What is it that allows someone to be manipulated into giving you something?
At the brain tank conference the other weekend I watched a presentation called “Evolutionary Bias in Social Engineering: An Anthropologist’s Perspective”. Unfortunately this wasn’t what I was expecting. Randy, the presenter, spent a large amount of time explaining that ultimately humans all strive for one thing, sex. Interesting enough but after 20 minutes I got the point and didn’t hear anything about social engineering anyone into having sex yet. Near the end he started to get into more interesting content. He put 5 words on the table about persuasion, which is basically why social engineering works. Unfortunately it was just a perspective talk and didn’t really go into social engineering detail. In any event those 5 words were very similar to some I read in a book previously.
The Book
In management you tend to read many books. One I read several years ago was called “Influence: The Psychology of Persuasion”. A great read on why people say yes and how to defend yourself against a persuasive person.
Those 5 words in Randy’s presentation almost mapped directly to the fundamental principals in this book.
From the book!
- Consistency
- Reciprocation
- Social Proof
- Authority
- Liking
- Scarcity
Unfortunately he didn’t give social engineering examples, which would have been great for each of the 5 topics. I mean that would really be a good presentation.
We all know “Liking” works great. If you just make friends with someone during smoke breaks or say hi to the security guard that person will always let you do or get more than you should.
Reciprocation also works great for phone calls as a phased social engineering tactic. Call up someone acting as a vendor or part of IT and offer to fix their computer. If they have a problem, try and figure it out and fix it. Call back a few days later they will help you and provide information.
In any case I would love to hear if anyone has done any further analysis related to influence and social engineering as explained above.
InfoSecAlways.com 