Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Nov 15, 2017

NBlog November 15 - ethical social engineering for awareness

Security awareness involves persuading, influencing and you could say manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?

The answer is a resounding yes - in fact we already do, in all sorts of ways.  Take the security policies and procedures, for instance: they inform and direct people to do our bidding. We even include process controls and compliance checks to make sure things go to plan. This is manipulative.

Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring that idea even reveals some novel approaches that might just work, and some that are probably best avoided or reversed.

Social engineering method,
technique or approach
Security awareness & training equivalents
Pretexting: fabricating plausible situations
Case studies, rĂ´le-plays, scenarios, simulations, tests and exercises
Plausible cover stories, escape routes, scorched earth, covering tracks
‘What-if’ scenarios, worst-case risk analysis, continuity and contingency planning
Persuading, manipulating, using subconscious, visual, auditory and/or behavioral cues such as body language, verbal phrasing     and       emphatic     timing
Apply the methods and techniques used in education, marketing and advertising (e.g. branding disparate awareness materials consistently to link them together)
Deceiving/telling lies, making false promises, masquerading/mimicry, fitting-in, going undercover, building the picture, putting on a persona or mask (figuratively speaking), acting and generally getting-in-character
Emphasize the personal and organizational benefits of being secure; “self-phishing” and various other vulnerability/penetration tests
Distracting, exploiting confusion/doubt to slip through, doing the unexpected
Develop subtle underlying themes and approaches (such as ethics, a form of self-control) while ostensibly promoting more obvious aspects (such as compliance)
Appealing to greed/vanity, charming, flirting
Emphasize the positives, identify and reward secure behaviors
Playing dumb, appealing for assistance
Audience-led awareness activities e.g. a workshop on “What can we do to improve our record on malware incidents?”
Exploiting relationships, trust and reliance
Collaborating with other corporate functions such as risk, HR, compliance, health & safety etc. on joint or complementary awareness activities
Empathizing, befriending, establishing trust, investing time, effort and resources
Being realistic about timescales, and setting suitable expectations.  Anticipating and planning for long-term ‘cultural’ changes taking months and years rather than days and weeks to occur
Exploiting reputation and referrals from third parties (transitive trust)
Gather and exploit metrics/evidence of the success of awareness activities
Claiming or presenting false or exaggerated credentials, using weak credentials to obtain stronger ones
Do the opposite i.e. study for qualifications in information security and/or adult education
Assertiveness, aggression, 'front', cojones, brazen confidence, putting the victim on the back foot or catching them off-guard
Be more creative, adopting or developing unusual, surprising, challenging and perhaps counter-cultural awareness activities
Creating and using urgency and compulsion to justify bypassing controls
(Over?) Emphasizing ‘clear and present dangers’ (within reason!)
Bypassing, sidestepping or undermining controls
Addressing individuals and teams directly, regardless of hierarchies and norms
Exploiting management/support overrides
Using managers, auditors and other authority figures as communications vehicles
Puppetry, persuading others to do our bidding (possibly several layers deep)
‘Train-the-trainer’!  Develop and support a cadre of security friends/ambassadors.  Gain their trust and favor.  Involve them proactively.
Fast/full-frontal/noisy or slow/gradual attrition/blind-side/silent attacks, or both!
Focus on a series of discrete topics, issues or events, while also consistently promoting longer-term themes
Mutuality, paying a debt forward (e.g. if I give you a gift, you feel indebted to me)
Give rewards and gifts, “be nice” to your audience, respect their other business/personal interests and priorities
Targeting the vulnerable, profiling, building a coherent picture of individual targets, researching possible vulnerabilities and developing novel exploits
Working on specific topics for specific audiences e.g. following up after security incidents, systematically identifying and addressing root causes
Shotgunning (i.e. blasting out attacks indiscriminately to hook the few who are vulnerable) and snipering (e.g. spear phishing)
Combining general-purpose awareness materials plus targeted/custom materials aimed at more specific audiences
Pre-planned & engineered, or opportunistic attacks (carpe diem), or both!
Planned awareness program but with ‘interrupts’ (see below)
Dynamic, reactive/responsive attacks, turning the victim on himself, not entirely pre-scripted/pre-determined, being alert and quick-witted enough to grasp opportunities that arise unexpectedly
Spotting and incorporating recent/current security incidents, news etc., including business situations and changes, into the awareness program
Con-man, con-artist, fraudster, sleight-of-hand, underhand, unethical, selfish, goal-oriented, covertly focused
Do the opposite i.e. be very open and honest, sharing the ultimate goals of the awareness program
Using/replaying insider information and terminology obtained previously
Referring back to issues covered before, and ‘leaving the door open’ to come back to present issues later on; re-phrasing old stuff and incorporating new information
Systematically gathering, combining, analyzing and exploiting information
Systematically gather, analyze and use metrics (measures and statistics) on awareness levels and various other aspects of information security
Exploiting technical, procedural and humanistic vulnerabilities
Work on policies, procedures, practices and attitudes, including those within IT
Multi-mode, blended or contingent attacks e.g. combining malware with social engineering, plus hacking if that is appropriate to get the flag
True multimedia e.g. written/self-study materials, facilitated presentations/seminars, case studies, exercises, team/town-hall/brown-bag meetings, videos, blogs, system messages, corridor conversations, posters, quizzes, games, classes, security clubs, Learning Management Systems, outreach programs …