It works because of autoassociative memory — people subconsciously remember related bits of data. Read "a day that will live in…" and you likely thought "infamy," or of Roosevelt. By repeating an opponent's name alongside a single term, politicians build an association between the two.

Those choosing the ethical approach can apply the same technique to better ends. Refer to your team as the "Texas Support Team" — accurate if they're in Texas — and the label subtly limits their scope to regional work. Call them the "Global Support Team" and it works to expand the scope of their responsibilities. This runs in two directions: as founding members cycle out, newer members have their scope defined by what they hear the team called; and outsiders who only observe the team know it mainly by its name. The name won't be the single determining factor in a team's growth, but it will have impact. Names are important and should be chosen with care and deliberation.

Leadership

Sun Tzu wrote of treating your soldiers like beloved children so they will follow you into the deepest valleys, and made many points about accounting for the psychology of troops. In the Army we had a field manual on leadership; one of the highest forms was Inspirational Leadership, where the leader inspires the led to accomplish the task. Inspiration equals manipulation — but leadership isn't about tricking people. It's about understanding what makes them work, why they do what they do, and using that knowledge to guide them to where they'll be most successful, without coercion or resentment.

Inspiring speeches that unify a group happen in the movies. In real life it takes dedicated work by a good leader to instill a sense of community and direction. Unhappy employees spread dissatisfaction like an airborne contagion; something as simple as bringing in breakfast can prevent it — though it shouldn't be ritual, because a pattern becomes an expectation. Doing it aperiodically reinforces the leader's genuine concern for their people's welfare. It's not as cold as it sounds. It's less about manipulation than about defining a culture of excellence, promoting it, and acting decisively against those who can't maintain the standard. Make excellence the standard, hire excellent people, and then keep problems out of their path as they rocket toward success.

We Came, We Saw…

So I hope you have a new appreciation for the science and art of social engineering. While true virtuosos seem to have a natural feel for it, everyone can learn the basic tenets and apply them well. Such a useful tool shouldn't be shelved in the mistaken belief that it's the sole domain of scammers. It's just a tool, no more defined by its use than a hammer. Take that old book by Kevin Mitnick down off the shelf, give it a read, and maybe you'll find the idea you needed to spark some new life in your own team.

— Jason "Red" Thomas