ISU Bengal

Social engineering: because there's no patch for your cognitive bias

By Brooks Haroldsen, NIATEC Awareness Column

Issue date: 1/30/08 Section: News
What do phishing, pretexting, Trojans and road apples have in common? If you're not familiar with these terms, don't feel bad. A lot of people are still in the dark about what they are, despite their widespread proliferation. I would, therefore, encourage you to learn as much as you can about them, since they are all hacker techniques that target the weakest part of any computer network or system: the part that Windows or Apple will never release a patch or update for: you.

All of the above are common manifestations of what reformed hacker and security consultant Kevin Mitnick dubbed "social engineering." He also claims that it is the quickest, most effective, and preferred tool in his tool kit. Social engineering exploits our human cognitive biases: our basic social and psychological tendencies to be helpful and trusting of others.

The technique uses persuasion and deception in creative ways to convince people to perform tasks or divulge sensitive information against their better judgment. Social engineers succeed when their appeal to a target's cognitive biases overrides the target's logical reasoning or common sense.

For example, a CD that is loaded with malware (malicious software), but has been labeled in a way that piques human curiosity to a sufficient degree and left in a public place, will often eventually find its way into someone's CD drive. There is no logical reason to trust the labeling or contents of the CD. In fact, it should seem suspicious, or at least odd, that someone would leave their "Hawt Bikini Girls" collection or "IBM 2007 Financial Data: SECRET" on the floor of a McDonald's restroom.

So why do hundreds of these get picked up by people each year? The social engineer who labels and places them knows that people are inherently curious and that most of us tend to be trusting rather than suspicious.

So if the social engineers out there have our number, socially and psychologically speaking, how can we avoid being had? In my opinion, 99 percent of social engineering attempts can be thwarted by just taking a moment to think about what we are seeing/hearing from a social engineer. The package they present is always attractive and may even seem believable at a glance. I mean, when someone calls or e-mails you saying that you've won a huge sweepstakes, who wouldn't want to believe it? Just remember, there will always be that little hitch that should send up the red flags. Stop to think about it for a few moments. And by "think about it," I don't mean trying to find a rationale for how this could be real. I mean really dismantle what you are being told and think about what makes sense, and what doesn't. It is then that you will start to have little epiphanies like, "Wait a minute, I live in Idaho… I don't think I've ever entered a Canadian sweepstakes," or "It doesn't make sense that I have to pay taxes on my winnings before I receive them," or "Why on earth would the prince of Zimbabwe want to hide his royal fortune in my bank account?" or "Hold on, tech support usually takes days to respond to my trouble tickets, they never ask for my password, and why are they asking me to type all these strange commands into my computer?"

Social engineering has been around for a while. But as old as the practice is, evolution won't be releasing a security patch any time soon. Instead, we will continue to rely on promoting security awareness and education through articles like this one and time-worn adages such as "If it sounds too good to be true, it probably is" and "Not everything that glitters is gold," because just as there is no patch for our cognitive biases, it is equally true in the realm of security that no machine can replace a discerning human mind.