It has often been said that the easiest hack in IT security is the Social hack. Why? People are creatures of habit and, with insufficient training and a bit of prodding, are far easier to “con” than a firewall or IDS.
Webster’s defines Social Engineering as “an act of psychological manipulation of a human” and “any act that influences a person to take an action that may or may not be in their best interests.”
There are six basic principles of Social Engineering that rely heavily on influencing a user to go against their better judgement:
- Reciprocity – People tend to return a favor, thus the pervasiveness of free samples in marketing. “Hey, they gave me a freebie so I should go buy their product out of good faith.”
- Commitment and consistency – If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment because of establishing that idea or goal as being congruent with their self-image. Even if the original incentive or motivation is removed after they have already agreed, they will continue to honor the agreement. Another example is marketers make you close popups by saying “I’ll sign up later” or “No thanks, I prefer not making money”.
- Social proof – People will do things that they see other people are doing. For example, if you notice someone staring in a window, you are more likely to come up and “see what they were looking at”.
- Authority – People will tend to obey authority figures, even if they are asked to perform objectionable acts. “If you don’t send me $300 in Target gift cards, the IRS will take your home for back taxes.”
- Liking – People are easily persuaded by other people that they like. Did you ever buy something from someone you disliked? Why are commercials and TV shows filled with attractive people?
- Scarcity – Perceived scarcity will generate demand. For example, saying offers are available for a “limited time only” encourages sales.
There are a myriad of examples of social engineering, from phishing to virus hoaxes to knowing that people tend to use the same passwords for multiple sites. All depend on one basic and easily overcome flaw… training.
If we keep our users trained in the security protocols pursuant to their position, they are less likely to become victims of the social hack. Exposure to techniques and related attempts can mitigate the possibility that a user falls victim.