Over the past few years, we have completed a number of social engineering tests as part of advanced penetration testing at various organizations. Coincidentally, I recently read an excellent book called “Influence – the Psychology of Persuasion” by Dr. Robert Cialdini and realized that it has some excellent lessons for anyone wanting to guard themselves from social engineering attacks.
Dr. Cialdini’s book offers excellent coverage of what he calls “compliance professionals” – people engaged in hard-core door-to-door selling, such as second-hand car salesmen, multi-level marketing (read Amway) professionals, etc. He describes the following 6 techniques adopted by these professionals to convince people to buy things they were never going to buy in the first place. The same techniques can also afford the social engineer easy access to information, and it is worthwhile for information security professionals to examine what the other breed of “compliance professionals” is up to!
1. Reciprocation: We are hard-wired to respond to a favor, often not in direct proportion to the size of the favor done to us. One such example given by Cialdini is the aid given in 1985 by the Ethiopian Red Cross to earthquake victims in Mexico as repayment of aid given by Mexico when Ethiopia was invaded by Italy, way back in 1935!
We used this technique to deadly effect by inducing a systems administrator to disclose highly confidential information about their setup after providing him with lots of study material for the upcoming CISA exam.
2. Commitment and Consistency: Once we have made a choice or taken a stand, we will encounter personal and inter-personal pressures to behave consistently with that commitment.
During one such test, we posed as auditors and started interviewing the system administrators. After a couple of days of helping us out with information, they led us to the other departments in the organization and further facilitated our “audit”. It was only on the 5th day that someone raised an alarm, but during the first few days once the personnel had hard-wired themselves into co-operating with us, they just went all the way, without even checking our credentials!
3. Social Proof: One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the way we decide what constitutes correct behavior.
This is most simply exploited during a social engineering test by leveraging the power of social networking sites such as LinkedIn and Facebook. An attractive enough profile with other members of your organization linked to it is highly likely to make you add it to your network as well, with no clue as to the profile’s veracity.
4. Liking: Few people would be surprised to learn that, as a rule, we most prefer to say yes to the requests of someone we know and like.
Our most successful attempts have involved sending our more likeable people across to ask for help or request information to complete a “college project”. These individuals are usually well-groomed, smart, personable, and possess decent levels of charm or naivete to get the other person to comply.
5. Authority: The famous Milgram experiments show the power of authority in comparison to all the other factors listed here. The real culprit is our inability to resist the psychological power wielded by the person in authority.
We have seen this work in numerous ways by faking authority letters purporting to come from some government agency or from the managing director of the company. Much of the time the recipient will simply comply with the request. The same effect is seen at the gate, where the security guard adjusts his level of obsequiousness depending on which car one is in and how one is dressed.
6. Scarcity: Collectors of everything from baseball cards to antiques are keenly aware of the influence of the scarcity principle in determining the worth of an item.
One of the most common tactics is to build time pressure. The scarcity of time often makes people comply with requests in violation of their policies and their own common sense. We have used this on numerous occasions, be it with a security guard or with a system or network administrator.
For other interesting social engineering experiments, search for “the real hustle” on YouTube for the BBC program that shows how as humans we easily fall prey to the smart hustler who sweet-talks his or her way into social engineering us.