Fast-Forward: Social Engineering and the Human Factor


The following is a guest post by Chris Markman, Academic Technology Specialist at Clark University, where he presses the "fast-forward button" on Hacker Conference videos to give you a summary of the talk in a condensed format, with direct links to resources mentioned in the talk. New posts are available each month in the Security Matters blog column.

Trust Me! I'm a Social Engineer: A Talk About Human Factor Hacking is a presentation delivered by Marcel van der Velde at the 2016 Hacker Hotel conference in the Netherlands. In the Archive.org video description, Marcel is noted as being the 2012 winner of the Sogeti Social Engineering Challenge during the Hack in the Box congress in Amsterdam, and during this talk he shares his experiences working as a security consultant.

After surveying the room for language preference, Marcel was kind enough to deliver this talk in English rather than Dutch; however, the slides are of course in his native language. Do not let that deter you! The presentation begins by drawing parallels between the marketing profession and social engineering, while noting that the traditional "CIA triad" is not only outdated but also ignores what he considers the most important security factor—humans—and recommends Bruce Schneier's book Liars and Outliers as a source of inspiration in that regard.

Right around the 10-minute mark, Marcel defines social engineering as "a psychological thing, manipulating how people think" that requires "being like a magician, showing them the truth, but not their truth, your truth." He then illustrates this through AIDA marketing terminology (attention, interest, desire, and action) and other tricks used to increase sales.

At 15:10 Marcel describes his personal approach to social engineering and shares a number of stories, but never really returns to his original point about marketing. We do, however, learn some interesting techniques around minute 37 (for example, abstractly referencing the appearance of people you do not know in an organization to find out who they are or what they do), and for the next half hour we hear several very memorable tales from past red team/blue team simulations (you might think some of these go without saying, but we hear real-world examples of why you never impersonate a police officer, as well as the importance of working with a team who can bail you out of jail).

At 1:01 Marcel concludes by saying that the bottom-line challenge to counteract social engineering is to get people to think for themselves and understand when pressure is being applied to them. There is a short Q&A a few minutes later, but he saves the best stories for the hotel bar afterward.

As an editorial side note, I know that if you are reading this blog post you have probably listened to a presentation about social engineering in the past, or at least understand how it works, so the topic may seem like a repeat—but that's not why I selected it for this month's Fast-Forward blog post. Instead, I suggest listening to this talk and considering for a moment that perhaps a broader approach to social engineering awareness training would go further than most antiphishing education, in the sense that nontechnical users are the most prone to these attacks but also the least likely to recognize the telltale signs of a phish.1 Would security professionals be more successful if they taught users to understand how social engineering (and marketing) works first, and phishing e-mails second?

Note

  1. Learn more about Phishing Simulation Programs.

Chris Markman has been blogging about technology since 2008, first as a volunteer for the Participatory Culture Foundation and later as an MSLIS student at Simmons College and MSIT student at Clark University. Prior to joining the Academic Technology Services team at Clark University in 2014, he managed a film and music library in the Visual and Performing Arts department. Markman is a member of the New England Archivists professional group and several artist collectives in the city of Worcester, Massachusetts.

© 2016 Christopher Markman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.