Ethical social engineering for awareness
Security awareness involves persuading, influencing and, you could say, manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?
The answer is a resounding yes - in fact we already do, in all sorts of ways. Take security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. That is manipulative.
Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed.
| Social engineering method, technique or approach | Security awareness & training equivalents |
| --- | --- |
| Pretexting: fabricating plausible situations | Case studies, rôle-plays, scenarios, simulations, tests and exercises |
| Plausible cover stories, escape routes, scorched earth, covering tracks | ‘What-if’ scenarios, worst-case risk analysis, continuity and contingency planning |
| Persuading, manipulating, using subconscious, visual, auditory and/or behavioral cues such as body language, verbal phrasing and emphatic timing | Apply the methods and techniques used in education, marketing and advertising (e.g. branding disparate awareness materials consistently to link them together) |
| Deceiving/telling lies, making false promises, masquerading/mimicry, fitting-in, going undercover, building the picture, putting on a persona or mask (figuratively speaking), acting and generally getting-in-character | Emphasize the personal and organizational benefits of being secure; “self-phishing” and various other vulnerability/penetration tests |
| Distracting, exploiting confusion/doubt to slip through, doing the unexpected | Develop subtle underlying themes and approaches (such as ethics, a form of self-control) while ostensibly promoting more obvious aspects (such as compliance) |
| Appealing to greed/vanity, charming, flirting | Emphasize the positives, identify and reward secure behaviors |
| Playing dumb, appealing for assistance | Audience-led awareness activities e.g. a workshop on “What can we do to improve our record on malware incidents?” |
| Exploiting relationships, trust and reliance | Collaborating with other corporate functions such as risk, HR, compliance, health & safety etc. on joint or complementary awareness activities |
| Empathizing, befriending, establishing trust, investing time, effort and resources | Being realistic about timescales, and setting suitable expectations. Anticipating and planning for long-term ‘cultural’ changes taking months and years rather than days and weeks to occur |
| Exploiting reputation and referrals from third parties (transitive trust) | Gather and exploit metrics/evidence of the success of awareness activities |
| Claiming or presenting false or exaggerated credentials, using weak credentials to obtain stronger ones | Do the opposite i.e. study for qualifications in information security and/or adult education |
| Assertiveness, aggression, 'front', cojones, brazen confidence, putting the victim on the back foot or catching them off-guard | Be more creative, adopting or developing unusual, surprising, challenging and perhaps counter-cultural awareness activities |
| Creating and using urgency and compulsion to justify bypassing controls | (Over?) Emphasizing ‘clear and present dangers’ (within reason!) |
| Bypassing, sidestepping or undermining controls | Addressing individuals and teams directly, regardless of hierarchies and norms |
| Exploiting management/support overrides | Using managers, auditors and other authority figures as communications vehicles |
| Puppetry, persuading others to do our bidding (possibly several layers deep) | ‘Train-the-trainer’! Develop and support a cadre of security friends/ambassadors. Gain their trust and favor. Involve them proactively. |
| Fast/full-frontal/noisy or slow/gradual attrition/blind-side/silent attacks, or both! | Focus on a series of discrete topics, issues or events, while also consistently promoting longer-term themes |
| Mutuality, paying a debt forward (e.g. if I give you a gift, you feel indebted to me) | Give rewards and gifts, “be nice” to your audience, respect their other business/personal interests and priorities |
| Targeting the vulnerable, profiling, building a coherent picture of individual targets, researching possible vulnerabilities and developing novel exploits | Working on specific topics for specific audiences e.g. following up after security incidents, systematically identifying and addressing root causes |
| Shotgunning (i.e. blasting out attacks indiscriminately to hook the few who are vulnerable) and snipering (e.g. spear phishing) | Combining general-purpose awareness materials plus targeted/custom materials aimed at more specific audiences |
| Pre-planned & engineered, or opportunistic attacks (carpe diem), or both! | Planned awareness program but with ‘interrupts’ (see the next row) |
| Dynamic, reactive/responsive attacks, turning the victim on himself, not entirely pre-scripted/pre-determined, being alert and quick-witted enough to grasp opportunities that arise unexpectedly | Spotting and incorporating recent/current security incidents, news etc., including business situations and changes, into the awareness program |
| Con-man, con-artist, fraudster, sleight-of-hand, underhand, unethical, selfish, goal-oriented, covertly focused | Do the opposite i.e. be very open and honest, sharing the ultimate goals of the awareness program |
| Using/replaying insider information and terminology obtained previously | Referring back to issues covered before, and ‘leaving the door open’ to come back to present issues later on; re-phrasing old material and incorporating new information |
| Systematically gathering, combining, analyzing and exploiting information | Systematically gather, analyze and use metrics (measures and statistics) on awareness levels and various other aspects of information security |
| Exploiting technical, procedural and humanistic vulnerabilities | Work on policies, procedures, practices and attitudes, including those within IT |
| Multi-mode, blended or contingent attacks e.g. combining malware with social engineering, plus hacking if that is appropriate to get the flag | True multimedia e.g. written/self-study materials, facilitated presentations/seminars, case studies, exercises, team/town-hall/brown-bag meetings, videos, blogs, system messages, corridor conversations, posters, quizzes, games, classes, security clubs, Learning Management Systems, outreach programs … |