Security awareness involves persuading, influencing and, you could say, manipulating people to behave differently ... and so does social engineering. So could social engineering techniques be used for security awareness purposes?
The answer is a resounding yes. In fact we already do, in all sorts of ways. Take security policies and procedures, for instance: they inform and direct people to do our bidding, and we even build in process controls and compliance checks to make sure things go to plan. That is manipulation, however benign the intent.
Obviously the motivations, objectives and outcomes differ, but social engineering methods can be used ethically, beneficially and productively to achieve awareness. Exploring the idea reveals some novel approaches that might just work, and a few that are probably best avoided or reversed, as the table below shows.
| Social engineering method, technique or approach | Security awareness & training equivalents |
|---|---|
| Pretexting: fabricating plausible situations | Case studies, rôle-plays, scenarios, simulations, tests and exercises |
| Plausible cover stories, escape routes, scorched earth, covering tracks | 'What-if' scenarios, worst-case risk analysis, continuity and contingency planning |
| Persuading, manipulating, using subconscious, visual, auditory and/or behavioral cues such as body language, verbal phrasing and emphatic timing | Apply the methods and techniques used in education, marketing and advertising (e.g. branding disparate awareness materials consistently to link them together) |
| Deceiving/telling lies, making false promises, masquerading/mimicry, fitting-in, going undercover, building the picture, putting on a persona or mask (figuratively speaking), acting and generally getting-in-character | Emphasize the personal and organizational benefits of being secure; "self-phishing" and various other vulnerability/penetration tests |
| Distracting, exploiting confusion/doubt to slip through, doing the unexpected | Develop subtle underlying themes and approaches (such as ethics, a form of self-control) while ostensibly promoting more obvious aspects (such as compliance) |
| Appealing to greed/vanity, charming, flirting | Emphasize the positives, identify and reward secure behaviors |
| Playing dumb, appealing for assistance | Audience-led awareness activities, e.g. a workshop on "What can we do to improve our record on malware incidents?" |
| Exploiting relationships, trust and reliance | Collaborating with other corporate functions such as risk, HR, compliance, health & safety etc. on joint or complementary awareness activities |
| Empathizing, befriending, establishing trust, investing time, effort and resources | Being realistic about timescales, and setting suitable expectations. Anticipating and planning for long-term 'cultural' changes taking months and years rather than days and weeks to occur |
| Exploiting reputation and referrals from third parties (transitive trust) | Gather and exploit metrics/evidence of the success of awareness activities |
| Claiming or presenting false or exaggerated credentials, using weak credentials to obtain stronger ones | Do the opposite, i.e. study for qualifications in information security and/or adult education |
| Assertiveness, aggression, 'front', cojones, brazen confidence, putting the victim on the back foot or catching them off-guard | Be more creative, adopting or developing unusual, surprising, challenging and perhaps counter-cultural awareness activities |
| Creating and using urgency and compulsion to justify bypassing controls | (Over?) Emphasizing 'clear and present dangers' (within reason!) |
| Bypassing, sidestepping or undermining controls | Addressing individuals and teams directly, regardless of hierarchies and norms |
| Exploiting management/support overrides | Using managers, auditors and other authority figures as communications vehicles |
| Puppetry, persuading others to do our bidding (possibly several layers deep) | 'Train-the-trainer'! Develop and support a cadre of security friends/ambassadors. Gain their trust and favor. Involve them proactively. |
| Fast/full-frontal/noisy or slow/gradual attrition/blind-side/silent attacks, or both! | Focus on a series of discrete topics, issues or events, while also consistently promoting longer-term themes |
| Mutuality, paying a debt forward (e.g. if I give you a gift, you feel indebted to me) | Give rewards and gifts, "be nice" to your audience, respect their other business/personal interests and priorities |
| Targeting the vulnerable, profiling, building a coherent picture of individual targets, researching possible vulnerabilities and developing novel exploits | Working on specific topics for specific audiences, e.g. following up after security incidents, systematically identifying and addressing root causes |
| Shotgunning (i.e. blasting out attacks indiscriminately to hook the few who are vulnerable) and snipering (e.g. spear phishing) | Combining general-purpose awareness materials with targeted/custom materials aimed at more specific audiences |
| Pre-planned & engineered, or opportunistic attacks (carpe diem), or both! | Planned awareness program but with 'interrupts' (see below) |
| Dynamic, reactive/responsive attacks, turning the victim on himself, not entirely pre-scripted/pre-determined, being alert and quick-witted enough to grasp opportunities that arise unexpectedly | Spotting and incorporating recent/current security incidents, news etc., including business situations and changes, into the awareness program |
| Con-man, con-artist, fraudster, sleight-of-hand, underhand, unethical, selfish, goal-oriented, covertly focused | Do the opposite, i.e. be very open and honest, sharing the ultimate goals of the awareness program |
| Using/replaying insider information and terminology obtained previously | Referring back to issues covered before, and 'leaving the door open' to come back to present issues later on; re-phrasing old material and incorporating new information |
| Systematically gathering, combining, analyzing and exploiting information | Systematically gather, analyze and use metrics (measures and statistics) on awareness levels and various other aspects of information security |
| Exploiting technical, procedural and humanistic vulnerabilities | Work on policies, procedures, practices and attitudes, including those within IT |
| Multi-mode, blended or contingent attacks, e.g. combining malware with social engineering, plus hacking if that is what it takes to get the flag | True multimedia, e.g. written/self-study materials, facilitated presentations/seminars, case studies, exercises, team/town-hall/brown-bag meetings, videos, blogs, system messages, corridor conversations, posters, quizzes, games, classes, security clubs, Learning Management Systems, outreach programs ... |