In my last post I was trying to see if anyone had examples mapped to the book “The Psychology of Persuasion”. It appears I jumped in too quickly with my first article, because after a few hours of research on the topic I came across the social engineering framework.
That site does not really have a lot of examples, but there are several sections, like “Influence Others”, that map directly to the book’s framework. There is still a good deal of expansion that can be done on this subject, so I’m glad the community has a solid foundation they are using as a framework.
What is it that allows someone to be manipulated into giving you something?
At the brain tank conference the other weekend I watched a presentation called “Evolutionary Bias in Social Engineering: An Anthropologist’s Perspective”. Unfortunately this wasn’t what I was expecting. Randy, the presenter, spent a large amount of time explaining that ultimately all humans strive for one thing: sex. Interesting enough, but after 20 minutes I got the point and still hadn’t heard anything about social engineering. Near the end he started to get into more interesting content. He put 5 words on the table about persuasion, which is basically why social engineering works. Unfortunately it was just a perspective talk and didn’t really go into social engineering detail. In any event, those 5 words were very similar to some I had read in a book previously.
In management you tend to read many books. One I read several years ago was called “Influence: The Psychology of Persuasion”. A great read on why people say yes and how to defend yourself against a persuasive person.
Those 5 words in Randy’s presentation mapped almost directly to the fundamental principles in this book.
From the book!
- Social Proof
Unfortunately he didn’t give social engineering examples, which would have been great for each of the 5 topics. That would really have made a good presentation.
We all know “Liking” works great. If you just make friends with someone during smoke breaks, or say hi to the security guard, that person will always let you do or get more than you should.
Reciprocation also works great for phone calls as a phased social engineering tactic. Call up someone acting as a vendor or part of IT and offer to fix their computer. If they have a problem, try to figure it out and fix it. Call back a few days later and they will help you and provide information.
In any case I would love to hear if anyone has done any further analysis related to influence and social engineering as explained above.
The PhishMe blog on building employee awareness of social engineering tactics was inspiring, so I finally decided to put up a paper on this site covering similar subject matter.
Extreme Social Engineering
Combating the Insider Security Threat – A Security Awareness Exercise
This paper has been developed to address the human factor of security and the apparent weaknesses within organizations due to employees’ lack of security awareness. Its purpose is to provide organizations with a simple approach to increasing security awareness and combating other malicious insider security threats through a series of social engineering exercises. The document is available by clicking the name above or by accessing the “Papers” section of the site.
PhishMe Blog Entry: