Real Life Lessons: Social Engineering
[flickr]photo:36572011(small)[/flickr]The fourth lesson to learn from my incident is that of social engineering. Simply put, social engineering is using predictable social response to create a situation that benefits you. From a security perspective, this technique is often described as a tool used by the bad guys, but it can also be used by the good ones. In my case, once I became aware of the situation, I did the following things:
- I finished getting dressed. This puts me at a higher level than a person who is waking up disheveled. Though it was likely not consciously noticed, the distinction might have played in my favor. This helped to create the predictable response of a subordinate to a superior.
- I positioned myself between the light and his head. This way, when he awoke, he would be at a visual disadvantage. I would be able to see him clearly and, to him, I would appear in silhouette. The response I was trying to get here was to maximize his confusion while also maximizing the amount of information I could get when he awoke.
- I held a weapon on him, and I chose one which I could easily control and would likely create a feeling of fear but not create a feeling of terror. This way, I could anticipate a logical response (no terror), but a manipulated response (because he was scared).
- I awoke him with very specific instructions and questions. The socially acceptable response to these questions when one is in an inferior position is to simply answer the questions.
By arranging the environment and taking control of the situation, I was able to very quickly get the information that I needed to determine whether or not he was a threat (he was not) and make a decision (to let him go and not involve the police). Since I was in control, I was also able to get him out of the house as rapidly as possible, while minimizing the harm to either of us or anything that I had in the house.
From a business perspective, you face social engineering all the time. Most business relationships (whether between boss/employee or company/vendor) are hierarchical. Where hierarchies exist, there are ample opportunities for social engineering. This can be something as simple as a coworker asking you for something and stating that your boss had asked them. It could also be as complex as an attacker calling in and pretending to be an irate customer — leading you to believe that if you do not do as they ask, your company will lose the account and you will be at fault.
There are only a few ways to combat social engineering. The first is through constant and thorough training. This is time consuming and costly. It is, however, the best way to secure your business. That said, if you go this route, you must take care that the training plan is based on reasons and reasoning. All too often training programmes focus on the threats instead of on analysis and consideration. This makes your business utterly secure against yesterday’s attacks . . . and completely open to tomorrow’s.
The second way to protect against social engineering attacks is to eliminate the time pressure. You can do this by empowering your employees to solve problems in non-standard ways. If the “irate client/boss” refuses to accept rational non-standard solutions, there might be an attack going on. In such a situation, escalating the issue to someone with more experience just makes sense. You can also eliminate the time pressure by investing in highly redundant and flexible systems. This works well if you are devising a new solution… less well if you are supporting legacy technology. If you are handling legacy systems, the risks of inflexibility should be considered the next time you build a business case for overhaul and replacement.
The third way to protect against social engineering is to implement an identification system. If your front-line people can know, with certainty, that the person with whom they are talking is really who they claim to be, most concerns can be eliminated. There is, however, an element of client training to such a system. Any challenge-response system is accepted more easily when all parties are expecting it.
So, my questions to you are:
- What would you give an angry client or boss in order to make them happy?
- What if it wasn’t really them?